BlockChain & UMA – Two Great Tastes… Do They Go Together?
Wednesday 3J
Convener: Aaron & Eve Maler
Notes-taker(s): Eve Maler
Tags for the session - technology discussed/ideas considered:
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Note-taker: Eve (Heather audio-recorded most of the session too! I will forward when I get that...)
Attending:
Aaron Davis, Eve Maler, Darius Donlap, Joe Andrieu, Adrian Gropper, Jin Wen, LaVonne Reimer, Mark Dobrinic, Heather Vescent, Christopher Allen, Joachin Miller, Shailesh
The proposition:
Are there opportunities to use blockchain and UMA together for the greater good?
The discussion:
Some properties of blockchain: Proof of existence by virtue of being on the chain at a point in time, and thus non-repudiation. This is like an audit log entry, and thus it acts like a receipt! The information on the chain is “public” and out in the open.
Some properties of UMA: Protection (central) of resources (that are distributed). All the parts of the UMA flow are “private”.
Is there tension between them therefore? Not necessarily. Hashes of the relevant information can go on the chain. However, blockchains are long-lived vs. (say) bearer tokens, whose risk of being exposed is often managed partly through a time-to-live strategy. Could you cut old stuff off the chain? Yes, but you can’t delete those parts from all copies of the distributed chain.
Opportunities to use blockchain and UMA together that we identified so far:
1. Could post legal obligations/consent receipts/auditable transaction receipts on the chain. We liked this one a lot and thought it had the most immediate application. Blockchain implementations such as Ethereum, Enigma, etc. build non-repudiation with revocation and non-correlation in. This makes the “receipts” able to act like really flexible contract records.
2. Could layer blockchain-based DRM and licensing solutions on top of resources once UMA-based access is granted. Ethereum is doing work that has DRM and licensing implications.
3. Could leverage provenance proofs in enforcing purpose-of-use limitations in UMA-based downstream chaining, which normally wouldn’t really be able to fully propagate these limitations in the “soft” (business-legal) realm. This would be like applying “chain-link confidentiality” at a technical layer; see this paper: http://www.papers.ssrn.com/sol3/papers.cfm?abstract_id=2045818 Again, Ethereum is doing work on provenance solutions, e.g. for supply chain use cases in medicine.
4. Finally, could use blockchain-based reputation data, which is typically desired to be public anyway, for UMA trust elevation processes prior to authorizing a requesting party for access and also for dynamic client registration. It may be early days for this. The example given was that in the health realm, CMS exposes data through the FHIR API and wants to release access to anyone using a qualified OAuth client app by reputation.
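The "hashes on the chain" point and opportunity 1 (consent receipts as proof of existence) can be sketched as follows. This is an added example, not something produced in the session: the `Ledger` class is a toy hash chain standing in for a real blockchain, the receipt field names are hypothetical rather than UMA-defined, and the salted HMAC-SHA256 commitment is one assumed way to keep the private receipt from being guessed or correlated from the public record.

```python
import hashlib, hmac, json, secrets

GENESIS = "0" * 64

def canonical(obj):
    # Deterministic JSON bytes so both parties hash the same representation.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def commit(receipt, salt):
    # Salted commitment: only the holder of receipt + salt can open it, and the
    # same receipt committed twice yields unlinkable values on the public chain.
    return hmac.new(salt, canonical(receipt), hashlib.sha256).hexdigest()

def block_hash(prev, commitment, ts):
    return hashlib.sha256(canonical([prev, commitment, ts])).hexdigest()

class Ledger:
    """Toy append-only hash chain standing in for a blockchain (assumption)."""
    def __init__(self):
        self.blocks = []

    def append(self, commitment, ts):
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        self.blocks.append({"prev": prev, "commitment": commitment, "ts": ts,
                            "hash": block_hash(prev, commitment, ts)})
        return len(self.blocks) - 1

    def intact(self):
        prev = GENESIS
        for b in self.blocks:
            if b["prev"] != prev or b["hash"] != block_hash(prev, b["commitment"], b["ts"]):
                return False
            prev = b["hash"]
        return True

def verify(ledger, index, receipt, salt):
    # Proof of existence: chain is intact and the opened commitment matches.
    on_chain = ledger.blocks[index]["commitment"]
    return ledger.intact() and hmac.compare_digest(on_chain, commit(receipt, salt))

# Constructed sample receipt; field names are hypothetical, not UMA-defined.
RECEIPT = {"resource_owner": "alice", "requesting_party": "dr-bob",
           "resource": "lab-results", "scopes": ["read"], "purpose": "treatment"}

if __name__ == "__main__":
    ledger, salt = Ledger(), secrets.token_bytes(16)
    idx = ledger.append(commit(RECEIPT, salt), 1445000000)
    print(verify(ledger, idx, RECEIPT, salt))                            # opened receipt
    print(verify(ledger, idx, dict(RECEIPT, purpose="research"), salt))  # altered receipt
```

Discarding the off-chain salt leaves the on-chain commitment unopenable, which is the closest available substitute for deletion given that old entries cannot be removed from every copy of the chain.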
Apparently we fell prey to Noah’s Law! “Any conversation about decentralization eventually evolves into a conversation about reputation.” https://www.twitter.com/christophera/status/654106382967304192
It's been suggested that people interested in this topic are UNAnitarian blockheads. :-)