[WG-IDAssurance] FW: ONC Recommendations
Palmer, Pete
Pete.Palmer at surescripts.com
Fri Feb 4 18:57:50 EST 2011
Here is a timely piece of information forwarded to us by Rich Furr of SAFE Bio-Pharma. Thanks, Rich!
As you probably noticed, there was quite a lot of press coverage this week of the official launch of the next phase of the "Direct Project" project (http://directproject.org/).
Here is a good link:
http://is.gd/7CMEm6
Have a great weekend.
Pete
---
Please see the attached recommendation from the ONC Privacy and Security Tiger team that was issued in June 2010. Most of the members of this team are now part of the Direct Project Security Work Group (me included) which is working to set the policies for the National Health Information Network.
I have highlighted key provisions to wit:
These security protocols and technologies will determine what "language" that given policies must speak. Most notably the decision to use the IETF X.509 standards for a PKI-based infrastructure will force NHIN Direct users to create trust policies that speak in terms of certificates, public key infrastructure and certificate authorities. Other protocol and technology decisions will have similar policy language implications; and
2.1 Use of x.509 Certificates. The NHIN Direct protocol relies on agreement that possession of the private key of an x.509 certificate with a particular subject assures compliance of the bearer with a set of arbitrary policies as defined by the issuing authority of the certificate; and
2.5 Sender identification. NHIN Direct messages must be reliably linked to the public certificates possessed by the sender, through standard digital signatures or other means that match the certificate subject to the sender's address or health domain. Implementations must reject messages that are not linked to valid, non-expired, non-revoked public certificates inheriting up to a configured Anchor certificate per 2.2.
2.6 Encryption. NHIN Direct messages sent over unsecured channels must be protected by standard encryption techniques using key material from the recipient's valid, non-expired, non-revoked public certificate inheriting up to a configured Anchor certificate per 2.2. Normally this will mean symmetric encryption with key exchange encrypted with PKI; and
". Implementations should also ensure that users can leverage existing credential management programs; for example, ICAM in the federal space (see related links).
It is interesting to note that Kantara is included in the related links section of the recommendations.
I also include URLs for the various key Direct Project Work Groups:
http://wiki.directproject.org/Security+and+Trust+Workgroup
http://wiki.directproject.org/Best+Practices+Workgroup
http://wiki.directproject.org/Implementation+Group+%26+Our+Workgroups
Rich
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Security and Trust Consensus Proposal.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 20709 bytes
Desc: Security and Trust Consensus Proposal.docx
Url : http://kantarainitiative.org/pipermail/wg-idassurance/attachments/20110204/d5241906/attachment-0001.bin
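
The acceptance rule quoted in provision 2.5 above (subject matches the sender's address or health domain; every certificate valid, non-expired and non-revoked; chain ends at a configured Anchor) can be sketched as follows. This is an added example, not part of the original message or any Direct Project code; the `Cert` model, function names and sample data are assumptions, and signature verification is assumed to be done elsewhere.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class Cert:  # simplified stand-in for a parsed X.509 certificate (assumption)
    subject: str                      # e-mail address or health domain
    serial: str
    not_before: datetime
    not_after: datetime
    issuer: Optional["Cert"] = None   # None for a self-issued root

def subject_matches(subject: str, sender: str) -> bool:
    """2.5: subject must match the sender's address or its health domain."""
    subject, sender = subject.strip().lower(), sender.strip().lower()
    _, at, domain = sender.rpartition("@")
    if not at:
        return False                  # sender is not an address at all
    return subject == sender if "@" in subject else subject == domain

def check_sender(sender, leaf, anchors, revoked, now, signature_ok):
    """Return (accepted, reason) for one inbound message."""
    if not signature_ok:              # signature verification is done elsewhere
        return False, "signature not linked to certificate"
    if not subject_matches(leaf.subject, sender):
        return False, "subject does not match sender"
    cert, depth = leaf, 0
    while cert is not None and depth < 8:     # bounded walk up the chain
        if not cert.not_before <= now <= cert.not_after:
            return False, "expired or not yet valid: " + cert.subject
        if cert.serial in revoked:    # real CRLs key on issuer + serial
            return False, "revoked: " + cert.subject
        if cert in anchors:
            return True, "chains to configured anchor"
        cert, depth = cert.issuer, depth + 1
    return False, "no path to a configured anchor"

# Constructed sample data; names, serials and dates are illustrative only.
def utc(year): return datetime(year, 1, 1, tzinfo=timezone.utc)
ANCHOR = Cert("Example Anchor CA", "01", utc(2010), utc(2030))
OTHER_ROOT = Cert("Unconfigured CA", "09", utc(2010), utc(2030))
ORG = Cert("direct.clinic.example", "02", utc(2011), utc(2014), ANCHOR)
STRAY = Cert("direct.clinic.example", "03", utc(2011), utc(2014), OTHER_ROOT)

if __name__ == "__main__":
    for leaf in (ORG, STRAY):
        print(check_sender("dr.a@direct.clinic.example", leaf,
                           {ANCHOR}, set(), utc(2012), True))
```

The domain comparison is an exact match, so a certificate issued for a parent domain does not cover senders in a subdomain in this sketch.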