OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xspa message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [xspa] Proposed Agenda for October 10, 2008, 1:00pm ET call

Comments on XSPA-SAML-PROFILE-01.

 

High level comments:

* This document need to do a better job at explaining what it is covering and what it is not. SAML can be used for things other than requesting authorization decisions, so this document needs to carefully scope.

 

* There seems to be specifications in here that should be left to policy. I think this is the normal maturation of this document so have only included a few instances. XSPA should provide the infrastructure and examples of how these specific use-cases might use specific vocabulary, but it is unnecessary to define the normative use-cases nor the normative vocabulary (e.g. Purpose of Use – see below)

 

Specifics:

* Page 11: There is a specification for “Name” and “Organization” that make statements about US (not global) policy choice derived from HIPAA. This is not a general truth. The Name and Organization must be derivable under specific circumstances but in most cases are protected information. That is to say that to know the name of the user is not required in an ‘accounting of disclosures’, and would violate the privacy of the ‘user’ if exposed. Thus policies need to protect not just the patient but also the users. This said, I don’t think XSPA should get to this level of detail. This information can be set in policy

 

* Page 12: The specification of ASTM E1986 is not necessary and brings in standards that are not accepted globally. The roles should be bound in policy, not standard.

 

* Page 12: The mapping of ASTM role codes to NUCC is not necessary in XSPA. This detail is simply not needed in this document.

 

* Page 12: Not all systems use OIDs for roles. This is overly restrictive and not needed in XSPA.

 

* Page 12: Purpose of use. This is an interesting start on a purpose of use table. The development of this vocabulary should take place in a healthcare standards organization, I recommend HL7. XSPA should simply identify where purpose of use would be used when the policy has identified a purpose of use vocabulary.

 

* Page 14: Actions. It is useful to explain how in XSPA the action is identified. But it is unnecessary for XSPA to define a vocabulary. This vocabulary should be defined in a healthcare specific organization such as HL7.

 

Page 15: Resource. We should separate the ‘subject’ from the ‘resource’. That is the ‘resource’ is a protected resource for which the ‘subject’ has a stake. For example a ‘document’ is the resource, and the document contains healthcare information about the ‘patient’ as the subject.

 

Page 15: Consent directive. This needs lots of work. The method described is not clear and not functional.

 

Page 16: Resource Masking. Is this really needed in this standard? Resource Masking can be done in many ways. I recommend we put this one out of scope for now.

 

John Moehrke

 

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]