Agenda

1. Discussion of the consensus draft statement up to and including the "Trust Beyond the Direct PKI Model."

Do you have any problems or questions with those sections where there is no red text? Are we able to reach consensus on those sections? If so, fine. If not, then where does the disagreement lie?

2. A "straw man" scenario, to take the trust temperature of the group members.

Suppose that there were an organization entitled DirectTrust.org. Suppose further that the two main responsibilities of this organization were:
a. To maintain a Direct Trust Store of Signing-CA root certificates that have qualified for "trustworthiness" via some method of certification. HISPs that used these root certs to sign organizational and individual certs would be assumed to have reached a level of standards, similar to but not necessarily the same as the FBCA criteria, and would therefore trust each other when approached with messages for delivery to their members.
b. To maintain and enforce a set of practices and rules which HISPs would agree to abide in order to be trusted in matters not specifically related to CA standards. These would include rules against spamming, identity spoofing, and could also pertain to authentication and ID proofing by HISPs and the organizations they serve. Protection of privacy would certainly be one of these best practices.

Discussion -- if this scenario were actual, would this provide a level of trust such that Direct exchange would occur unimpeded between HISPs who agreed to these rules?

• Note, this is NOT the same as asking "do you like this arrangement?" This is NOT a discussion of the practicality of such an arrangement.
• The idea is to determine whether or not such an arrangement -- in principle -- would establish HISP-HISP trust sufficient that Direct exchange would occur on a wide scale.
• If there is consensus about this, then I suggest we might then try to "peel back the onion" to see what are the advantages and disadvantages of such a scenario. And that would help us to fill in the blanks of the Consensus Statement in the sections that are unfinished.

Meeting Action Items

Clarify PKI definition in Rules of Road Doc - John to work with Brett to update document appropriately	John O	5/6/11
Complete red sections of rules of the road document	David K, David M, Brett P	5/6/11
Investigate splitting into focused workgroups to tackle open issues	David K	5/6/11

Attendees

• David Kibbe (AAFP) co-chair
• David McCallie (Cerner)
• Steven Waldren (AAFP)
• Brett Peterson (ABILITY) co-chair
• Noam Arzt
• Pat Pyette (Inpriva)
• Dan Kazzaz (Secure Exchange Solutions)
• Don Jorgenson (Inpriva)
• Pete Palmer (for Mark Gingrich)
• John Odden
• Sri Koka
• Brian Ahier
• Umesh Madan
• Boris Shur (Secure Exchange Solutions)
• Ryan Rubino (RIQI)

Meeting Notes

Review the Rules of the Road document to see if there is consensus on the initial sections (up to the ‘Trust Beyond the Direct PKI Model’ section)
o David Kibbe – opened conversation
§ Everyone on the same page?
o David McCallie – granularity will likely need further definition
§ Currently we have coarse-grained and fine grained designations
§ We should also have third level in the middle
o Dan Kazzaz
§ Document does not cover discovery
· David Kibbe: This is in red text and will need to be defined further
o John Odden
§ Second paragraph of the intro potentially requires some clarity around math based statements.
§ Perhaps we should form a separate group to work on this but we probably don’t need this much detail in this document
§ Group was asked if anyone wanted to dive deeper into this topic
· Everyone was content
§ PKI – the PKI definition and text may need some clarity
· David Kibbe asked John to work with Brett to clarify language around PKI
· John accepted
§ Would anyone object if this read “While these principals” instead of “while these mathematical principals”?
· Potential update for the document
o Umesh – rules of the road for CAs
§ “Must be maintained” wording could be a little strong
§ Important that a company can establish trust with any other organization without jumping through regulatory/approval hoops

New Topic – what is everyone’s comfort level with the current definition and understanding of what denotes Trust
o David Kibbe
§ What is groups’ temperature on trust? What does this mean?
§ Direct Trust.org… how does everyone feel about this?
o David McCally
§ We need to define what it means to trust someone from a technical standpoint
§ How do we prevent fragmentation as much as possible?
§ Direct Trust.org is an example
§ Define the rules of the road of what it takes to be a participatory HISP
o Brett – good
o Noam – wants to think more
o Pat – some reservation
§ Things in red in the document will probably need to be flushed out first
§ Don’t hold up this thought process and focus on rules of the road clarity
o Dan – great idea
§ Trust relationship that gets established happens on peer to peer level
§ Trust.org could establish trust but could also be directory of trust
o Don – want to make sure this structure accommodates HISPS that are not currently part of this group
o Brian – agrees conceptually but this needs much more detail
o Umesh –
§ Thinks global trust is very difficult
§ This might be interesting for an org to do this but this should be completely optional
§ This could be like a gold label
§ This should be purely voluntary and should not get in the way of two individuals exchanging a direct message
§ David M – ONC will be coming out with standards soon
· They will probably require a standards model
· People can use the direct protocols all you want
· But if you want to be associated with NHIN there will likely be a governance model
· Create the lowest possible barrier to establish trust with the NWIN regs in mind
o Boris
§ Concept of central trust is normal and could be an achievable goal

New Topic - How should we view granularity? What is appropriate level?
o David Kibbe
§ Opened conversation
o Brett
§ Need to find happy medium
§ We should have a lot of “should” statements in the document
§ We don’t necessarily need oversight
· But government may need to have oversight
o John
§ National organization could help smaller vendors
· Could Direct Trust.org help a smaller HISPs play with the big companies like Microsoft?
o Sri – agree with umesh
§ Two companies should be able to work with each other if they want to

David Kibbe
o What Brett, David K, David M will to do is to start address the red issues in the document
§ Perform this work as a starting point to work through the rest of these issues
o Need to think more about splitting this work group