Overview


The current specification defining Direct transport, the Applicability Statement for Secure Health Transport v1.0, requires Security/Trust Agents (STAs) such as Health Information Service Providers (HISPs) to support a mechanism for certificate discovery (Section 2.3 Discovery of Recipient Certificates Prior to Sending). DNS is described as an option in Section 2.3 and is specified in detail in Section 5.0 Certificate Discovery and Publication Through the DNS, but neither it nor any other particular mechanism is required by the Applicability Statement. Feedback from the Direct ecosystem indicates that the lack of a required mechanism is presenting challenges both to vendors incorporating Direct into their solutions and to communities implementing Direct, putting wide-scale interoperability and exchange between providers in support of Meaningful Use at risk.

To address this, it is proposed that discovery of certificates via DNS no longer be optional but be required for STAs.

Updates to the Applicability Statement


The necessary updates to the Applicability Statement to require discovery of certificates using DNS are detailed below by section of the Applicability Statement.

Abstract


Current Text

Optionally, certificate discovery of endpoints is accomplished through the use of the DNS.

Updated Text

Certificate discovery of endpoints is accomplished through the use of the DNS.

Synopsis


Current Text

This document describes the following REQUIRED capabilities of a Security/Trust Agent (STA), which is a Message Transfer Agent, Message Submission Agent or Message User Agent supporting security and trust for a transaction conforming to this specification:

  • Use of Domain Names, Addresses, and Associated Certificates

  • Signed and encrypted Internet Message Format documents

  • Message Disposition Notification

  • Trust Verification

This document also describes the following OPTIONAL components of a transaction conforming to this specification:

  • Certificate Discovery Through the DNS

The scope of this specification is limited to the STA features that claim conformance to this applicability statement.

Updated Text

This document describes the following REQUIRED capabilities of a Security/Trust Agent (STA), which is a Message Transfer Agent, Message Submission Agent or Message User Agent supporting security and trust for a transaction conforming to this specification:

  • Use of Domain Names, Addresses, and Associated Certificates

  • Signed and encrypted Internet Message Format documents

  • Message Disposition Notification

  • Trust Verification

  • Certificate Discovery Through the DNS

The scope of this specification is limited to the STA features that claim conformance to this applicability statement.

1.4 Associated X509 Certificates


Current Text

The organization SHOULD publish the certificates for discovery by other implementations for the purposes of encryption and signature verification. That MAY include use of DNS as described in this document.

Updated Text

The organization SHOULD publish the certificates for discovery by other implementations for the purposes of encryption and signature verification. An organization doing so MUST include use of DNS as described in this document.

2.3 Discovery of Recipient Certificates Prior to Sending


Current Text

For universal digital certificate distribution, STAs MAY support DNS-based certificate discovery as specified in this document. STAs that do not support DNS-based certificate discovery MUST have an alternate method for discovering recipient digital certificates, such as LDAP, obtaining digital certificates from prior e-mail exchanges of S/MIME signed messages or through some other out-of-band and thus manual means.

Updated Text

For universal digital certificate distribution and discovery, STAs MUST support DNS-based certificate discovery as specified in this document. STAs MAY support additional methods for discovering recipient digital certificates, such as LDAP, obtaining digital certificates from prior e-mail exchanges of S/MIME signed messages or through some other out-of-band and thus manual means.

Section 5.0 Certificate Discovery and Publication Through the DNS


Current Text

This section assumes familiarity with the DNS protocol and DNS Servers. It describes how to use the DNS capabilities described in RFC 4398 in this context.

As noted, STAs MAY elect to support these capabilities to achieve universal certificate discovery. Certificate discovery and associated directories are an evolving area in the health information technology area, and STAs are RECOMMENDED to support multiple methods for certificate discovery.

STAs supporting discovery through the DNS MUST support the requirements in this section.

Updated Text

This section assumes familiarity with the DNS protocol and DNS Servers. It describes how to use the DNS capabilities described in RFC 4398 in this context. As noted, STAs MUST support the requirements in this section to achieve universal certificate discovery.
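As an added illustration of the Section 5.0 mechanism that this proposal makes mandatory, the following script (example code written for this page, not part of the Applicability Statement or of any HISP implementation) performs Direct-style certificate discovery over RFC 4398 CERT records. It assumes the address-to-name mapping used by the Applicability Statement (replace '@' with '.', query the address-bound name first, then fall back to the domain-bound name) and that only PKIX-typed CERT records are used. The zone contents and certificate bytes are constructed stand-ins so the script runs offline; `constructed_resolver` takes the place of a real CERT query.

```python
"""Direct-style certificate discovery over DNS CERT records (RFC 4398).

Added example; not code from the Applicability Statement or any HISP.
The zone below is constructed in memory so the script runs offline; a real
STA would replace constructed_resolver() with an actual CERT query.
"""
import base64
import struct
from typing import Callable, Dict, List, Optional, Tuple

CERT_TYPE_PKIX = 1   # RFC 4398: X.509 certificate as per PKIX; the type Direct uses
CERT_TYPE_PGP = 3    # in the constructed zone only to show that non-PKIX records are skipped


def build_cert_rdata(cert_type: int, key_tag: int, algorithm: int, certificate: bytes) -> bytes:
    """Wire-format CERT RDATA: type(2) | key tag(2) | algorithm(1) | certificate."""
    return struct.pack("!HHB", cert_type, key_tag, algorithm) + certificate


def parse_cert_rdata(rdata: bytes) -> Dict[str, object]:
    """Split CERT RDATA into its fields; rejects records shorter than the fixed header."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA shorter than its 5-byte fixed header")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return {"type": cert_type, "key_tag": key_tag, "algorithm": algorithm, "certificate": rdata[5:]}


def cert_presentation(rdata: bytes) -> str:
    """RFC 4398 presentation form: '<type> <key tag> <algorithm> <base64 certificate>'."""
    f = parse_cert_rdata(rdata)
    return f"{f['type']} {f['key_tag']} {f['algorithm']} {base64.b64encode(f['certificate']).decode('ascii')}"


def parse_cert_presentation(text: str) -> bytes:
    """Inverse of cert_presentation(); also accepts the PKIX mnemonic in the type field."""
    parts = text.split()
    if len(parts) < 4:
        raise ValueError("malformed CERT presentation record")
    type_field = parts[0].upper()
    cert_type = CERT_TYPE_PKIX if type_field == "PKIX" else int(type_field)
    certificate = base64.b64decode("".join(parts[3:]))  # base64 may be split across whitespace
    return build_cert_rdata(cert_type, int(parts[1]), int(parts[2]), certificate)


def discovery_names(direct_address: str) -> List[str]:
    """Names to query, most specific first: address-bound (local@domain -> local.domain),
    then domain-bound. Assumption: this '@' -> '.' rewrite and query order is the
    Section 5.0 rule. DNS names are case-insensitive, so the names are lower-cased."""
    local, sep, domain = direct_address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a Direct address: {direct_address!r}")
    return [f"{local}.{domain}".lower(), domain.lower()]


Resolver = Callable[[str], List[bytes]]


def discover_certificates(direct_address: str, resolve_cert: Resolver) -> Tuple[Optional[str], List[bytes]]:
    """Return (name that answered, [DER certificates]) or (None, []) if nothing is published.
    Only PKIX-typed records count; an address-bound answer ends the search, so a
    domain-bound certificate never overrides a more specific one."""
    for name in discovery_names(direct_address):
        fields = [parse_cert_rdata(r) for r in resolve_cert(name)]
        certs = [f["certificate"] for f in fields if f["type"] == CERT_TYPE_PKIX]
        if certs:
            return name, certs
    return None, []


# --- Constructed data (not real certificates): opaque byte strings stand in for DER ---
ADDRESS_CERT_DER = b"DER-stand-in-for-drjones@direct.example.org"
DOMAIN_CERT_DER = b"DER-stand-in-for-direct.example.org"

CONSTRUCTED_ZONE: Dict[str, List[bytes]] = {
    "drjones.direct.example.org": [build_cert_rdata(CERT_TYPE_PKIX, 0, 0, ADDRESS_CERT_DER)],
    "direct.example.org": [
        build_cert_rdata(CERT_TYPE_PGP, 0, 0, b"not-an-x509-cert"),  # skipped: wrong type
        build_cert_rdata(CERT_TYPE_PKIX, 0, 0, DOMAIN_CERT_DER),
    ],
}


def constructed_resolver(name: str) -> List[bytes]:
    """Stand-in for a CERT query; an empty list models NXDOMAIN / NODATA."""
    return CONSTRUCTED_ZONE.get(name.lower(), [])


if __name__ == "__main__":
    for addr in ("drjones@direct.example.org", "nurse@direct.example.org", "x@nowhere.example"):
        name, certs = discover_certificates(addr, constructed_resolver)
        print(f"{addr} -> {name} ({len(certs)} PKIX certificate(s))")
```

With a real resolver library the stand-in would be replaced by a query for the CERT RR type (for instance dnspython's `dns.resolver.resolve(name, "CERT")`, whose rdata objects expose the same four fields), but two points of the example hold regardless of library. First, the address-bound name is tried before the domain-bound name, so a per-address certificate takes precedence over the organization's certificate. Second, a CERT answer is only as trustworthy as the DNS response that carried it; unless the zone is DNSSEC-signed and the response validated, discovery establishes nothing about authenticity. The discovered certificate must still pass the Trust Verification that the Synopsis lists as a REQUIRED capability (chaining to a configured trust anchor, validity period, revocation) before an STA uses it to encrypt to the recipient.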