Consent Receipts in UMA

From IIW

Tuesday 5A

Convener: Sarah Squire

Notes-taker(s): Sarah Squire

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

IIW21 TU 5A ConsentRecpt.jpg

Sarah Squire (playing the part of Alice), George Fletcher (playing the part of Bob), John Wunderlich (playing the part of the authorization server), and (Susan Carvic?) acted out the UMA flow with consent receipt opportunities. The pumpkin is the resource, the water bottle is the token, and the projector cap is the permission ticket.

Data from     Data to     Consent statement
Alice (RO)    RS          “I, Alice, consent to store my resource with the RS and have it release my pumpkin”
Alice         AS          “I, Alice, consent to delegate access rights to my AS” (consent directives/policy configuration)
RS            AS          | “We consent to work together”
AS            RS          | "
Alice         AS+RS       “I, Alice, consent to RS accepting AS and AS protecting RS”
[Alice goes away]
Bob           AS          “I, Bob, consent to reveal claims to the AS” (consent potentially involving PII)
RS            Bob         “I, RS, consent to release the resource to Bob”
RS            AS          “good faith notice”

Why can’t a system just keep a log on its own? What’s the point of generating a receipt for a person? The reason it’s valuable is that every time the system does something without the individual having evidence, their understanding may get skewed. If they end up, say, in court, they can

What’s the difference between a consent receipt and a transaction receipt? Is a consent receipt just a subset of the generally useful concept of transaction receipts that are useful to humans but still machine-readable?

Is consent transactional or are there results of consents that happened earlier, such as by authorization policy? The UMA legal subgroup is trying to sort out what UMA flows count as “consent”, legally defined (for whatever jurisdiction), to see if this helps. OAuth-based consent is involved to generate the PAT and AAT.

The receipt could simply be seen as a contract. Agency law, which spans jurisdictions nicely, applies well to contracts, in which you have principals, agents, third parties, and sometimes even shared brokers. Notice (“good faith” in the US?) is required before consent.

What might be a better (less confusing/more accurate) name than Consent Receipts?

  • Consent Receipt References?
  • Contract Receipts?
  • Auditable Transaction Receipts (for the superset, including receipts about more than consent)?

How could a framework provide an answer for how to do the entire scope of receipt types? Human rights that go beyond contract have to be handled as well. Could @CommonAccord, which the UMA legal subgroup is looking at, be helpful? Its proprietor Jim Hazard has already been coding up the EU model clauses in the various languages.

How does a human get all of his or her receipts? Would a new ATR storage endpoint for ingesting receipts — which an AS or RS could expose — be useful? Should receipts be emailed? Heck, TripIt lets people forward un-machine-readable emails to a central storage place now. But not every service has asynchronous communications endpoints for the RO and/or the RqP.