Implementation diagrams

.gitignore

@@ -6,3 +6,6 @@ vendor
 build
 .idea
 .vscode
+*.svg.bkp
+*.svg.dtmp
+.*.drawio.bkp

AAI/AAIConnectProfile.md

@@ -256,6 +256,9 @@ Internet Assigned Numbers Authority
         Current Practices", BCP 225, RFC 8725,
         DOI 10.17487/RFC8725, February 2020.
 
+<a name="ref-draft-ietf-oauth-security-topics"></a>
+[[OAuth-Security-BCP]](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics) - Lodderstedt,  T., Bradley, J., Labunets, A., Fett, D., "OAuth 2.0 Security Best Current Practice", draft-ietf-oauth-security-topics-29, June 2024.
+
 <a name="ref-rfc9068">
 [[RFC9068]](https://datatracker.ietf.org/doc/html/rfc9068) --  JWT Profile for OAuth 2.0 Access Tokens
 

AAI/FAQ.md

@@ -9,6 +9,19 @@ A collection of questions (and hopefully useful answers).
 {% hr2 %}
 ## Background
 
+### Do passports capture details of access grants, such as data use and required vetting?
+
+Passports convey a grant to access data. They do not currently attempt to communicate any conditions or details of the approval process.
+
+Authorizations for researcher identities ("the collection of researchers that may access the dataset" as described in the DURI vision statement) are approved by a data custodian or data access committee (sometimes using an approval management system like DUOS or REMS). The approvals can be contingent on factors such as:
+
+* intended data use (in data access request) matches permitted data use (in data set metadata)
+* researcher reputation
+* identity proofing (verification)
+* etc.
+
+Some of these details could, in a future revision, be communicated in the passport for enforcement by the passport clearinghouse.
+
 ### Why Brokers?
 
 We have found that there are widely used Identity Providers (IdP).