Notes from the Security and Trust Meeting
Date: August 26, 2010
Time: 2pm-3pm
Attendees: Tim Andrews, Donald Bechtel, Didi Davis, Mike Davis, Uvinie Hettiaratchy, David Holding, Erik Horstkotte, Don Jorgenson, Arien Malec, Greg Meyer, John Moehrke, Sean Nolan, Pete Palmer, Nick Radov, Jas Singh, Ioana Singureanu

Current Actions

| # | Date | Action | Status | Owner | Due Date |
|---|------|--------|--------|-------|----------|
| 43 | 2010/08/12 | Approach Dragon Bashyam and Will Ross of the Documentation and Testing WG to assist with security considerations | Open | Pete Palmer and Ioana | 2010/08/19 |
| 46 | 2010/08/19 | Review harmonized threat assessment on Security and Trust Workgroup page | Open | All | 2010/08/26 |
| 47 | 2010/08/19 | Monitor both edits to the table on wiki and discussion thread comments | Open | John Moehrke | 2010/08/26 |
| 48 | 2010/08/26 | Include statement regarding LDAP in the specification around DNS section | Open | Sean Nolan | 2010/09/02 |
| 49 | 2010/08/26 | Create a one page document further explaining the LDAP issue to be submitted to the Security and Trust WG at large for approval | Open | John Moehrke | 2010/09/02 |
| 50 | 2010/08/26 | Give a final review of Threat Model - SMTP with Full Service HISPs and Threat Model - Simple SMTP prior to call for consensus vote; Send comments on the following to John Moehrke or post on the discussion tab: inaccuracies; additional risks; changes to the existing risks | Open | All | 2010/08/30 |
| 51 | 2010/08/26 | Bring following items up for consensus vote in WG: | Open | Sean Nolan, Arien Malec | 2010/09/02 |

Actions from Last Week

| # | Date | Action | Status | Owner | Due Date |
|---|------|--------|--------|-------|----------|
| 43 | 2010/08/12 | Approach Dragon Bashyam and Will Ross of the Documentation and Testing WG to assist with security considerations | Open | Pete Palmer and Ioana | 2010/08/19 |
| 46 | 2010/08/19 | Review harmonized threat assessment on Security and Trust Workgroup page | Open | All | 2010/08/26 |
| 47 | 2010/08/19 | Monitor both edits to the table on wiki and discussion thread comments | Open | John Moehrke | 2010/08/26 |

Notes

Introduction

Sean Nolan
  • Revisited the following issue: The need to make a decision on the certificate distribution
  • Raised following question: Is the group comfortable with the current state with DNS or should the group consider LDAP as well?
  • Introduced possible options:
    • Wait until after the pilots have been completed
    • Support both DNS and LDAP in some cases?
      • Corollary: Only during the pilot phase to see the different contenders
    • Do nothing aside from a little education on the LDAP option
  • Expressed vote: Believes the exploratory nature is the most effective
    • The NHIN Direct reference implementations are currently at a reasonable state with the suggested DNS piece

