Security & Trust Meeting 2010-04-29
Notes from Security & Trust Workgroup
Status of Notes: DRAFT
Date: April 29, 2010
Time: 2pm-3pm
Attendees: Arien Malec, Laurie Tull, Fred Trotter, Justin Stauffer, Richard Floyd, John Moehrke, Joel Ryba, Sean Nolan, Umesh Mada, Ron Cordell & Brett Peterson
Actions for This Week
| # | Date | Action | Status | Owner | Due Date |
|---|---|---|---|---|---|
| 12 | 4/29/10 | Group will read and comment on Basic Trust Model: http://nhindirect.org/Basic+Trust+Model | Open | All | 5/6/10 |
Actions from Last Week
| # | Date | Action | Status | Owner | Due Date |
|---|---|---|---|---|---|
| 11 | 4/15/10 | Create a definitive statement on trust enablement for NHIN Direct for Workgroup consensus and Implementation Group consensus by the 5/6 meeting. Statement should cover the level of trust, the handling of different roles, etc… | Closed | Fred Trotter & Sean Nolan | 4/22/10 |
Notes
- Walter Sujansky will walk us through his presentation on experiences in trust while developing CA Architecture. This presentation can be found here: [1]
- Proposed Technical Architecture
- Entity Registry Service
- Responsibilities of a Registered Legal Entity (1)
- Provider Directory Entries
- Provider Identity Service
- Example: Hospital Discharge Summary
- Summary:
- The Core CS-HIE Services are intended to provide
- 1. A trust infrastructure in which parties can determine the authenticity of HIE transactions that they receive from arbitrary counterparties
- 2. A directory infrastructure in which parties can determine where and how to direct HIE transactions intended for specific recipients via the internet
- Much technical and policy work remains to flesh out the design of these services
- Define the policies surrounding the HIE certificate authority and the granting of Entity Registry entries
- Define the technical design of Entity Registry entries and Provider Directory entries
- Define the technical design of authentication and authorization assertions
Fred Trotter discusses the Security & Trust WG Basic Trust Model: http://nhindirect.org/Basic+Trust+Model
- This should ideally be two documents
- Technical document
- Individual and group certs need to be different
- Addressing WKG is also dependent on this
- How are we handling different classes of certificates
- Create consensus around this and define how we want to do it
- Work with addressing group to decide how we are doing this
- Coordination between addressing certificates and security certificates
- Comment from Arien
- NPI as a new item
- Only clinicians can have NPIs
- How would you accommodate something like an immunization registry, or a quality registry?
- Comment from John Moehrke
- NPI is not a security role
- The NPI could become a mandatory value
- Don’t need to discover a certificate out of band, you can discover the endpoint in band
- Agreed a directory is out of scope?
- Don’t mandate a certificate management structure
- Comment from Sean Nolan
- Why do we need this mechanism to describe the difference between the role of the address
- Open issue: group/individual
- Working on an “email for help” model
- Distinction between the endpoint at the indicated address in the directory entry (endpoint we consider to be a health network node)
- DEA role takes the same approach
- Can’t offer a consensus document at the Face-to-Face
- Walter: trust model with multiple assertions
- Could we get to a simpler model if it were just push
- Most of the headings go back to the old, agreed upon headings
- Please say: I disagree with what you’ve said vs. how you’ve said it
Items not discussed
- Any further comments wiki discussions:
- Org. vs individual certificates
- HISP narratives for discussion
- Message forwarding and messages to groups
- Jonathan G. to propose the other two "As" going forward.