Security & Trust Meeting 2010-10-14
Date: October 14, 2010
Time: 2:00pm-2:30pm
Attendees: Tim Andrews, Uvinie Hettiaratchy, David Houlding, Dave Juntgen, Arien Malec, John Moehrke, Pete Palmer, Brett Peterson, Caitlin Ryan, John Williams
Current Actions
| # | Date | Action | Status | Owner | Due Date |
|---|---|---|---|---|---|
| 49 | 2010/08/26 | Create a one page document further explaining the LDAP issue to be submitted to the Security and Trust WG at large for approval | Open | John Moehrke | 2010/09/02 |
| 57 | 2010/09/09 | Explore participation in the IHE North America Connectathon 2011 and a demo for the 2011 HIMSS Annual Conference | Open | Arien Malec, Didi Davis | On-going |
| 60 | 2010/10/14 | Direct Project Security Overview: Read, provide feedback and vote on the Call for Consensus | Open | Entire WG | TBD |
| 61 | 2010/10/14 | Certificate Pilot Recommendations: Read, provide feedback and vote on the Call for Consensus | Open | Entire WG | TBD |
| 62 | 2010/10/14 | Duplicate risk assessment for the XD* Conversions for Direct Messaging specification | Open | John Moehrke | 2010/10/21 |
| 63 | 2010/10/14 | Review the XD* Conversions for Direct Messaging and edit upcoming risk assessment (see action item 62) | Open | Tim Andrews, David Houlding, Dave Juntgen, John Moehrke | 2010/10/28 |
Last Month's Actions
| # | Date | Action | Status | Owner | Due Date |
|---|---|---|---|---|---|
| 49 | 2010/08/26 | Create a one page document further explaining the LDAP issue to be submitted to the Security and Trust WG at large for approval | Open | John Moehrke | 2010/09/02 |
| 51 | 2010/08/26 | Bring following items up for consensus vote in WG: | CLOSED | Sean Nolan | 2010/09/02 |
| 57 | 2010/09/09 | Explore participation in the IHE North America Connectathon 2011 and a demo for the 2011 HIMSS Annual Conference | Open | Arien Malec, Didi Davis | On-going |
| 58 | 2010/09/09 | Coordinate preparation of an XDD Threat Model (when time is appropriate) | TABLED | Sean Nolan | On-going |
| 59 | 2010/09/09 | Bring the Content Security for Simple Health Transport specification to the attention of the Documentation and Testing WG | CLOSED | John Moehrke | 2010/09/15 |
Agenda
- XD* Conversions for Direct Messaging
- Direct Project Security Overview
- Open Discussion
Notes
Arien Malec
- Identified two orders of business for the meeting
- Direct Project Security Overview
- Review the document created by the Documentation and Testing WG
- Provide feedback in the form of comments
- Decide whether or not to support advancing to the Implementation Group for consensus
- XD* Conversions for Direct Messaging
- Launch a focused sub-team to perform a risk assessment of the XD* Conversions for Direct Messaging specification (formerly the "XDD specification")
- Follow procedure similar to the previous Threat Models
- Aim to eventually incorporate the XD* risk assessment into that document
- Direct Project Security Overview
- Suggested attacking these issues in the most expeditious manner
- Liked the idea of not doing the risk assessment as an entire group
XD* Conversions for Direct Messaging - Threat Model
Arien Malec
- Solicited volunteers for a focus group to perform a risk assessment of the XD* Conversions for Direct Messaging document
Round the Room
- Summary
- Yes: John Moehrke, Tim Andrews, Dave Juntgen, David Houlding (Review Capacity)
- No: Peter Palmer, Brett Peterson
John Moehrke
- Responded Yes
Tim Andrews
- Responded Yes
David Houlding
- Responded Yes
- Qualified "yes" by adding only in a "review capacity"
Dave Juntgen
- Responded Yes
Peter Palmer
- Responded that he could not commit at this time
Brett Peterson
- Responded that he could not commit at this time
Discussion on Next Steps
John Moehrke
- Volunteered to duplicate and send around to the focus group
- Suggested following next steps:
- Examine what is there
- Are there any risks on there not applicable to the XD* environment?
- Are there any risks not there that need to be addressed?
- Move forward to assess the impact:
- Likely to end up with half a dozen additional issues
- Simply due to the way that XD* is laid out
- Indicated that upon sending out the document, John Moehrke will include pointers to the Deployment Models and appropriate specifications
- This is in case the XD* focus group members are not as familiar with said documents
Direct Project Security Overview
Arien Malec
- Direct Project Security Overview needs to be reviewed from a security perspective
John Moehrke
- Suggested bringing the document to the Security and Trust WG for a Call for Consensus
- If issues arise in the Consensus process, they can determine the next steps then
- The current document is a fairly "mature" model which was assembled by:
- Dragon Bashyam
- John Moehrke
- Will Ross
- Indicated that he will send around requesting WG members to review and comment
Arien Malec
- Requested that all Security and Trust WG members read, provide comments and vote on the Direct Project Security Overview
Open Discussion
Arien Malec
- Informed WG there will be additional work after the XD* risk assessment is completed
- Asked if there were any further agenda items
John Moehrke
- Asked about the efforts to put together something regarding certificate issuance
Arien Malec
- Responded that this was completed through the Best Practices WG
- Commented that this has been "consensus-ed" out of the Best Practices WG
- Sent to the Implementation Geographies WG for their input
- Recognized that this should also be reviewed by the Security and Trust WG
John Moehrke
- Asked if the focus of the document was to provide guidance for the Implementation Geographies
Arien Malec
- Responded that John Moehrke was correct
- The document is aimed at a policy level
- Not so much a technical level
- But it would still be wise to have the Security and Trust "eye" over it
John Moehrke
- Asked if a projected outcome was to make a more generic version of that to be applicable beyond the pilot projects
Arien Malec
- Responded that it could be more general
- Indicated that the intent of this particular document was to provide guidance to the Implementation Geographies
- Written from the perspective of a HISP as an organizational entity
- Would also be helpful to have a version where the HISP is a function
- The sending organization would have its own HISP
John Moehrke
- Asked if those additions should be included in a second version or added to what is already there
Arien Malec
- Responded that they should create a separate document
- This is due to the fact that the Certificate Pilot Recommendations were crafted specifically for the Implementation Geographies
- Re-capped the action items
- John Moehrke and his focus group will do a first cut of the risk assessment for the XD* Conversions for Direct Messaging specification
- John Moehrke will first replicate the existing threat assessments and look for potential changes
- He will then send out this initial risk assessment to the focus group for review
- The Direct Project Security Overview will move to a WG for Call for Consensus
- The Certificate Pilot Recommendations will also move to a WG for Call for Consensus
- Look for changes that can be made to the existing document
- Open to suggestions for a different document with a broader set of use-cases