Round the Room on Question

Nick Radov
  • No comment
Didi Davis
  • Expressed belief that NHIN Direct should keep its current configuration
  • However, since LDAP has great potential, believes the general approach should be exploratory
Greg Meyer
  • Supported the exploratory approach for the reference implementations
    • LDAP is worth exploring
    • However, NHIN Direct should advance the pilots with the existing DNS suggestion
  • Supported a dual mode where DNS is preferred
    • The reference implementation could fall back to key-store files
    • This would be supported by the agent
John Moehrke
  • Expressed the view that the DNS model that NHIN Direct developed is definitely worth exploring
    • However, John is concerned that the DNS model is the only option during the pilots
    • Asked if this option is meeting the low technology requirements for which NHIN Direct was intended
  • Added that LDAP is a good option, but also causes some problems when it comes to exchange
  • Suggested that another current method is sending a prior-signed message
    • This method still keeps the certificates stored fresh
  • Recognized that more choices are usually less preferred, however the WG may want to reconsider in this case
    • Specifically, these choices are wrapped up in very specific policy decisions
    • Believes that these are not the decisions which the group was empowered to address
    • Supported offering both choices to the pilot projects
  • Suggested "providing the choice as a potential decision for people above their pay grade"
Sean Nolan
  • Raised the possibility of changing the specification around what John is proposing
Tim Andrews
  • Most of his thoughts had already been addressed by others
  • Asked if there were any other possible issues that had not been addressed yet
  • Emphasized that the distribution of certificates is critical
Don Jorgenson
  • Expressed support for the exploratory approach
    • Would not be comfortable with just DNS
David Holding
  • Representing Intel on behalf of Kristina Kermanshahche
  • Interested in LDAP and therefore prefers the exploratory approach
Erik Horstkotte
  • No comment
Arien Malec
  • Asserted the need for a universal system
    • Argued that manually sending messages with certificates will not be consistent with NHIN Direct
    • Agrees that in the long term LDAP may likely be the right solution
      • Specifically because LDAP provides directories
  • Asked how do you get universal discovery in this case
    • Suggested keeping their approach to NHIN Direct the way it is
      • However, willing to mention this is an exploratory phase
      • Further willing to mention that LDAP is being considered for the long-term
    • Asked to find ways to bridge the DNS mechanism and LDAP
    • Asked: How do you federate LDAP? (and discover the attached certificates?)
  • Raised last item: Brian is plugged into the thought leaders, could work through them to address the issue
    • Biggest Hurdle: typically they don't use signing or encrypting of e-mails
  • Supported the current position, but supported making it clear that it is an experience
Donald Bechtel
  • Expressed view that he is okay with current situation
    • Agrees with John Moehrke's concerns however
    • Stated that he is essentially on the fence
Pete Palmer
  • Made clear he is representing Surescripts
  • Expressed his support to bring LDAP up to the same level as DNS
    • LDAP has some nice features
      • Automated: chaining
      • Good for HISP to HISP rules
      • Replicating rules
      • E-mail clients support LDAP
  • Encouraged the WG to support LDAP on par with DNS and include in the pilots
Mike Davis
  • Stated no objections to the exploratory plans
  • Emphasized the need for the DNS approach to not affect any existing issues in the federal place
John Moehrke
  • Asked if the VA is going to be okay publishing certificates through DNS?
Mike Davis
  • Did not provide a definitive answer, but mentioned that the VA does use LDAP in a manner consistent with how John Moehrke described earlier
Sean Nolan
  • Confirmed that the VA's use of LDAP is for its internal systems
Mike Davis
  • Responded yes
Ioana Singureanu
  • Asked if the group was referring to LDAP version 3
John Moehrke
  • Responded that it was his assumption as well
Ioana Singureanu
  • Compared LDAP v. DNS
    • LDAP may be desirable because of its authentication processes
    • DNS is desirable because it is more reliable (hence being a preferred option)
  • Believes the pilots will reveal which is the preferred option for NHIN Direct
  • Expressed vote: Try to include both in the pilot projects and learn
Arien Malec
  • Addressed the privacy standpoint concerns
    • Key point: They will be distributing public certificates
      • Not private user certificates nor keys
    • Stated that usually one wants the public certificate to be widely distributed
Ioana Singureanu
  • Responded that Arien is correct that you generally want to distribute the certificates widely
  • But added that you also do not want the authenticating body to change
John Moehrke
  • Responded that there may be certain certificates that should not be sent to the public
    • Not all companies want the list of all their employees published worldwide
    • Technically speaking this should not be a problem, because the risk of exposing keys is limited
    • However the risk lies in the attributes which are placed in the certificates
      • They are not asking for restricted distribution
      • Still the certificates may have broader purpose than NHIN Direct

Round the Room Summary

Sean Nolan
  • Reminded group that the end goal is to try to get to universality
  • Suggested following guidance to the pilots:
    • Pick a way to distribute certificates that is comfortable for all actors involved in your pilot
    • Then pick and choose reference implementations according to said need
  • Asked for and received no objections
  • Suggested: A statement about LDAP in the specification in the place DNS is implemented
    • The statement would augment the specification through more exploratory terms than earlier mentioned
    • Tell each pilot to choose what works best for them
    • Resolve to get universality by next year
John Moehrke
  • Further suggested a page dedicated to the issue
    • Volunteered to draft said document
    • Will run it through this committee before sending to Documentation and Testing WG
Sean Nolan
  • Added that he will take care of specification work
John Moehrke
  • Responded that his item will essentially explain why the spec page is fuzzy
    • Will explain the significance of LDAP in this conversation

Review of the Threat Models

John Moehrke
  • Gave an update on the work he did to harmonize the threat tables:
  • Emphasized need to ensure the WG has identified all the risks stakeholders are worried about
    • Making sure the WG's evaluation is inclusive
    • Once comfortable they should document the required component of the spec as well as information compliance
  • Asked WG to look at the two pages listed above and report the following:
    • Inaccuracies
    • Additional risks
    • Changes to the existing risks
Sean Nolan
  • Thanked John Moehrke for his work and raising these salient points
  • Admitted that he was looking at these changes for the first time in detail
    • Plans to do his own complete review of them
  • Stated that people have had enough time by now
    • Asked that everyone send their comments to John Moehrke at latest by Monday
    • Otherwise those members lose out on the opportunity
Arien Malec
  • Reminded the WG that there will need to be consensus at the Implementation Group level
  • However, suggested a consensus round for this WG next week first
    • Asked WG to be prepared to vote for consensus
    • If you do not read it, then you will have to vote without having read it, and cannot choose to revoke your vote later
Sean Nolan
  • Added to the agenda for next week that the aforesaid threat models are up for vote
Jas Singh
  • Introduced the Progress Tracker as a mechanism to keep track of key items across all WGs