<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>We don't want to presume that all data is tagged and friable.
That was a big debate earlier on in the group and we decided, and
I still believe, that that kind of data tagging is out of scope
for here. That's why it says "where possible". If it's not
possible to filter that data, you're not required to.</p>
<p> -- Justin<br>
</p>
<br>
<div class="moz-cite-prefix">On 6/9/2017 4:52 PM, Eve Maler wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAMPbGmgCBeAMd=hwKt7thOJBB+DKS=F0fw=E7yvdnTYa14-FWQ@mail.gmail.com">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<div dir="ltr">I'm thinking that it wouldn't hurt to have a bit
more disquisition on this topic in the OAuth+FHIR spec. :-)
<div><br>
</div>
<div>Here's what the spec <a
href="http://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?modeAsFormat=html/ascii&url=https://bitbucket.org/openid/heart/raw/master/openid-heart-fhir-oauth2.xml#ConfidentialitySensitivity"
moz-do-not-send="true">says</a>:</div>
<div><br>
</div>
<div>"This specification makes no assumptions regarding the
ability of resource servers to tag and filter data. A resource
server that is capable of filtering information MUST advertise
this capability through the use of these scopes. Resource
servers SHOULD use this access information to filter out data
being returned to a client, if possible. If an access token
does not contain a given confidentiality or sensitivity
marker, the resource server SHOULD assume that the client does
not have access to that information and SHOULD apply
appropriate filters to the data, where possible."</div>
<div><br>
</div>
<div>Maybe a more direct way to state the last sentence is that
the RS SHOULD filter data with such a scope (do we even need
to say "where possible"? what are the conditions for that?) as
long as the scope <i>was not granted</i>. And then we should
give an example, so that the consequences are brought home to
the reader. Maybe even give the converse example too.<br
clear="all">
<div>
<div class="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<p><b>Eve Maler<br>
</b>ForgeRock
Office of the CTO
| VP Innovation
& Emerging
Technology<br>
Cell +1
425.345.6756 |
Skype: xmlgrrl |
Twitter: @xmlgrrl</p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Openid-specs-heart mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Openid-specs-heart@lists.openid.net">Openid-specs-heart@lists.openid.net</a>
<a class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs-heart">http://lists.openid.net/mailman/listinfo/openid-specs-heart</a>
</pre>
</blockquote>
<br>
</body>
</html>