This post to the UMA WG challenges our OTTO presumption that federations are an inescapable precondition for the solution. The specific challenge comes from what Adrian says about the health record domain. —k
From: <firstname.lastname@example.org> on behalf of Adrian Gropper
Date: Wednesday, August 19, 2015 at 14:39
To: Eve Maler
Cc: "email@example.com UMA"
Subject: Re: WG-UMA Legal Use Case - User Managed vs. Controlled Access
Eve, I really don't see how to introduce UMA in HealthCare or anywhere else if the use-case is as in the university e-transcript case study. That model is unrealistic, at least in healthcare:
- Presumes adoption of shared data models and scopes (the HEAR in the demo) to a practical extent for authorization management. FHIR is moving in that direction and promises standardization for interchange purposes but authorization is a higher bar because it presumes that Alice's comprehension, state, and federal data protection mandates (42CFR) will align with the interchange standards. There is no reason to believe this alignment will happen. FHIR is governed by a group of industry peers for their interchange purposes. Authorization is not necessarily on their agenda. My example is healthcare specific, but I suspect it applies to most other verticals, probably even education.
- Presumes adoption of identity and other federations. There are absolutely no ID federations in healthcare and none are even on the horizon. Healthcare may be a more extreme case but we see similar behavior in many other industries that serve consumers. In finance, consumer ID federation is limited to small transactions at ATMs. Education is a misleading outlier because the participants are peer higher education institutions. ID federation will happen sooner or later but the path is far from clear and UMA should not wait if we want real-world adoption for IoT and selected verticals.
- The outsourced model for general purpose authorization management is currently the Apple App Store and they have no reason to adopt standards in the near term. We see the Apple authorization domain moving from the regular apps, to HealthKit apps, to payment, and now to HomeKit. UMA will enter the market as the standard for businesses that want to compete with Apple's strong privacy protections. Substitutability of the Authorization Server will be essential to competing with Apple and other walled gardens of authorization.
I'm not as close to other verticals as I am to healthcare but it seems to me that the evidence points in the direction of dynamic registration of the UMA Authorization Server first, followed by dynamic registration of the client second. Although I'd like to see every implementation of UMA include OIDC by default, like MITREid Connect does, the more we rely on federation of identity and standard authorization data models, the less likely we are to succeed.
Adrian