Consent Receipts in UMA
Convener: Sarah Squire
Notes-taker(s): Sarah Squire
Tags for the session - technology discussed/ideas considered:
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Sarah Squire (playing the part of Alice), George Fletcher (playing the part of Bob), John Wunderlich (playing the part of the authorization server), and Susan Carvic(?) acted out the UMA flow with consent receipt opportunities. The pumpkin is the resource, the water bottle is the token, and the projector cap is the permission ticket.
| Data from | Data to | Consent statement |
| --- | --- | --- |
| Alice (RO) | RS | “I, Alice, consent to store my resource with the RS and have it release my pumpkin” |
| Alice | AS | “I, Alice, consent to delegate access rights to my AS” (consent directives/policy configuration) |
| RS | AS | “We consent to work together” |
| AS | RS | “We consent to work together” |
| Alice | AS+RS | “I, Alice, consent to RS accepting AS and AS protecting RS” |
| [Alice goes away] | | |
| Bob | AS | “I, Bob, consent to reveal claims to the AS” (consent potentially involving PII) |
| RS | Bob | “I, RS, consent to release the resource to Bob” |
| RS | AS | “good faith notice” |
Why can’t a system just keep a log on its own? What’s the point of generating a receipt for a person? The reason it’s valuable is that every time the system does something, without the individual having evidence, they may get skewed in their understandings. If they end up, say, in court, they can
What’s the difference between a consent receipt and a transaction receipt? Is a consent receipt just a subset of the generally useful concept of transaction receipts that are useful to humans but still machine-readable?
Is consent transactional or are there results of consents that happened earlier, such as by authorization policy? The UMA legal subgroup is trying to sort out what UMA flows count as “consent”, legally defined (for whatever jurisdiction), to see if this helps. OAuth-based consent is involved to generate the PAT and AAT.
The receipt could simply be seen as a contract. Agency law, which spans jurisdictions nicely, applies well to contracts, in which you have principals, agents, third parties, and sometimes even shared brokers. Notice (“good faith” in the US?) is required before consent.
What might be a better (less confusing/more accurate) name than Consent Receipts?
- Consent Receipt References?
- Contract Receipts?
- Auditable Transaction Receipts (for the superset, including receipts about more than consent)?
How could a framework provide an answer for how to do the entire scope of receipt types? Human rights that go beyond contract have to be handled as well. Could @CommonAccord, which the UMA legal subgroup is looking at, be helpful? Its proprietor Jim Hazard has already been coding up the EU model clauses in the various languages.
How does a human get all of his or her receipts? Would a new ATR storage endpoint for ingesting receipts — which an AS or RS could expose — be useful? Should receipts be emailed? Heck, TripIt lets people forward un-machine-readable emails to a central storage place now. But not every service has asynchronous communications endpoints for the RO and/or the RqP.