Notes:

  • Only thing to discuss is work team that produced Trust Criteria is ready to surface with the full group. Next step to get everyone in Best Practices Workgroup to provide approval or not.
  • Overview of document: Need for established criteria for how certificate authorities can be trusted by entities and how they decide to trust each other and accept trust certificates from them. Small subgroup compiled other Best Practices and other documents of certificate authorities in how they decide whether they have done due diligence and if they should be trusted or not.
    • Document is on Best Practices WG wiki page, CA subgroup. Documents section points out trust criteria for CAs
    • Arien: Was a hard time getting this document to right level. Think it's there now. Hard time saying too little or saying too much. Believe that there'll be a time shortly where as an industry we'll want to say more than this document does. Asked selves (from position of HISP or state or HIO making trust decision about whether to add a new trust anchor to board) what criteria should that entity follow to ensure highest appropriate trust and protect integrity of info exchange? Purpose of document is to provide guidance to organization participating in exchange.
    • Certificate policy document - define for a set of rules that govern issuance of certificates, what applicability of certificates conforming to those rules. In practice, most cert polices define level of ID assurance tied to certificate. In healthcare we'll need to get to cert policies that are covered entities, but that is more of a policy discussion - not technical. Problem is that there's a lot of cert policies - range doesn’t give level of assurance that people relying on for information exchange. Level of assurance provided by "I own this domain" is far less than what we'd expect for information exchange. Rather than give cert policy, document gives criteria and good examples for what a cert policy might look like. Subsections for orgs and for individuals. Orgs points out 2 ways of doing cert policies - (1) define rigorous criteria for validation of an organization. (2) to base cert issuance on an identified appropriately identity assured individual who vouches for organization. Key decision is - does certificate policy conform to the norms/rules of community w/ regard to key aspects for security including id assurance? For individuals - document notes that common term defines that cert authority maps cert policies to NIST levels of assurance. Notes that defined levels of basic and medium may be good reference points for Cert policy statements. Says should be looking at cert policy and looking at where they're consistent with basic and medium level assurance in FBCA as good starting points for min level of assurance for cert issuance for individuals.
      • Comments:
        • David McCallie - Title may be misleading. So many layers and levels. Seems like this is more of a Trust Criteria for CAs and for Certificate policy.
        • Problem in terminology in that cert authority is used in two diff ways - one as organization (verisign etc) or as CA route or trust anchor. "Evaluation Criteria for Trust Anchors" might be better title.
          • Really talking about layer 1 - trust the company, layer 2- trust the policy that led to issuance of a certificate including ID assurance, etc. Agree its all a chain, but upon first read, is the company trustworthy? Title revision that covers full scope.
          • Review criteria should be objective and evenly applied and any rejection of a trust anchor should have clear reference tothe objective criteria that lead to that rejection. Think it’s a Best Practice - notion that review criteria need to be objective, well defined and if rejected trust anchor that be done per objective criteria.
        • Assuming making change to title and best practice as above, is it reasonable to get to cenesnus this week and move to IG?
          • All agree that that makes sense.
          • Arien to make two changes discussed following David/David. Title/notion of review criteria being objective and denials. Then open up consensus round for WG, assuming WG consensus take to full IG next week.