Security & Trust Meeting 2010-05-27
Notes from NHIN Direct Security & Trust Meeting
Date: May 27, 2010
Time: 2pm-3pm
Attendees:
Brian Behlendorf, Nick Radov, Peter Clark, David McCallie, Richard Floyd, Vassil Peytchev, John Moehrke, Umesh Madan, Sean Nolan, Konda Mullapudi, Ron Cordell, Jack Ousey, Donald Bechtel, Walter Sujansky, Pete Palmer, Mike Davis, Brett Peterson, Don Jorgensen, Fred Trotter, Arien Malec, Kristina Kermanshahche
Actions from today
| # | Date | Action | Status | Owner | Due Date |
|---|---|---|---|---|---|
| 26 | 5/27/10 | Clarification on the must/should language on the individual certificates. | Open | Sean | |
| 27 | 5/27/10 | Sean to put out a vote for consensus by tonight. | Closed | Sean | 5/27/10 |
Actions from 5/24/2010
| # | Date | Action | Status | Owner | Due Date |
|---|---|---|---|---|---|
| 24 | 5/24/10 | Update the Keys for Consensus wiki page based on today’s discussion | Open | Sean | 5/25/10 |
| 25 | 5/24/10 | Review the updated Keys for Consensus wiki page in advance of consensus vote on 5/27 | Open | WG | 5/27/10 |
Agenda
- Review action items from last week
- Around the room -- present any remaining specific issues with S&T Consensus Proposal v3. Limited discussion, goal is to collect outstanding issues that will cause NO votes.
- Discuss as needed
Desired Outcome: Formal workgroup call for consensus on wiki page by end of day.
Notes
| Name | Issues |
|---|---|
| Brian Behlendorf | No issues. There was an issue Brett brought up regarding the fact that you can encrypt but you still show that a patient is communicating with a provider. Do we want parties in the middle to be prevented from knowing that? |
| Nick Radov | No issues |
| Peter Clark | None |
| David McCallie | None. SMIME can leverage existing MIME channels which are not necessarily TLS compliant. |
| Richard Floyd | No |
| Vassil Peytchev | 2.4 and 2.6, if they are issues. 2.4 - Reservations about using domain and endpoint. This presupposes a particular implementation. To and from addresses having to be email addresses causes problems where end to end email implementation does not exist. We can let this be for now. |
| John Moehrke | Remind the implementers that they have to do a risk assessment. |
| Umesh Madan | No |
| Sean Nolan | No |
| Konda Mullapudi | No |
| Ron Cordell | No |
| Jack Ousey | No |
| Donald Bechtel | No |
| Walter Sujansky | None with the model given updated scope of the WG. |
| Pete Palmer | None |
| Mike Davis | In 2.4, where we are talking about the ability to use certificates generated by the participants themselves. Leverage existing infrastructures before resorting to proprietary solutions. |
| Brett Peterson | No issues with the document. |
| Don Jorgensen | 1) In the first sentence, the network is going to be a ‘secure channel’ vs. ‘secure methods’. 2) Exclusivity of X.509. |
| Fred Trotter | 2.7 - Needs to be more specific. Personally identifiable information should be encrypted. |
| Arien Malec | No objections 2.4, 2.6. Concerned about an IHE implementation. Warrants some rewording. |
| Kristina Kermanshahche | Specificity around encryption. |
Discussion on what constitutes PHI being exposed. Do addresses expose PHI?
Comment by David McCallie
Assume that a full address is PHI and a health domain is not.
Comment by Sean
What we are saying does not preclude use of any authorities for credentials, but might tilt people toward doing non-standard things.
Discussion about the ICAM certificate/model framework. [1]