Trust Bundle Technical Approach Discussion

From Direct Project
This wiki page exists to facilitate discussion of the Trust Bundle distribution technical approach, which will be used in the different contexts identified by the user stories. The technical approach will guide the creation of the implementation guide for Trust Bundle distribution.

Trust Bundle Actors and Transactions

The key actors and transactions for the technical approach are outlined in the diagram below:

(Diagram: Trust Bundle Context.jpg)

Technical Approach Discussion Topics


The following are discussion topics related to the standards, protocols and content. The initial thoughts are based on work performed in the ABBI initiative and on the Implementation Guide straw man that was circulated.


Column headings: Discussion Topic | Initial Thoughts | SWG Comments (the SWG Comments column is empty on this page)

Discussion Topic: Distribution via Query/Retrieve protocols vs. Push
Initial Thoughts: Query/Retrieve is being discussed in ABBI as the solution. It allows the requestor to download the trust bundle as needed, based on its local policies, and keep it updated.

Discussion Topic: Type of data (payload) that is being downloaded
Initial Thoughts: No PII or PHI; the payload is essentially a list of public keys.

Discussion Topic: Transport protocol
Initial Thoughts: HTTP (RFC 2616) provides the required query/response capability and can be secured as required for the use case.

Discussion Topic: Transport security (message integrity and confidentiality in transit)
Initial Thoughts: TLS 1.0 (RFC 2246) provides the message integrity and confidentiality in transit required for the use case.

Discussion Topic: Authentication
Initial Thoughts: TLS server authentication is sufficient for the use case. Requestors are not authenticated during the transactions (no TLS client authentication); this amounts to one-way TLS.

Discussion Topic: Request / Response
Initial Thoughts: Should we use a RESTful interface with the Trust Bundle as the resource, e.g.
<TrustOrganization>/BasicTrustBundle ?
Potentially, new resource types could be added to indicate other kinds of Trust Bundle, such as a Behavioral Health Trust Bundle.

Discussion Topic: Trust Bundle payload and packaging
Initial Thoughts: PKCS#7 SignedData or unsigned data, as specified in RFC 5652, provides a standard way to package the trust anchors.

Discussion Topic: Incremental updates vs. complete bundle as payload in each response
Initial Thoughts: Do we need to consider incremental updates in the response (and indicate them accordingly), or should we start with a complete Trust Bundle package download on each request and refine it later as we get further along?
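As an added illustration of the packaging and authentication rows above (example code written for this page, not Direct Project or ABBI code), the following Python builds a certs-only PKCS#7/CMS SignedData, the RFC 5652 degenerate case with no signers that an unsigned bundle corresponds to, and parses the anchors back out, reporting whether the bundle carried signers. The certificate blobs are constructed placeholders, not real X.509 anchors.

```python
# Added example (not Direct Project or ABBI code): build and parse a certs-only
# CMS/PKCS#7 SignedData, RFC 5652's degenerate case with no signers.
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1

def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def certs_only_bundle(cert_ders):
    # SignedData ::= SEQUENCE { version, digestAlgorithms, encapContentInfo,
    #   certificates [0] IMPLICIT OPTIONAL, crls [1] OPTIONAL, signerInfos }
    signed = tlv(0x30, tlv(0x02, b"\x01")                  # version 1
                 + tlv(0x31, b"")                          # no digest algs
                 + tlv(0x30, tlv(0x06, OID_DATA))          # id-data, empty
                 + tlv(0xA0, b"".join(sorted(cert_ders)))  # anchors, DER-sorted
                 + tlv(0x31, b""))                         # no signerInfos
    # ContentInfo ::= SEQUENCE { id-signedData, [0] EXPLICIT SignedData }
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, signed))

def children(body):
    """Split a DER body into (tag, value, raw_encoding) elements."""
    out, pos = [], 0
    while pos < len(body):
        start, tag, n, pos = pos, body[pos], body[pos + 1], pos + 2
        if n & 0x80:
            k = n & 0x7F
            n, pos = int.from_bytes(body[pos:pos + k], "big"), pos + k
        out.append((tag, body[pos:pos + n], body[start:pos + n]))
        pos += n
    return out

def extract_anchors(bundle):
    """Return (certificate DERs, signed?). An unsigned bundle carries no
    integrity of its own: the requestor relies on TLS server authentication."""
    (tag, ci, _), = children(bundle)
    (ctag, ctype, _), (etag, content, _) = children(ci)
    if (tag, ctag, ctype, etag) != (0x30, 0x06, OID_SIGNED_DATA, 0xA0):
        raise ValueError("not a ContentInfo of type id-signedData")
    (_, signed, _), = children(content)
    fields = children(signed)                 # positional, see ASN.1 above
    certs = next((v for t, v, _ in fields[3:-1] if t == 0xA0), b"")
    anchors = [raw for t, _, raw in children(certs) if t == 0x30]  # Certificate only
    return anchors, fields[-1][1] != b""      # non-empty signerInfos => signed
# Constructed stand-ins for real X.509 trust anchors (not valid certificates).
PLACEHOLDER_ANCHORS = [tlv(0x30, tlv(0x04, b"anchor-" + n)) for n in (b"A", b"B", b"C")]
```

A real distributor would place actual DER certificates in `PLACEHOLDER_ANCHORS`; the requestor side then applies its local policy to the returned anchors.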

Implementation Guide

The latest and current implementation guide based on the initial draft by Greg Meyer.