Security & Trust Meeting 2010-10-21

From Direct Project
Jump to: navigation, search
Notes from Security and Trust Meeting
Date: October 21, 2010
Time: 2:00pm-3:00pm EDT
Attendees: Mike Berry, Mike Davis, Uvinie Hettiaratchy, Don Jorgenson, Dave Juntgen, Umesh Madan, Arien Malec, John Moehrke, Jack Ousey, Pat Pyette, Jas Singh

Current Actions

#
Date
Action
Status
Owner
Due Date
49
2010/08/26
Create a one page document further explaining the LDAP issue to be submitted to the Security and Trust WG at large for approval
Open
John Moehrke
2010/09/02
57
2010/09/09

Explore participation in the IHE North America Connectathon 2011 and a demo for the 2011 HIMSS Annual Conference

Open
Arien Malec, Didi Davis
On-going
60
2010/10/14

Direct Project Security Overview: Read, provide feedback and vote on the Call for Consensus

Open
Entire WG
TBD
61
2010/10/14

Certificate Pilot Recommendations: Read, provide feedback and vote on the Call for Consensus

Open
Entire WG
TBD
62
2010/10/14

Duplicate risk assessment for the XD* Conversions for Direct Messaging specification

Open
John Moehrke
2010/10/21
64
2010/10/21

Review and contribute to the Threat Model - Direct to and from XDR once John Moehrke finish the first cut

Open
Tim Andrews, David Houlding, Dave Juntgen, John Moehrke
2010/10/28
65
2010/10/21
Bring the Direct Project Security Overview up for an IG Call for Consensus
Open
Arien Malec
2010/10/28
66
2010/10/21

Provide comments on the Certificate Pilot Recommendations Discussion document

Open
Pat Pyette, John Moehrke, Mike Berry
2010/10/28

Actions from Last Week

#
Date
Action
Status
Owner
Due Date
49
2010/08/26
Create a one page document further explaining the LDAP issue to be submitted to the Security and Trust WG at large for approval
Open
John Moehrke
2010/09/02
57
2010/09/09

Explore participation in the IHE North America Connectathon 2011 and a demo for the 2011 HIMSS Annual Conference

Open
Arien Malec, Didi Davis
On-going
60
2010/10/14

Direct Project Security Overview: Read, provide feedback and vote on the Call for Consensus

Open
Entire WG
TBD
61
2010/10/14

Certificate Pilot Recommendations: Read, provide feedback and vote on the Call for Consensus

Open
Entire WG
TBD
62
2010/10/14

Duplicate risk assessment for the XD* Conversions for Direct Messaging specification

Open
John Moehrke
2010/10/21
63
2010/10/14

Review the XDR and XDM for Direct Messaging and edit upcoming risk assessment (see action item 62)

CLOSED
Tim Andrews, David Houlding, Dave Juntgen, John Moehrke
2010/10/28

Agenda

  1. Update on Calls for Consensus
  2. Focus Group on Risk Assessment of XD* Spec
  3. Open Discussion


Notes

Arien Malec

  • Recognized that Sean Nolan was not on the call
    • Indicated that Umesh Madan would be taking over for Sean Nolan in terms of the Security and Trust WG

Umesh Madan

  • Recognized that Sean Nolan has been pulled onto a number of projects in Microsoft in another direction
  • Stated that he has not fully caught up yet

Arien Malec

  • Suggested the WG review the same three items from last week:
    • Call for Consensus on the Direct Project Security Overview
    • Call for Consensus on the Certificate Pilot Recommendations
    • The threat model for XDR and XDM for Direct Messaging


Round on Consensus Documents

Arien Malec

John Moehrke

  • Stated that the Direct Project Security Overview is solid
    • Would hope so since he was the primary author
  • Indicated that he did not look at the Certificate Pilot Recommendations yet

Mike Berry

  • Indicated that still needs to look at both documents

Don Jorgenson

  • Stated that he has no problems with either document

Pat Pyette

  • Shared a problem with the Certificate Pilot Recommendations
    • Some entity can decide - creates a community
    • Post-pilot comment seems at odds
      • Hopefully national providers

Arien Malec

  • Responded that he thinks that is essentially what the document is trying to achieve
    • Short term = community based
    • Long term = national approach

Pat Peytte

  • Responded that it seems a lot of this is based on the community style approach
    • Privileges with certain memberships
    • Fundamental problem = conflation of identity with authorization attributes

Arien Malec

  • Agreed that it is an ongoing topic
    • In this case, they are primarily talking about identity

Pat Pyette

  • Suggested/Indicated that he is willing to reword some of the language
    • Its his ongoing concern - needs to be made clear

Arien Malec

  • Responded that Pat Pyette can contribute/suggesting some language in the comments section
    • We will see if we need make minor edit
    • Or a full consensus process regarding that
  • Indicated he will try to clean it up roughly

Pat Pyette

  • Responded that he will try to get done in the next few days

Dave Juntgen

  • Stated that he had only reviewed half of the Certificate Pilot Recommendations Document
    • Question about trust anchors
      • Any possible PHR?
      • Self-signed root certificate in test settings
    • Asked what is down the road
      • Specific CAs? (like Verisign?)
      • Or trust anchors through PHRs
    • Asked who does one go to validate these CERTs coming across

Arien Malec

  • Responded that currently each pilot project will determine the best/recommended CA for their pilot

Umesh Madan

  • No comment
  • Mentioned again that he did not have the chance to sync with Sean Nolan yet
    • Sean Nolan is out of town on some off-site projects
  • Indicated that he will read up on things to catch up for the next Security and Trust meeting

Arien Malec

  • Clarified that Sean Nolan wrote the first draft of the Certificate Pilot Recommendations document

Jack Ousey

  • Stated that he was halfway through the Certificate Pilot Document
    • Stated he likes what he sees so far
    • Will vote by the end of the day

Mike Davis

  • Indicated that he had been withholding until the vote
    • Has concerns about self-signed CERTs

Arien Malec

  • Indicated that he will incorporate Brett Peterson's comment about PHI for the Direct Project Security Overview
  • Move on to the XD* specification threat assessment
    • Asked John Moehrke to walk them through it

John Moehrke

  • Stated that they could access his work so far from the threat models page
  • Reported there is not much to review right now
    • Doesn't read like the XDR you would expect
  • Recommended waiting until next week

Dave Juntgen

  • Clarified that the threat model from XDR would include clients + implementing the XDR

John Moehrke

  • Stated that the threat model is just about Direct to XDR
    • Wants to focus the risk of the assessment

Arien Malec

  • Decided to do a review the week after next to give John Moehrke sufficient time to complete the Threat Model - Direct to and from XDR
  • Decided to extend the Call for Consensus on the Certificate Pilot Recommendations document until the following review it:
    • John Moehrke
    • Mike Davis (from the VA)
    • Pat Pyette
  • Decided to pass on the Direct Project Security Overview for IG wide consensus
  • Thanked everyone for their time
    • Will meet the week after next