Overview


The current specification defining Direct transport, Applicability Statement for Secure Health Transport v1.0, requires Security/Trust Agents (STAs) such as Health Information Service Providers (HISPs) to support a mechanism for certificate discovery (Section 2.3 Discovery of Recipient Certificates Prior to Sending). DNS is described as an option in Section 2.3 and specified in detail in Section 5.0 Certificate Discovery and Publication Through the DNS, but the Applicability Statement requires neither DNS nor any other particular mechanism. Feedback from the Direct ecosystem indicates that the lack of a required mechanism is presenting challenges to vendors incorporating Direct into their solutions and to communities implementing Direct, putting at risk wide-scale interoperability and exchange between providers in support of Meaningful Use.

To address this, it is proposed that discovery of certificates via DNS and LDAP as defined by the S&I Framework Certificate Discovery for Direct Project Implementation Guide be required for STAs.

Updates to the Applicability Statement


The necessary updates to the Applicability Statement to require discovery of certificates using DNS and LDAP as defined by the S&I Framework Certificate Discovery for Direct Project Implementation Guide are detailed below by section of the Applicability Statement. Together, these updates require that STAs be capable of discovering certificates using both DNS and LDAP; certificates can be published using either DNS or LDAP.

Abstract


Current Text

Optionally, certificate discovery of endpoints is accomplished through the use of the DNS.

Updated Text

Certificate discovery of endpoints is accomplished through the use of the DNS and LDAP.

Synopsis


Current Text

This document describes the following REQUIRED capabilities of a Security/Trust Agent (STA), which is a Message Transfer Agent, Message Submission Agent or Message User Agent supporting security and trust for a transaction conforming to this specification:

  • Use of Domain Names, Addresses, and Associated Certificates

  • Signed and encrypted Internet Message Format documents

  • Message Disposition Notification

  • Trust Verification

This document also describes the following OPTIONAL components of a transaction conforming to this specification:

  • Certificate Discovery Through the DNS

The scope of this specification is limited to the STA features that claim conformance to this applicability statement.

Updated Text

This document describes the following REQUIRED capabilities of a Security/Trust Agent (STA), which is a Message Transfer Agent, Message Submission Agent or Message User Agent supporting security and trust for a transaction conforming to this specification:

  • Use of Domain Names, Addresses, and Associated Certificates

  • Signed and encrypted Internet Message Format documents

  • Message Disposition Notification

  • Trust Verification

  • Certificate Discovery Through the DNS and LDAP

The scope of this specification is limited to the STA features that claim conformance to this applicability statement.

1.4 Associated X509 Certificates


Current Text

The organization SHOULD publish the certificates for discovery by other implementations for the purposes of encryption and signature verification. That MAY include use of DNS as described in this document.

Updated Text

The organization SHOULD publish the certificates for discovery by other implementations for the purposes of encryption and signature verification. To support universal certificate discovery, an organization that publishes certificates MAY do so using either DNS (see Section 5 of this applicability statement) or LDAP as described in the S&I Framework Certificate Discovery for Direct Project Implementation Guide.

2.3 Discovery of Recipient Certificates Prior to Sending


Current Text

For universal digital certificate distribution, STAs MAY support DNS-based certificate discovery as specified in this document. STAs that do not support DNS-based certificate discovery MUST have an alternate method for discovering recipient digital certificates, such as LDAP, obtaining digital certificates from prior e-mail exchanges of S/MIME signed messages or through some other out-of-band and thus manual means.

Updated Text

For universal digital certificate distribution, STAs MUST be able to discover certificates using both the DNS as specified in Section 5 of this applicability statement and LDAP as described by the S&I Framework Certificate Discovery for Direct Project Implementation Guide. STAs MAY support other certificate discovery methods in addition to DNS and LDAP, such as obtaining digital certificates from prior e-mail exchanges of S/MIME signed messages or through some other out-of-band and thus manual means.

5.0 Certificate Discovery and Publication Through the DNS


Current Text

This section assumes familiarity with the DNS protocol and DNS Servers. It describes how to use the DNS capabilities described in RFC 4398 in this context.

As noted, STAs MAY elect to support these capabilities to achieve universal certificate discovery. Certificate discovery and associated directories are an evolving area in the health information technology area, and STAs are RECOMMENDED to support multiple methods for certificate discovery.

STAs supporting discovery through the DNS MUST support the requirements in this section.

Updated Text

This section assumes familiarity with the DNS protocol and DNS Servers. It describes how to use the DNS capabilities described in RFC 4398 in this context.

As noted, STAs MUST be able to discover certificates using both the DNS as specified in this section and LDAP as described by the S&I Framework Certificate Discovery for Direct Project Implementation Guide. To achieve universal certificate discovery, STAs MAY elect to publish certificates in the DNS or using LDAP through the capabilities detailed in this section and in the S&I Framework Certificate Discovery for Direct Project Implementation Guide respectively.
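
Added example (not part of the Applicability Statement or the Implementation Guide): a sketch of the lookups an STA could issue for one Direct address under the updated Section 2.3 and 5.0 text, plus a parser for the RFC 4398 CERT RDATA header. The lookup ordering, the LDAP attribute name "mail", the function names and the sample address and bytes are assumptions made for illustration; the Implementation Guide is authoritative for the actual procedure.

```python
import struct

# RFC 4398 section 2.1 certificate type values (subset).
CERT_TYPES = {1: "PKIX", 2: "SPKI", 3: "PGP", 4: "IPKIX", 253: "URI", 254: "OID"}


def ldap_escape(value):
    """Escape RFC 4515 filter metacharacters so an address cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def discovery_plan(direct_address):
    """Ordered lookups for one Direct address (the ordering is an assumption)."""
    local, sep, domain = direct_address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not a Direct address: %r" % direct_address)
    local, domain = local.lower(), domain.lower().rstrip(".")
    return [
        # RFC 4398 section 3.3: replace "@" with "." to get the owner name.
        ("dns", "CERT", "%s.%s." % (local, domain)),    # address-bound cert
        ("dns", "CERT", "%s." % domain),                # domain-bound cert
        # RFC 2782 SRV lookup to locate the domain's LDAP servers.
        ("dns", "SRV", "_ldap._tcp.%s." % domain),
        # Assumed attribute name "mail"; value escaped before use in a filter.
        ("ldap", "filter", "(mail=%s)" % ldap_escape("%s@%s" % (local, domain))),
    ]


def parse_cert_rdata(rdata):
    """Split CERT RDATA into type, key tag, algorithm and certificate bytes."""
    if len(rdata) < 6:
        raise ValueError("CERT RDATA shorter than header plus one byte")
    ctype, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return {
        "type": CERT_TYPES.get(ctype, "other(%d)" % ctype),
        "key_tag": key_tag,
        "algorithm": algorithm,
        "certificate": rdata[5:],
    }


if __name__ == "__main__":
    # Constructed sample: PKIX type, key tag 0, algorithm 5, placeholder bytes.
    sample = struct.pack("!HHB", 1, 0, 5) + b"\x30\x82\x01\x0a"
    for step in discovery_plan("DrBob@Direct.Example.org"):
        print(step)
    print(parse_cert_rdata(sample))
```

The certificate bytes returned by the parser still have to pass the STA's own trust verification before the certificate is used for encryption.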