Audit logs to support legal enforceability #63
Comments
See http://www.eventedapi.org for a short spec governing how to do simple REST-style event notification. Combine it with JOSE signing and encryption to help the AM keep secure audit logs, thus supporting Binding Obligations goals?
Also see the FHIR SecurityEvent proposal: http://www.hl7.org/implement/standards/fhir/securityevent.html
Zhanna's spec text proposal sent in email for consideration on 2014-07-24 (this was discussed in UMA telecon 2014-07-17 http://kantarainitiative.org/confluence/display/uma/UMA+telecon+2014-07-17 as well): Hello, The participants. Audit record.
Your comments are very welcome and appreciated.
Agreed to backlog this.
This is related to the Consent Receipts/MVCR work, which is, in part, being taken up by the legal subgroup in current meetings. See #180.
Adapted from the 2012-08-01 ad hoc meeting notes:
We want to make UMA legally enforceable. How can the identity of Bob (the requesting party) get bound to any self-asserted claim he might make? If additional claims get collected in the "same session", you could, e.g., bind bob@gmail.com to the promise. Otherwise the consent is pretty weak, the same as today's browse-wrap. Server logs are going to be needed if we're to determine what obligations were agreed to. There's also a need to bind a persistent representation of the resource to this agreement. At a minimum, logs need to link to some authoritative source.
Do we need additional elements in the core spec (e.g. the security considerations, digital signatures over some elements) and/or in the binding obligations doc (e.g. an obligation to accurately record and securely store interactions) to capture this?
Note that, if a dispute comes down to evidentiary artifacts, today's circumstances are not all that great either. A lot of times, sites don't preserve copies of relevant EULAs. So the bar is fairly low if we want to achieve at least as much enforceability as we have in today's web apps.
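The first comment suggests JOSE signing for the AM's audit records, and the meeting notes above ask for signatures over some elements, server logs that bind the requesting party's self-asserted claim to the agreement, and a link from the log to a persistent representation of the resource. The following is an added example, not code from this issue thread or from the UMA/Kantara project: it builds a JWS compact serialization (HS256, implemented directly on the standard library so it runs offline) over a constructed audit record, and verifies it with the algorithm pinned so that a payload swap or an `alg: none` rewrite is rejected. The key, key id, field names and sample values are all constructed assumptions for illustration; the UMA drafts define no such record layout.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample: an HMAC key held by the authorization manager (AM).
# In practice this comes from a key store; the value here is illustrative only.
AUDIT_KEY = b"constructed-demo-key-do-not-use-in-production"
AUDIT_KID = "am-audit-key-2014-07"  # hypothetical key identifier placed in the JWS header

# Constructed sample resource representation and audit record. The field names are
# assumptions for this example; the UMA specs do not define this record layout.
RESOURCE_REPRESENTATION = b'{"resource":"alice-health-record","version":3}'
SAMPLE_RECORD = {
    "event": "authorization_granted",
    "timestamp": "2014-07-24T10:15:00Z",
    "requesting_party": "bob@gmail.com",
    "claims": {"promise": "I will not redistribute this data"},
    # Bind a persistent representation of the resource to the agreement by digest.
    "resource_sha256": hashlib.sha256(RESOURCE_REPRESENTATION).hexdigest(),
}


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; re-adds the padding the encoder stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _canonical_json(obj: dict) -> bytes:
    """Deterministic encoding so the signed bytes are reproducible."""
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def sign_audit_record(record: dict, key: bytes, kid: str) -> str:
    """Return a JWS compact serialization (HS256) over the audit record."""
    header = {"alg": "HS256", "typ": "JOSE", "kid": kid}
    signing_input = _b64url(_canonical_json(header)) + "." + _b64url(_canonical_json(record))
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(mac)


def verify_audit_record(token: str, key: bytes) -> Optional[dict]:
    """Return the audit record if the JWS verifies under key, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        signature = _b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: a header claiming "none" or any other alg is rejected outright.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    try:
        return json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return None


def replace_payload(token: str, new_record: dict) -> str:
    """Model log tampering: swap the payload but keep the original header and MAC."""
    header_b64, _, sig_b64 = token.split(".")
    return header_b64 + "." + _b64url(_canonical_json(new_record)) + "." + sig_b64


def alg_none_variant(token: str) -> str:
    """Model an unsigned rewrite of a stored record: alg=none header, empty signature."""
    _, payload_b64, _ = token.split(".")
    return _b64url(_canonical_json({"alg": "none"})) + "." + payload_b64 + "."


if __name__ == "__main__":
    tok = sign_audit_record(SAMPLE_RECORD, AUDIT_KEY, AUDIT_KID)
    print("original verifies:", verify_audit_record(tok, AUDIT_KEY) == SAMPLE_RECORD)
    altered = replace_payload(tok, dict(SAMPLE_RECORD, requesting_party="someone-else"))
    print("altered record rejected:", verify_audit_record(altered, AUDIT_KEY) is None)
```

A record stored this way can later be re-verified by the AM (or by anyone holding the verification key) to show that the requesting party, the claim and the digest of the resource representation are the ones recorded at the time; an HMAC only proves integrity to the key holder, so for a record that a third party must be able to check, the same JWS structure would carry an asymmetric signature (for example RS256 or ES256) instead.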