Security and Privacy Workgroup Meetings Q1 2012

=2012 Q1 Meeting Minutes and Agenda=


**2012-04-13 T-con**
NO MEETING TODAY DUE TO S&I FRAMEWORK FACE-TO-FACE MEETINGS THIS WEEK



**2012-04-06 T-con**
Agenda: Roll – 1 min
 * Ann Clarke (LM)
 * Andrew Weniger
 * Antonio Perfeito (VA)
 * Ravi Cheekatai (Deloitte)
 * Benson Chang (Deloitte)
 * Bob Hall
 * Cbaba
 * - Chuck Hagen (Deloitte)
 * Charles Ndunda
 * Dan Vigano
 * Dave Colbert
 * David Colins
 * David Morris (LM)
 * - Dave Arvin (SSA)
 * David Degroot (Test Team)
 * David Roberts
 * Deborah Harris
 * Deborah Lafky
 * Didi Davis
 * Ed O'Connor
 * Elicia Buchsbaum (Deloitte)
 * Gavin O'Brien
 * George Varghese
 * Gee Chia
 * - Igor Kalmykov
 * James Rachin (ONC Test Team)
 * Jeff Tunkel
 * Jocelyn Dabeau
 * Joe Lamy (Nitor Group)
 * Joan DuHaime
 * John Donnelly
 * - John Moehrke (GE)
 * - Josh Abraham (SSA)
 * Judith Hutman (Mitre Group)
 * Kanwarpreet Sethi
 * Ken Salyards
 * Kiran
 * Karen Witting (IBM)
 * Laure Tull
 * Larry Burris
 * Les Westberg
 * - Marty Prahl
 * Mario Hyland
 * Mastan Ketha
 * - Michael Hunter (Test Team)
 * Michael Nenashev
 * Michael Talbot (VA)
 * Mike Levy (SSA)
 * Monalee Vyas
 * Neelie Bajaj
 * Negendra Midde
 * Nick Vennaro
 * Richard Ettema
 * Randy Sermons
 * Richard Thoreson
 * Sandy Stuart (KP)
 * Sanjay
 * Scott Robertson
 * - Seonho Kim
 * Sergei Haramundanis
 * Sourabh Pawar
 * Srinivasa Kukatla
 * - Shrikant Gajengi (SSA)
 * Seravina V
 * Steven Cason
 * Tom Davidson (SSA)
 * - Victoria Beatty
 * Wendy Laposata
 * - Eric Heflin (THSA)

Agenda:
 * 1) Any blocking issues
 * 2) Working session for the NwHIN CP document.
 * 3) Roundtable



**2012-02-10 T-con**
Agenda: Roll – 1 min
 * Ann Clarke (LM)
 * Andrew Weniger
 * - Antonio Perfeito (VA)
 * - Ravi Cheekatai (Deloitte)
 * - Benson Chang (Deloitte)
 * Bob Hall
 * Cbaba
 * - Chuck Hagen (Deloitte)
 * Charles Ndunda
 * Dan Vigano
 * Dave Colbert
 * David Colins
 * David Morris (LM)
 * - Dave Arvin (SSA)
 * - David Degroot (Test Team)
 * David Roberts
 * Deborah Harris
 * Deborah Lafky
 * Didi Davis
 * Ed O'Connor
 * Elicia Buchsbaum (Deloitte)
 * Gavin O'Brien
 * George Varghese
 * Gee Chia
 * James Rachin (ONC Test Team)
 * Jeff Tunkel
 * Jocelyn Dabeau
 * Joe Lamy (Nitor Group)
 * Joan DuHaime
 * John Donnelly
 * John Moehrke (GE)
 * - Josh Abraham (SSA)
 * Judith Hutman (Mitre Group)
 * Kanwarpreet Sethi
 * Ken Salyards
 * Kiran
 * Karen Witting (IBM)
 * Laure Tull
 * Larry Burris
 * Les Westberg
 * Marty Prahl
 * Mario Hyland
 * Mastan Ketha
 * Michael Nenashev
 * Michael Talbot (VA)
 * Mike Levy (SSA)
 * Monalee Vyas
 * Neelie Bajaj
 * Negendra Midde
 * Nick Vennaro
 * Richard Ettema
 * Randy Sermons
 * Richard Thoreson
 * - Sandy Stuart (KP)
 * Sanjay
 * Scott Robertson
 * Seonho Kim
 * Sergei Haramundanis
 * Sourabh Pawar
 * Srinivasa Kukatla
 * - Shrikant Gajengi (SSA)
 * Seravina V
 * Steven Cason
 * Tom Davidson (SSA)
 * Wendy Laposata
 * - Eric Heflin (THSA)

Agenda:
 * 1) Any blocking issues
 * 2) Working session for the NwHIN CP document
 * 3) Roundtable



**2012-02-03 T-con**
Agenda: Roll – 1 min
 * Ann Clarke (LM)
 * Andrew Weniger
 * Benson Chang (Deloitte)
 * Bob Hall
 * Cbaba
 * - Chuck Hagen (Deloitte)
 * Charles Ndunda
 * Dan Vigano
 * Dave Colbert
 * David Colins
 * David Morris (LM)
 * Dave Arvin (SSA)
 * David Degroot
 * David Roberts
 * Deborah Harris
 * Deborah Lafky
 * Didi Davis
 * Ed O'Connor
 * - Elicia Buchsbaum (Deloitte)
 * Gavin O'Brien
 * George Varghese
 * Gee Chia
 * James Rachin (ONC Test Team)
 * Jeff Tunkel
 * Jocelyn Dabeau
 * - Joe Lamy (Nitor Group)
 * Joan DuHaime
 * John Donnelly
 * - John Moehrke (GE)
 * Josh Abraham (SSA)
 * Judith Hutman (Mitre Group)
 * Kanwarpreet Sethi
 * Ken Salyards
 * Kiran
 * Karen Witting (IBM)
 * Laure Tull
 * Larry Burris
 * Les Westberg
 * Marty Prahl
 * Mario Hyland
 * Mastan Ketha
 * Michael Nenashev
 * Michael Talbot (VA)
 * - Mike Levy (SSA)
 * Monalee Vyas
 * Neelie Bajaj
 * Negendra Midde
 * Nick Vennaro
 * Richard Ettema
 * Randy Sermons
 * Richard Thoreson
 * - Sandy Stuart (KP)
 * Sanjay
 * Scott Robertson
 * Seonho Kim
 * Sergei Haramundanis
 * Sourabh Pawar
 * Srinivasa Kukatla
 * - Shrikant Gajengi (SSA)
 * Seravina V
 * Steven Cason
 * Tom Davidson (SSA)
 * Wendy Laposata
 * - Eric Heflin (THSA)

Agenda:
 * 1) Review VA OID issues.
 * 2) Any blocking Test or RI team issues.
 * 3) Working session for the NwHIN CP document.
 * 4) Roundtable





**2012-01-06 T-con**
Agenda: Roll – 1 min
 * Amram Ewoo (Deloitte)
 * Ann Clarke (LM)
 * Andrew Weniger
 * Benson Chang (Deloitte)
 * Bob Hall
 * Cbaba
 * - Chuck Hagen (Deloitte)
 * Charles Ndunda
 * Dan Vigano
 * Dave Colbert
 * David Colins
 * David Morris (LM)
 * Dave Arvin (SSA)
 * David Degroot
 * David Roberts
 * Deborah Harris
 * Deborah Lafky
 * Didi Davis
 * Ed O'Connor
 * - Elicia Buchsbaum (Deloitte)
 * Gavin O'Brien
 * George Varghese
 * Gee Chia
 * James Rachin (ONC Test Team)
 * Jeff Tunkel
 * Jocelyn Dabeau
 * - Joe Lamy (Nitor Group)
 * Joan DuHaime
 * John Donnelly
 * - John Moehrke (GE)
 * Josh Abraham (SSA)
 * Judith Hutman (Mitre Group)
 * Kanwarpreet Sethi
 * Ken Salyards
 * Kiran
 * Karen Witting (IBM)
 * Laure Tull
 * Larry Burris
 * Les Westberg
 * Marty Prahl
 * Mario Hyland
 * Mastan Ketha
 * Michael Nenashev
 * Michael Talbot (VA)
 * - Mike Levy (SSA)
 * Monalee Vyas
 * Neelie Bajaj
 * Negendra Midde
 * Nick Vennaro
 * Richard Ettema
 * Randy Sermons
 * Richard Thoreson
 * - Sandy Stuart (KP)
 * Sanjay
 * Scott Robertson
 * Seonho Kim
 * Sergei Haramundanis
 * Sourabh Pawar
 * Srinivasa Kukatla
 * - Shrikant Gajengi (SSA)
 * Seravina V
 * Steven Cason
 * Tom Davidson (SSA)
 * Wendy Laposata
 * - Eric Heflin (THSA)

Agenda:
 * Announcements
 * Reminder to review CP-SP-001-001
 * New NIST 800-63
 * Google issue tracker / FAQ updates
 * Test team artifacts review
 * Blocking issues
 * Goals for issuance of NwHIN Certificate Policy statement
 * New issue from the VA
 * Issuer Tec/Policy guidance (issue #170)
 * Guidance for Tec/policy certificate revocation latency issues (issue #171)
 * SAML 2.0 issue #6 working session
 * Round table

_Announcements_
 * Review [[file:CP-SP-001-001.docx]]; any feedback so far? Are organizations on track?
 * New NIST 800-63: NwHIN impact assessment?
 * Test team artifacts review

From Joe Lamy (open review by end of Jan): The ONC Standards and Interoperability Framework Testing Team has posted a draft test artifact for review by the Security and Privacy Workgroup. This artifact consists of test cases, checklists and data, covering the latest (3.0) versions of the Messaging Platform and Authorization Framework specifications.

The artifact is posted to the Testing Team page on the Exchange Specifications wiki: http://exchange-specifications.wikispaces.com/Testing+Team. Questions and issues may be added to the discussion tab for that page. The Testing Team also plans to be available for discussing this artifact at upcoming workgroup calls - please see the agenda for details.


 * Google issue tracker / FAQ updates

_Blocking issues_

_Goals for issuance of NwHIN Certificate Policy statement_


 * __New Topic: NwHIN Certificate Policy (CP)__

Federal Bridge CP

Topic: Should the NwHIN have an official CP?

Previously decided that the NwHIN Exchange indeed needs to issue a Certificate Policy. We also decided to first address higher-level objectives such as the need to support multiple CAs, self-governance, and/or Direct/Exchange support.

Goals
 * Need transparency
 * Process for revocation
 * Need to enable self-governance
 * Need to allow for multiple trust anchors / vendors in the future
 * We are currently addressing a number of these issues one at a time
 * It may be more efficient to address these policy issues in a batch
 * Enable security interoperability between Exchange and Direct
 * Most consistent policy that is well thought out
 * Latency
 * Revocation

Talking points
 * As we move towards self-governance this may help us
 * The current CP is vendor-controlled
 * The lack of a CP published by the NwHIN prevents transparency
 * The Direct Project has issued a minimal CP

Outstanding issues:
 * How is the cert policy OID enforced? Is this a stack layer issuer? At the application layer? Are these used informatively only?
 * Example scenario: The same issuer issues both Direct and Exchange certs. How can we enforce the right policy? What if an organization seeks to support Exchange but not allow Direct cert?
 * Need to determine if security/policy vendors ACTUALLY SUPPORT use of OIDs and policy determination.
 * Note that signing vs. encryption uses may need to be handled differently.
 * At this point we believe that we should differentiate based on the trust anchor points instead of OID white/black lists, based on our perception of broad vendor support.
 * What different types of certificates would need to be created?
 * Proxy/identity provider? WS-Federation/WS-Trust
 * Direct HISPs?
 * Direct or NwHIN Human end users?
 * Direct or NwHIN Organizations?
 * Machine?
 * CAs?
 * Preliminary decision: Direct interop is out of scope at this time. It's probably premature and it may not be needed.

__work stopped here today__

_New issue from the VA_

_Issuer Tec/Policy guidance (issue #170)_


 * Issue #170

Reviewed CP-SP-001-001: Need to have someone research the outstanding issue in the CP for final objections prior to sending it to the entire NwHIN Exchange Spec Factory. Two changes were identified: 1) we added more background text explaining that the change was partially driven by the need for more testable specifications; and 2) we discussed the potential need to further constrain the spec in terms of the issuer element. Both of these issues were documented in the CP. We took a vote, and no objections were raised to presenting it to the NwHIN Exchange Spec Factory to give them a one-month period to submit comments or raise objections (until the first NwHIN Exchange Spec Factory meeting in 2012). If no objections have been raised by then, CP-SP-001 will be presented to the NwHIN Policy/Technical committee for review.

What fields are required for X.509 v3? Anything? The  and the  are under consideration for Joe's name. Joe suggests decoupling this from his CP-SP-001-001 and perhaps addressing this issue elsewhere.

_Guidance for Tec/policy certificate revocation latency issues (issue #171)_

_SAML 2.0 issue #6 working session_

_Round table_


 * __Issue #171__

We discussed the below text today and decided that more clarity is needed, esp. in terms of common use of "validation". John M and Eric H are to create updated text via email for this group to consider next week.

Topic: X.509 Cert Revocation checking

Goal: Create official guidance for the NwHIN Policy/Technical WG to consider and hopefully approve.

Background: Below are draft recommendations regarding cert revocation from this week's NwHIN Policy/Technical WG call.

X.509 Digital Certificate Revocation Policies


 * 1. Verification Frequency

We will send the following text to the Sec and Priv WG for a 1 week review, and then the Spec Factory for a 1 month review prior to sending to the Policy/Technical Task Group.

Background for the NwHIN Policy/Technical Task Group: The process of validating a certificate is distinct from the process of checking the revocation status of a certificate. Validating a certificate is an internal IT process that determines whether a given certificate is within its validity period, is issued under a trusted trust anchor, is signed properly, is intact, etc. Checking the revocation status of a certificate involves using a trusted external source, such as a CRL or an OCSP responder network, to determine that a valid certificate has not been suspended or revoked. It is important to understand that a valid certificate can exist in revoked, suspended, or non-revoked status. Similarly, an invalid certificate (such as one that has expired) will not be revoked in most cases. Thus it is very important that implementers first check the validity of a certificate before checking its revocation status. It is incorrect to check the revocation status of a certificate until that certificate's validity has been confirmed.

Recommendations:

a) Validation checking frequency: Implementations should check the validity of the reciprocal exchange partner's certificate on each transaction.

b) Revocation checking frequency: Implementations should check the revocation status of the reciprocal exchange partner's certificate on each transaction.

Issue: The messaging platform specification requires that either a CRL or OCSP be used to check whether a certificate is still valid. The specification does not address how often an Exchange Participant should verify whether a certificate has been revoked.

Recommendation: The messaging platform specification should be revised to reflect the following:

A Participant shall verify certificate validity each time a transaction is established.

Impact: This approach assures that participants verify certificate validity before exchanging data. The benefit of verifying certificate status outweighs potential performance issues.
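The validate-then-check-revocation order described above, as an added example in Go using only the standard library (not code from the minutes or from the NwHIN specifications): it builds a constructed sample anchor, partner certificate and CRL, verifies the partner certificate against the anchor first, and consults the CRL only for a certificate that passed, treating a CRL that is not signed by the anchor or is past its nextUpdate as inconclusive rather than as "not revoked". The names, the 24-hour certificate validity and the one-hour CRL lifetime are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// checkPartnerCert validates first (validity period, chain to the anchor, signatures) and consults
// the CRL only if that passed: "invalid" means the CRL was never checked, "stale-crl" that it cannot be relied on.
func checkPartnerCert(leaf, root *x509.Certificate, crl *x509.RevocationList, now time.Time) string {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return "invalid" // e.g. expired or issued under an unknown anchor: revocation status is moot
	}
	// Latency caveat: a CRL not signed by the anchor, or past its nextUpdate, proves nothing.
	if err := crl.CheckSignatureFrom(root); err != nil || now.After(crl.NextUpdate) {
		return "stale-crl"
	}
	for _, rc := range crl.RevokedCertificates { // older field name, kept for toolchain compatibility
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return "revoked"
		}
	}
	return "good"
}
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
// buildPKI constructs sample data (not a real CA): an anchor, a partner certificate and a CRL that
// lists it when revokeLeaf is true. Certificate validity 24h and CRL lifetime 1h are assumed values.
func buildPKI(revokeLeaf bool) (root, leaf *x509.Certificate, crl *x509.RevocationList) {
	now := time.Now()
	caKey, leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Sample Anchor"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	root = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "partner.example"},
		KeyUsage: x509.KeyUsageDigitalSignature, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, caKey))))
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour)}
	if revokeLeaf { crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}} }
	crl = must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlTmpl, root, caKey))))
	return
}
```

An expired or untrusted certificate returns "invalid" without the CRL ever being read, which is the ordering the background text insists on; a production implementation would fetch the CRL or query OCSP instead of building one locally.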