California Trust Bundle Pilot

This page describes the implementation of trust bundles for a pilot implementation of the California Trust Framework (or the "CTF Pilot"). This trust framework will likely become the basis for the California Trusted Exchange Network (CTEN) envisioned by the California Association of Health Information Exchanges (CAHIE).
 
 

Trust Bundle Usage within the Community

The CTF Pilot concentrated on the policies, practices, and technologies to enable inter-organizational exchange (i.e., between HIOs, IDNs or other enterprise HIEs, etc) using Direct and Exchange specifications, as well as a federated provider directory architecture. Currently, the CTF Pilot publishes trust bundles for using Direct Project specifications to exchange health information among providers for treatment purposes, using query/response Exchange specifications to exchange health information among unaffiliated organizations for treatment purposes (i.e., Patient Discovery, Query for Documents, and Retrieve Documents), and federated provider directories using HPD specifications. Organizations on-boarded for inclusion into the the Direct, Exchange, or provider directory trust bundles must conform to policies and practices listed on the CHeQ wiki pages describing the California Trust Framework Pilot.
 
 

Technical Details

Production and staging trust bundles conforming to the Implementation Guide for Direct Project Trust Bundle Distribution Version 1.0 are published at [1]. Trust bundles are published by the California Health eQuality program as an unconditionally-conforming publisher, funded under California’s State HIE Cooperative Agreement Program. Trust bundles for Direct and Exchange include both production and staging bundles, the latter used for testing purposes during on-boarding procedures. The provider directory trust bundle is published without a corresponding staging/testing bundle.
 
  CHeQ is testing use of the Java tools developed as part of the Direct Reference Implementation to create its trust bundles.
 
 

Trust Bundle Packaging

The CTF Pilot publishes unsigned trust bundles with metadata. This format was selected to:
 
 

1. enable manual installation of trust anchor certificates using standard MS Windows tools until organizations update to automated means, and
2. discourage out-of-band distribution via email or other mechanisms.

But the end of the CTF Pilot, most of the Direct services had implemented the trust bundle content or distribution standards as a requester and therefore were using automated retrieval and installation. However, Exchange gateways and emerging provider directory implementations continue to update their trust stores using manual methods. The use of signed trust bundles and the requirement for specialized software to manage them was thought to be an undo barrier for the purposes of a pilot.

Metadata includes the full description of the trust profile, a “valid from” date comprising the date the trust bundle was created and published, and trust anchor certificate issuer and serial number information for all certificates included in the trust bundle. It does not include a "valid to" date. See the publication site for a listing of metadata included in each trust bundle.

Trust Bundle Distribution

Trust bundles are currently published at [2] conforming to the Implementation Guide for Direct Project Trust Bundle Distribution for unsigned trust bundles.
 
 

Trust Bundle Requesters

By the end of the CTF Pilot, all organizations implementing Direct had implemented the standards for automatic request and installation of trust bundles.
 
 

Findings

• It would be useful to include the organization to which the trust anchor certificate was issued, in addition to the issuer, in the trust bundle metadata. The issuer is of limited utility to many trust community members in identifying a trust anchor.
• While most Direct services implemented the trust bundle standards to retrieve and install trust bundles as Requesters, they found it difficult to manage anchors in their trust stores if they had installed multiple bundles and/or some point-to-point trust agreements and anchor exchanges.
• It was possible to implement a scalable trust framework for Exchange as well as Direct using the trust bundle mechanism as a replacement for the centralized certificate authority used by eHealth Exchange.
• It was possible to implement a scalable trust framework for California's federated provider directory architecture using the trust bundle mechanism as well. However, it proved of limited utility, as most participants chose not to implement peer-to-peer query connections which the trust bundle helped facilitate.