Security and Privacy Workgroup Meetings Q1 2011


2011-03-25 T-con
Agenda: > Roll – 1 min
 * - Amram Ewoo
 * Andrew Weniger
 * Benson Chang
 * Bob Hall
 * - Chuck Hagen
 * Charles Ndunda
 * Dan Vigano
 * Dave Colbert
 * David Colins
 * - David Morris
 * Dave Arvin
 * David Roberts
 * Deborah Harris
 * Deborah Lafky
 * George Varghese
 * Gee Chia
 * Jeff Tunkel
 * Joe Lamy
 * John Donnelly
 * - John Moehrke
 * Josh Abraham
 * Kanwarpreet Sethi
 * Ken Salyards
 * Kiran
 * Karen Witting
 * Laure Tull
 * - Larry Burris
 * Les Westberg
 * Marty Prahl
 * Mastan Ketha
 * Michael Nenashev
 * Monalee Vyas
 * Neelie Bajaj
 * Nick Vennaro
 * Richard Ettema
 * Randy Sermons
 * Richard Thoreson
 * Sandy Stuart
 * Scott Robertson
 * Seonho Kim
 * Sergei Haramundanis
 * Seravina V
 * Steven Cason
 * Tom Davidson
 * Wendy Laposata
 * - Eric Heflin

Agenda:
 * RI team blocking issues (if any)
 * TT blocking issues (if any)
 * Triage outstanding issues from issue tracker
 * New issues
 * Roundtable

Meeting notes:

Eric brought up the question of how we get approval from the NwHIN Exchange for the SAML <Issuer> attribute issue. We are going to distribute the text below (from the meeting notes of last week's meeting) via email to the NwHIN Exchange "all hands" email list and then mention it on at least two weekly all-hands calls, seeking objections or changes. If none are raised, the text will move forward.

Closed issue #46. See the discussion page for details. In summary, the RI team was seeking a better prefix for namespaces such as S12 vs. SOAP12. We indicated that these conventions were inherited from base standards and specs such as those from the W3C.

The majority of today's call was devoted to a working session dealing with the SAML <Issuer> attribute. We directly edited the text (in the meeting notes for the call on the 18th), as can be seen below. It will now be sent out for a "vote".

The text below is being mailed to the full Spec Factory:

__Issue #1__

For issue number 1 in the issue tracker, as discussed at http://exchange-specifications.wikispaces.com/message/view/Spec+Factory+FAQ/32692914 and documented at http://exchange-specifications.wikispaces.com/Auth.+Framework-+Incorrect+Issuer, the Security and Privacy Workgroup is proposing the following changes to the Authorization Framework section 3.3.

Old text:

```text
4. The <Issuer> element shall identify the individual responsible for issuing the Assertions carried in the message. This element includes a NameID Format attribute which declares the format used to express the value contained in this element. This is normally the system security officer for the sending NHIO. SAML 2.0 NameID Formats are provided in Table 2 of this specification.
```

Proposed new text:

```text
4. Normative: The <Issuer> element is not constrained by this specification; it is only constrained by the underlying OASIS SAML 2.0 core specification (Assertions and Protocols for Security Assertion Markup Language (SAML) V2.0), referenced elsewhere in this document. As per SAML, the <Issuer> MUST specify the SAML authority that is making the claim(s) in the assertion. The issuer SHOULD be unambiguous to the intended relying parties.

Non-normative: The Nationwide Health Information Network, as of the time this text was written, has issued no policy constraining the <Issuer> element. In the absence of policy to the contrary, and based on historical evidence, implementers should use a NameIDType Format of "X.509 Subject Name" type as specified in 8.3.3 of the OASIS SAML 2.0 core specification. Use of "8.3.1 Unspecified" as a NameIDType Format is not recommended.
```

Proposed next steps: If the Spec Factory has no objections to the above proposed changes, we plan to confirm their correctness with the NIST and S&I Framework test teams, and then post them to the spec changes page on this wiki.

Also, I've confirmed that CONNECT 2.4.8 emits the following text (kindly provided from the Wright State log files, and cosmetically reformatted):

```text
CN=SAML User,OU=Harris,O=HITS,L=Melbourne,ST=FL,C=US
```

For the testing team, who brought forth this issue, our guidance is to automate testing to validate that the <Issuer> element conforms to section 8.3 of the SAML core spec. Because the <Issuer> element is not further constrained at this time, automatic validation of this field (or any programmatic use of it) is severely limited. The test team should inspect this value to ensure it is syntactically valid for the SAML Format value given. It should not be the default value of "CN=SAML User,OU=Harris,O=HITS,L=Melbourne,ST=FL,C=US", it should be a value unambiguously associated with the sending system's identity provider, and it should not be empty. As an additional optional test, we suggest that the test team manually review the <Issuer> value for "reasonableness"; it should, for example, not have a value of "test".

Outstanding issue: What is this element used for by the receiver? Is it automatically used for validation, or is it just for logging purposes? We feel it is not being used at this time for any type of validation, just for logging. The general IHE approach is that one primary purpose of SAML assertions today, including the <Issuer> element, is to produce a higher-fidelity log file, not necessarily to enable programmatic use of all SAML elements (yet).

Idea: Have the TT or other onboarding team issue a statement that a test value may be used for testing purposes, but that the production <Issuer> must be a valid identifier as per 8.3 in the SAML spec.



2011-03-18 T-con
Agenda: > Roll – 1 min
 * Amram Ewoo
 * Andrew Weniger
 * Benson Chang
 * - Bob Hall
 * Chuck Hagen
 * Charles Ndunda
 * Dan Vigano
 * Dave Colbert
 * David Colins
 * - David Morris
 * Dave Arvin
 * David Roberts
 * Deborah Harris
 * Deborah Lafky
 * George Varghese
 * Gee Chia
 * Jeff Tunkel
 * Joe Lamy
 * John Donnelly
 * - John Moehrke
 * Josh Abraham
 * Kanwarpreet Sethi
 * Ken Salyards
 * Kiran
 * Karen Witting
 * Laure Tull
 * Les Westberg
 * Marty Prahl
 * Mastan Ketha
 * Michael Nenashev
 * - Monalee Vyas
 * Neelie Bajaj
 * Nick Vennaro
 * Richard Ettema
 * Randy Sermons
 * Richard Thoreson
 * Sandy Stuart
 * Scott Robertson
 * Seonho Kim
 * - Sergei Haramundanis
 * Seravina V
 * Steven Cason
 * Tom Davidson
 * Wendy Laposata
 * - Eric Heflin

Agenda:
 * RI team blocking issues (if any)
 * TT blocking issues (if any)
 * Triage outstanding issues from issue tracker
 * New issues
   * DSig for esMD
 * Roundtable

Meeting notes:


__Issue Disposition__

RI team issue number 46 is likely to block the RI team.

__Issue #1__

For issue number 1 in the issue tracker, as discussed at http://exchange-specifications.wikispaces.com/message/view/Spec+Factory+FAQ/32692914 and documented at http://exchange-specifications.wikispaces.com/Auth.+Framework-+Incorrect+Issuer, I'm proposing the following changes to the Authorization Framework section 3.3 from:

```text
4. The <Issuer> element shall identify the individual responsible for issuing the Assertions carried in the message. This element includes a NameID Format attribute which declares the format used to express the value contained in this element. This is normally the system security officer for the sending NHIO. SAML 2.0 NameID Formats are provided in Table 2 of this specification.
```

To:

```text
4. Normative: The <Issuer> element is not constrained by this specification; it is only constrained by the underlying OASIS SAML 2.0 core specification (Assertions and Protocols for Security Assertion Markup Language (SAML) V2.0), referenced elsewhere in this document. As per SAML, the <Issuer> MUST specify the SAML authority that is making the claim(s) in the assertion. The issuer SHOULD be unambiguous to the intended relying parties.
```

Non-normative: The Nationwide Health Information Network, as of the time this text was written, has issued no policy constraining the <Issuer> element. In the absence of policy to the contrary, and based on historical evidence, implementers should use a NameIDType Format of "X.509 Subject Name" type as specified in 8.3.3 of the OASIS SAML 2.0 core specification. Use of "8.3.1 Unspecified" as a NameIDType Format is not recommended.

Proposed next steps: If the Sec and Priv WG is comfortable with the above changes, I plan to confirm them with the NIST and S&I framework test teams, and then post them to the spec changes page on this wiki.

Also, I've confirmed that CONNECT 2.4.8 emits the following text (kindly provided from the Wright State log files, and cosmetically reformatted):

```xml
<!-- Namespace declaration, the opening <saml2:Issuer> tag and the closing
     </saml2:Assertion> were lost in the wiki export and are restored here;
     the notes quote only the Issuer portion of the assertion. -->
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="q47df7c0a-ff3e-4b26-baeb-f2910f6d05a9"
    IssueInstant="2009-04-16T13:10:39.093Z" Version="2.0">
  <saml2:Issuer>CN=SAML User,OU=Harris,O=HITS,L=Melbourne,ST=FL,C=US</saml2:Issuer>
  <!-- remainder of the assertion omitted -->
</saml2:Assertion>
```

For the testing team, who brought forth this issue, our guidance is to automate testing to validate that the <Issuer> element conforms to section 8.3 of the SAML core spec. Because the <Issuer> element is not further constrained at this time, automatic validation of this field (or any programmatic use of it) is severely limited. The test team should inspect this value to ensure it is syntactically valid for the SAML Format value given. It should not be the default value of "CN=SAML User,OU=Harris,O=HITS,L=Melbourne,ST=FL,C=US", it should be a value unambiguously associated with the sending system's identity provider, and it should not be empty. As an additional optional test, we suggest that the test team manually review the <Issuer> value for "reasonableness"; it should, for example, not have a value of "test".

Outstanding issue: What is this element used for by the receiver? Is it automatically used for validation? Or is it just for logging purposes? We feel it is not being used at this time for any type of validation, just for logging.

Idea: Have the TT or other onboarding team issue a statement that a test value may be used for testing purposes, but that the <Issuer> must be a valid identifier as per 8.3 in the SAML spec.

IHE approach is that one primary purpose of SAML assertions today is to have a higher fidelity log file.
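An added example, not part of the workgroup notes or of any test-team tooling, of the automated <Issuer> checks the guidance above asks for (here and in the 2011-03-25 mailing text): Format-aware syntax validation per SAML core section 8.3, plus rejection of the CONNECT default value, empty values and placeholders such as "test". The NameID Format URIs are those defined in the OASIS SAML 2.0 core spec; the two sample assertions are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
ISSUER_TAG = "{%s}Issuer" % SAML2

# NameID Format URIs defined in OASIS SAML 2.0 core, section 8.3.
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"      # 8.3.1
FMT_X509_SUBJECT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"  # 8.3.3
FMT_ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"                 # 8.3.6

# Values the notes say must not appear in a production <Issuer>.
CONNECT_DEFAULT = "CN=SAML User,OU=Harris,O=HITS,L=Melbourne,ST=FL,C=US"
PLACEHOLDERS = {"test"}

# One RDN of an RFC 2253 string DN: attribute type (name or dotted OID), '=', value.
_RDN = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)\s*=\s*.+$")
_URI = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:\S+$")


def split_dn(dn):
    """Split a string DN into RDNs, honouring backslash-escaped commas."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    return rdns


def is_valid_dn(dn):
    """True when every RDN has the TYPE=value shape (syntax only, no semantics)."""
    return bool(dn.strip()) and all(_RDN.match(r) for r in split_dn(dn))


def check_issuer(xml_text):
    """Run the test-team checks on an assertion (or a bare <Issuer>).

    Returns a list of findings; an empty list means the Issuer passed.
    """
    root = ET.fromstring(xml_text)
    issuer = root if root.tag == ISSUER_TAG else root.find(ISSUER_TAG)
    if issuer is None:
        return ["no <Issuer> element"]
    value = (issuer.text or "").strip()
    if not value:
        return ["empty <Issuer> value"]
    # SAML core 2.2.5: an <Issuer> without a Format attribute is in the entity format.
    fmt = issuer.get("Format", FMT_ENTITY)
    findings = []
    if value == CONNECT_DEFAULT:
        findings.append("Issuer is the CONNECT 2.4.8 default, not the sender's identity provider")
    if value.lower() in PLACEHOLDERS:
        findings.append("Issuer %r looks like a placeholder" % value)
    if fmt == FMT_UNSPECIFIED:
        findings.append("Format 'unspecified' (8.3.1) is not recommended; use X509SubjectName (8.3.3)")
    elif fmt == FMT_X509_SUBJECT:
        if not is_valid_dn(value):
            findings.append("Format is X509SubjectName but the value is not a syntactically valid DN")
    elif fmt == FMT_ENTITY:
        if len(value) > 1024 or not _URI.match(value):
            findings.append("entity format (8.3.6) requires a URI of at most 1024 characters")
    else:
        findings.append("unrecognised NameID Format %r" % fmt)
    return findings


# Constructed sample assertions (not taken from any real log file).
DEFAULT_ISSUER_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" IssueInstant="2011-03-18T12:00:00Z" Version="2.0">
  <saml2:Issuer>CN=SAML User,OU=Harris,O=HITS,L=Melbourne,ST=FL,C=US</saml2:Issuer>
</saml2:Assertion>"""

GOOD_ISSUER_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed2" IssueInstant="2011-03-18T12:00:00Z" Version="2.0">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
    >CN=Example HIO STS,O=Example Health Information Organization,C=US</saml2:Issuer>
</saml2:Assertion>"""

if __name__ == "__main__":
    for label, doc in (("default", DEFAULT_ISSUER_ASSERTION), ("good", GOOD_ISSUER_ASSERTION)):
        print(label, check_issuer(doc) or "OK")
```

The DN check is syntax only, as the notes ask; whether the subject name really belongs to the sending HIO's identity provider is still the manual "reasonableness" review.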

__Issue #2__

A new issue is in our pipeline: using some type of digital signature to attest to an action, such as a provider attesting to the accuracy of a document, or that a provider has reviewed a document, etc. John M has identified a number of issues across the entire system needed to support this functionality (training of end users, development costs for EMRs to add this functionality, PKI costs, certificate issuance, workflow, social costs and aspects of a digital signature vs. a wet signature, how long certificate revocation information should be maintained (100 years or more), consistent time, identity proofing, and more). One interesting idea is the use of a "signature service" such as the one created by the USPS.

Another approach is to suggest that our current infrastructure, with audit logs and procedures, is sufficient to meet CMS requirements.

Perhaps suggest two approaches with their tradeoffs and then let CMS choose the approach.

The DEA e-signature infrastructure for Schedule II medications may perhaps be leveraged. John's blog has a relevant entry: http://healthcaresecprivacy.blogspot.com/2010/11/signing-cda-documents.html



2011-03-11 T-con
Agenda: > Roll – 1 min
 * Amram Ewoo
 * Andrew Weniger
 * - Benson Chang
 * Chuck Hagen
 * Charles Ndunda
 * Dan Vigano
 * Dave Colbert
 * David Colins
 * David Morris
 * Dave Arvin
 * David Roberts
 * Deborah Harris
 * Deborah Lafky
 * George Varghese
 * Gee Chia
 * Jeff Tunkel
 * Joe Lamy
 * John Donnelly
 * John Moehrke
 * Josh Abraham
 * - Kanwarpreet Sethi
 * Ken Salyards
 * Kiran
 * Karen Witting
 * Laure Tull
 * Les Westberg
 * Marty Prahl
 * Mastan Ketha
 * Michael Nenashev
 * - Monalee Vyas
 * Neelie Bajaj
 * Nick Vennaro
 * Richard Ettema
 * Randy Sermons
 * - Richard Thoreson
 * Sandy Stuart
 * Scott Robertson
 * Seonho Kim
 * Sergei Haramundanis
 * Seravina V
 * Steven Cason
 * - Tom Davidson
 * Wendy Laposata
 * - Eric Heflin

Agenda:
 * RI team blocking issues (if any)
 * TT blocking issues (if any)
 * Any new issues
 * Triage outstanding issues from issue tracker
 * Roundtable

Meeting notes: At 7 after the hour the meeting was canceled due to lack of quorum. (Only 4 people were in attendance at that time.)



2011-03-07 T-con
Agenda: > Roll – 1 min
 * - Amram Ewoo
 * Andrew Weniger
 * - Benson Chang
 * - Chuck Hagen
 * Charles Ndunda
 * Dan Vigano
 * Dave Colbert
 * David Colins
 * - David Morris
 * - Dave Arvin
 * David Roberts
 * Deborah Harris
 * Deborah Lafky
 * George Varghese
 * Gee Chia
 * Jeff Tunkel
 * Joe Lamy
 * John Donnelly
 * John Moehrke
 * Josh Abraham
 * Kanwarpreet Sethi
 * Ken Salyards
 * Kiran
 * - Karen Witting
 * Laure Tull
 * Les Westberg
 * Marty Prahl
 * Mastan Ketha
 * Michael Nenashev
 * Monalee Vyas
 * Neelie Bajaj
 * - Nick Vennaro
 * Richard Ettema
 * Randy Sermons
 * Richard Thoreson
 * Sandy Stuart
 * - Scott Robertson
 * Seonho Kim
 * Sergei Haramundanis
 * Seravina V
 * Steven Cason
 * Tom Davidson
 * Wendy Laposata
 * - Eric Heflin

Agenda:
 * Review v4 of the package
 * Q&A to Deloitte
 * Roundtable

Held a review of the v4 package. Held a working session to fix identified issues on-the-fly (mostly editorial). New v5 is posted to the Wiki. Added a new "project" taxonomy. Decided to move forward with current package, as posted on this Wiki. We plan to show the package this week on the all-hands call to ensure everyone is on-board.



2011-03-04 T-con
Agenda: > Roll – 1 min
 * - Amram Ewoo
 * Andrew Weniger
 * - Benson Chang
 * - Chuck Hagen
 * Charles Ndunda
 * Dan Vigano
 * Dave Colbert
 * David Colins
 * - David Morris
 * David Roberts
 * Deborah Harris
 * Deborah Lafky
 * George Varghese
 * Gee Chia
 * Jeff Tunkel
 * Joe Lamy
 * John Donnelly
 * John Moehrke
 * - Josh Abraham
 * - Kanwarpreet Sethi
 * Ken Salyards
 * Kiran
 * Karen Witting
 * Laure Tull
 * Les Westberg
 * Marty Prahl
 * - Mastan Ketha
 * Michael Nenashev
 * Monalee Vyas
 * Neelie Bajaj
 * Nick Vennaro
 * - Richard Ettema
 * Randy Sermons
 * Richard Thoreson
 * Sandy Stuart
 * Scott Robertson
 * Seonho Kim
 * - Sergei Haramundanis
 * Seravina V
 * Steven Cason
 * Tom Davidson
 * Wendy Laposata
 * - Eric Heflin

Agenda:
 * Announcements
 * New Aegis team SAML versions issues
 * Blocking RI team issues
 * Blocking TT issues
 * Final disposition of issues list items 1, 2, 5, and 39
 * Roundtable

New version team is forming, meeting next Wed. All are welcome to join.

The SAML elements appear to be issued in the wrong order.
 * 1) Documented elsewhere (insert link).
 * 2) Aegis suspects this may be a breaking change. Need to confirm. KP in particular may be affected.
 * 3) When do we roll this out? What is the impact to all? Need to ensure the entire Spec Factory has the chance to assess the impact on their implementation.

Possible solution path:
 * 1) Correct the examples in the AF spec.
 * 2) Make it clear to the community that non-normative text is not authoritative.
 * 3) Ask the NwHIN community for an impact assessment.
 * 4) Fix CONNECT and release. CONNECT will test this ordering fix as the RI to assess whether it breaks CONNECT.
 * 5) Put this issue in a release note for the Q1 2011 package.

Aegis has researched the issue (Jira ticket 322) whereby PurposeForUse is used vs. PurposeOfUse. On the inbound side: it appears that CONNECT successfully parses both versions, since they are intended for use by customized versions of CONNECT; the default CONNECT install ignores these values in all current shipping versions. On the outbound side, CONNECT will, in the next release, be configurable to use zero, one, the other, or both elements. The default, if the property is not overridden, is to use PurposeOfUse (which is correct). NEED TO DOCUMENT.

A related issue is that the type of the attribute is not being declared. Tom D will research this issue.



2011-02-28 T-con
Agenda: > Roll – 1 min
 * - Amram Ewoo
 * Andrew Weniger
 * Benson Chang
 * - Chuck Hagen
 * Charles Ndunda
 * Dan Vigano
 * Dave Colbert
 * David Colins
 * - David Morris
 * - David Roberts
 * Deborah Harris
 * Deborah Lafky
 * George Varghese
 * Gee Chia
 * Jeff Tunkel
 * Joe Lamy
 * John Donnelly
 * John Moehrke
 * - Kanwarpreet Sethi
 * - Ken Salyards
 * Kiran
 * Karen Witting
 * Laure Tull
 * Les Westberg
 * Marty Prahl
 * Michael Nenashev
 * Monalee Vyas
 * Neelie Bajaj
 * Nick Vennaro
 * Randy Sermons
 * Richard Thoreson
 * - Sandy Stuart
 * - Scott Robertson
 * Seonho Kim
 * Sergei Haramundanis
 * Seravina V
 * Steven Cason
 * Tom Davidson
 * Wendy Laposata
 * - Eric Heflin

Goal: Finalize the Q1 2011 package definition

Agenda:
 * Recap prior feedback from Dr. Fridsma
 * Act on actionable items

Meeting minutes: Amram will send a version of the delta between the 2010 production spec and the Q1 2011 package to the Spec Factory, to provide transparency and give all a chance to provide feedback (approval, objections, etc.).

This package will be the official 2011 Q1 Production Specifications release.

Eric will update the table of contents to remove unused leaf nodes, and mark currently unused nodes with a "- TBD" to indicate that we anticipate using them in the future. A new v4 release will be posted today.

Models will be included, and clearly marked as DRAFT, NON-NORMATIVE.



2011-02-25 T-con
Agenda: > Roll – 1 min
 * - Amram Ewoo
 * Andrew Weniger
 * - Benson Chang
 * - Chuck Hagen
 * Charles Ndunda
 * Dan Vigano
 * Dave Colbert
 * David Colins
 * David Morris
 * David Roberts
 * Deborah Harris
 * Deborah Lafky
 * George Varghese
 * Gee Chia
 * Jeff Tunkel
 * Joe Lamy
 * John Donnelly
 * John Moehrke
 * Kanwarpreet Sethi
 * Kiran
 * Karen Witting
 * - Laure Tull
 * Les Westberg
 * Marty Prahl
 * Michael Nenashev
 * - Monalee Vyas
 * Neelie Bajaj
 * Nick Vennaro
 * Randy Sermons
 * - Richard Thoreson
 * Sandy Stuart
 * - Scott Robertson
 * Seonho Kim
 * - Sergei Haramundanis
 * Seravina V
 * Steven Cason
 * - Tom Davidson
 * Wendy Laposata
 * Eric Heflin

Agenda:
 * Announcements – Benson
   * ONC stated clearly that the Nationwide Health Information Network Exchange and the Direct Project
   * ONC booth well attended
   * NTC meeting on Monday
   * Coordinating Committee meeting today
   * Next meeting NTC Mar 28th, CC Mar 25th
   * The snapshot of documents approved as of early next week will go into the 2011 Q1 package
   * The packaging WG needs to re-convene to finish the work for the Q1 package
   * Benson will announce a new meeting next Monday
 * Recap of our HIMSS discussion – Tom
   * Met this week in person at HIMSS (small group)
   * Notes posted to this Wiki
   * Karen pointed out that the current Web Services spec lists versioning info
     * Is this being used by anyone?
   * Tom reviewed the document in detail
   * Using PurposeOfUse vs. PurposeForUse to force this issue to be addressed
   * The profile may, for example, include the version of the SAML header
 * RI blocking issues – RI team
 * TT blocking issues – TT
 * CONNECT PurposeForUse implementation guidance for Aegis
 * Review of items in Google docs – Eric
 * Roundtable



2011-01-28 T-con
Proposed Agenda: > Roll – 1 min
 * - Amram Ewoo
 * Andrew Weniger
 * - Benson Chang
 * Chuck Hagen
 * Charles Ndunda
 * - Dan Vigano
 * Dave Colbert
 * David Colins
 * - David Morris
 * David Roberts
 * Deborah Harris
 * - Deborah Lafky
 * George Varghese
 * Gee Chia
 * Jeff Tunkel
 * Joe Lamy
 * John Donnelly
 * - John Moehrke
 * - Kanwarpreet Sethi
 * Kiran
 * Karen Witting
 * Laure Tull
 * Les Westberg
 * Marty Prahl
 * Michael Nenashev
 * - Monalee Vyas
 * Neelie Bajaj
 * Nick Vennaro
 * Randy Sermons
 * Richard Thoreson
 * Sandy Stuart
 * Scott Robertson
 * Seonho Kim
 * Seravina V
 * Steven Cason
 * - Tom Davidson
 * Wendy Laposata
 * - Eric Heflin

Agenda:
 * 1) NTC Authorization Framework spec discussion
 * 2) S&I Framework Testing Team new issues
 * 3) S&I Framework RI team new issues
 * 4) TLS feedback discussion
 * 5) Discuss John's suggestion from last week (using OID to provide evidence doc ref)
 * 6) Roundtable

Meeting notes:

1) Quick update on the NTC discussion for our specs. They included our updated PurposeForUse vs. PurposeOfUse warning text. It should be published on the HHS web site in about 6 weeks. The group discussed using this issue as a "lightning rod" to facilitate the larger issue of version upgrades and the NHIN Coordinating Committee. We suggested that the RI team implement both on the receiving side and make it a configuration option to send one or the other. Outstanding issue: we need to establish a support and sunset date. Is this a use case for the support of end-point capabilities, such as end-point responding vs. initiating?

2-3) Any RI and TT Review backlog.

The RI team has discovered an apparent contradiction in the AF 2010 production spec. The subject-id in 3.3.2.1 is different than. This topic needs more research. The base specs (XSPA and XACML) appear to have contradictions. This is likely a breaking change.

```xml
<saml:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:subject-id">
  <saml:AttributeValue>Walter H.Brattain IV</saml:AttributeValue>
</saml:Attribute>
```

3.3.2.9 Attribute Statement Example

```xml
<saml:AttributeStatement>
  <saml:Attribute Name="urn:oasis:names:tc:xacml:1.0:subject:subject-id">
    <saml:AttributeValue>Dr Joe Smith</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization">
    <saml:AttributeValue>Best Clinic</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id">
    <saml:AttributeValue>urn:oid: 2.16.840.1.113883.3.18.101</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:nhin:names:saml:homeCommunityId">
    <saml:AttributeValue>
    <!-- the quoted example is cut off here in the notes -->
```

New issue: The RI team has found an issue whereby the WSDL is not well formed and is inconsistent. A suggestion was made to pull the current CONNECT implementation as a pragmatic starting point. We need to include WSDLs with the NHIN 2010 production specs.

http://exchange-specifications.wikispaces.com/message/view/Spec+Factory+FAQ/33130480

4) TLS draft text. (The current draft text is at: TLS Encryption Clarification). a) Suggestion to add a specific TLS version and crypto family. Possibly for testing purposes. b) Question from several people regarding requirement to use FIPS if they are not exchanging with federal entities.

5) Discuss next steps in using an attribute for policy identification. We will discuss this on our next Sec and Priv WG call, and again in a few weeks, and make a recommendation once we have consensus at our level.

6) Other topics.



2011-01-28 T-con
Agenda: > Roll – 1 min
 * - Amram Ewoo
 * Andrew Weniger
 * - Benson Chang
 * - Chuck Hagen
 * Charles Ndunda
 * - Dan Vigano
 * Dave Colbert
 * David Colins
 * David Morris
 * David Roberts
 * Deborah Harris
 * Deborah Lafky
 * George Varghese
 * Gee Chia
 * Jeff Tunkel
 * Joe Lamy
 * John Donnelly
 * John Moehrke
 * Kanwarpreet Sethi
 * Kiran
 * Karen Witting
 * Laure Tull
 * Les Westberg
 * Marty Prahl
 * - Michael Nenashev
 * - Monalee Vyas
 * Neelie Bajaj
 * Nick Vennaro
 * - Randy Sermons
 * Richard Thoreson
 * Sandy Stuart
 * Scott Robertson
 * Seonho Kim
 * Seravina V
 * Steven Cason
 * - Tom Davidson
 * Wendy Laposata
 * - Eric Heflin

Agenda:
   * Note: Didn't consider the current situation; the spec is correct in the normative section but all implementations are incorrect.
 * 1) TLS feedback discussion
 * 2) S&I Framework Testing Team new issues
 * 3) S&I Framework RI team new issues
 * 4) Discuss John's suggestion from last week (using OID to provide evidence doc ref)
 * 5) Working session to draft SAML OASIS spec text - postponed
 * 6) Review Coordinating Committee change management process they approved yesterday w/o public comment
 * 7) Roundtable

1) The TLS text received some feedback that needs to be discussed and addressed. a) Suggestion to add a specific TLS version, possibly for testing purposes. b) Question from several people regarding the requirement to use FIPS if they are not exchanging with federal entities. The current draft text is at: TLS Encryption Clarification. On the call today I'd like to consider both of these issues and resolve them, and draft new text (if needed) to sufficiently address these issues.

2-3) RI and TT Review backlog.

4) Discuss idea of using an attribute for policy identification. See the sample below of purposeofuse attribute. I believe what is being proposed is to use a similar structure for expressing the policy associated with a decision.

```xml
<!-- xmlns:xsi is declared here so the fragment is well formed on its own; the
     original sample relied on a declaration on an enclosing element. -->
<saml:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:purposeofuse">
  <saml:AttributeValue>
    <xua:PurposeOfUse xmlns:xua="urn:ihe:iti:xua:2010"
        xmlns:hl7v3="urn:hl7-org:v3"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="hl7v3:CE"
        code="12"
        codeSystem="1.0.14265.1"
        codeSystemName="ISO 14265 Classification of Purposes for processing personal health information"
        displayName="Law Enforcement"/>
  </saml:AttributeValue>
</saml:Attribute>
```



2011-01-21 T-con
Agenda: > Roll – 1 min Topics: > CONNECT team > Used this timeslot to discuss S&I Framework Testing Team new issues > SAML OASIS SSTC > Updates/questions about the SAML TC/RI workgroup > Benson newbie session update > Roundtable
 * - Amram Ewoo
 * - Andrew Weniger
 * - Benson Chang
 * - Chuck Hagen
 * Charles Ndunda
 * Dan Vigano
 * - Dave Colbert
 * David Colins
 * - David Morris
 * David Roberts
 * Deborah Harris
 * Deborah Lafky
 * George Varghese
 * Gee Chia
 * - Jeff Tunkel
 * - Joe Lamy
 * John Donnelly
 * - John Moehrke
 * - Kanwarpreet Sethi
 * Kiran
 * Karen Witting
 * - Laure Tull
 * Les Westberg
 * Marty Prahl
 * - Michael Nenashev
 * Monalee Vyas
 * Neelie Bajaj
 * Nick Vennaro
 * Richard Thoreson
 * - Sandy Stuart
 * Scott Robertson
 * Seonho Kim
 * Seravina V
 * Steven Cason
 * Tom Davidson
 * - Wendy Laposata
 * - Eric Heflin

John M: IHE alternative: provide the same functionality, but without the embedded SAML assertion, by using the privacy OID as an attribute of the context. A similar approach with a different evidence method would be via a policy OID or privacy OID. This may become an IHE Change Proposal. Next step: create draft text for circulation to NHINE participants for initial feedback. John M will send the draft and/or final CP text when available. This would apply to the XUA++ profile. Question: Is there a use case for the NHINE for an embedded SAML assertion?

EJH action item: write new SAML OASIS core 2 spec draft text.

Benson: The "newbie call" is being posted to various ONC list serves and is expected to be well attended. Tom D will facilitate (lead) the call. Benson's team will capture detailed notes. The call will be 3-4 Eastern on the 26th.

Joe L: The testing team has some new issues. Mario's team is looking for some SAML issue guidance. They are seeking a status update on the Exchange governance policy on updates and especially breaking changes. This topic is on the next NTC call. The last policy and technical task group discussed this, but the discussion is not complete. Joe suggests we issue a statement of what we consider acceptable. We also discussed issuing an initial draft migration strategy document to start the discussion, perhaps as an addendum in the documentation set. John M agrees on a transition strategy approach, such as stating that relying parties should look at both for a period of time (e.g. PurposeOfUse vs. PurposeForUse). As a cross-check we'll vet our proposed policy against existing known issues facing us. Decision: We agreed to have the Spec Factory all-hands group form a new (short-lived) subcommittee to draft this text.
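An added example, not CONNECT code or text from these notes, of the transition strategy just described and of the PurposeForUse/PurposeOfUse handling discussed in the 2011-03-04 and 2011-01-28 entries, in Python: the relying-party side accepts either coded-element spelling, flags a missing xsi:type declaration and logs which spelling it saw, and the sending side is configurable to emit one spelling or both, mirroring the CONNECT switch. The attribute name and namespace URIs come from the sample on this page; the two sample statements and the legacy sample's code-system OID are constructed.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
XUA = "urn:ihe:iti:xua:2010"
HL7V3 = "urn:hl7-org:v3"
PURPOSE_ATTR = "urn:oasis:names:tc:xspa:1.0:subject:purposeofuse"
# Coded-element spellings a relying party accepts during the transition period:
# the XSPA/XUA "PurposeOfUse" and the legacy "PurposeForUse" copied from the AF examples.
ACCEPTED = ("PurposeOfUse", "PurposeForUse")


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def extract_purpose_of_use(xml_text):
    """Relying-party side. Returns (purpose, warnings).

    purpose holds the coded value; warnings are transition-period findings to log.
    Raises ValueError when no usable value exists or the two spellings disagree.
    """
    root = ET.fromstring(xml_text)
    for attr in root.iter("{%s}Attribute" % SAML):
        if attr.get("Name") != PURPOSE_ATTR:
            continue
        found, warnings = [], []
        for value in attr.findall("{%s}AttributeValue" % SAML):
            for child in value:
                name = _local(child.tag)
                if name not in ACCEPTED:
                    warnings.append("unexpected element %s in purposeofuse" % name)
                    continue
                if child.get("code") is None or child.get("codeSystem") is None:
                    raise ValueError("%s lacks code or codeSystem" % name)
                if child.get("{%s}type" % XSI) is None:   # the undeclared-type issue
                    warnings.append("%s carries no xsi:type (expected hl7v3:CE)" % name)
                if name == "PurposeForUse":
                    warnings.append("legacy PurposeForUse accepted; sender should move to PurposeOfUse")
                found.append({"element": name, "code": child.get("code"),
                              "codeSystem": child.get("codeSystem"),
                              "displayName": child.get("displayName")})
        if not found:
            raise ValueError("purposeofuse attribute carries no coded value")
        if len({(p["code"], p["codeSystem"]) for p in found}) > 1:
            raise ValueError("conflicting purpose-of-use values, refusing to guess")
        return found[0], warnings
    raise ValueError("no purposeofuse attribute present")


def build_purpose_attribute(code, code_system, display_name, elements=("PurposeOfUse",)):
    """Sending side: emit one coded element per configured spelling (one, the other or both)."""
    parts = ['<saml:Attribute xmlns:saml="%s" Name="%s">' % (SAML, PURPOSE_ATTR)]
    for name in elements:
        if name not in ACCEPTED:
            raise ValueError("unknown spelling %s" % name)
        parts.append(
            '<saml:AttributeValue><xua:%s xmlns:xua="%s" xmlns:hl7v3="%s" xmlns:xsi="%s" '
            'xsi:type="hl7v3:CE" code=%s codeSystem=%s displayName=%s/></saml:AttributeValue>'
            % (name, XUA, HL7V3, XSI, quoteattr(code), quoteattr(code_system), quoteattr(display_name)))
    parts.append("</saml:Attribute>")
    return "".join(parts)


# Constructed samples. The first mirrors the sample on this page; the second uses the
# legacy spelling without xsi:type and a made-up code-system OID.
XUA_STYLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:purposeofuse">
    <saml:AttributeValue>
      <xua:PurposeOfUse xmlns:xua="urn:ihe:iti:xua:2010" xmlns:hl7v3="urn:hl7-org:v3"
          xsi:type="hl7v3:CE" code="12" codeSystem="1.0.14265.1" displayName="Law Enforcement"/>
    </saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

LEGACY_STYLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:purposeofuse">
    <saml:AttributeValue>
      <hl7:PurposeForUse xmlns:hl7="urn:hl7-org:v3" code="TREATMENT"
          codeSystem="1.2.3.4.5" displayName="Treatment"/>
    </saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""
```

The warnings are meant for the audit log, which is where the notes say the sunset date for the legacy spelling can later be enforced by turning the legacy warning into a rejection.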



2011-01-10 T-con
Proposed Agenda: > Roll – 1 min Topics: > Announcement no meeting this Friday > Used this timeslot to discuss S&I Framework Testing Team new issues > SAML OASIS SSTC > Updates/questions about the SAML TC/RI workgroup > Two new questions from the Testing Team >> Transforms >> X.509 token profile > Roundtable
 * Amram Ewoo
 * - Benson Chang
 * - Chuck Hagen
 * - Charles Ndunda
 * Dan Vigano
 * - Dave Colbert
 * David Colins
 * - David Morris
 * - David Roberts
 * Deborah Harris
 * Deborah L
 * - George Varghese
 * Gee Chia
 * Jeff Tunkel
 * - Joe Lamy
 * John Donnelly
 * John Moehrke
 * - Kanwarpreet Sethi
 * - Kiran
 * Karen Witting
 * Laure Tull
 * Les Westberg
 * Marty Prahl
 * Michael Nenashev
 * - Monalee Vyas
 * Neelie Bajaj
 * Nick Vennaro
 * - Richard Thoreson
 * Sandy Stuart
 * Scott Robertson
 * Seonho Kim
 * - Seravina V
 * Steven Cason
 * Tom Davidson
 * Wendy Laposata
 * - Eric Heflin



2011-01-07 T-con
Agenda: > Roll – 1 min > Review new NIEM package > Working session to construct new version 3 > Publish v3 to the Wiki > Determine next steps > Broken Wiki links > Round table > Any new topics? > Recap plan for next week – 1 min
 * - Amram Ewoo
 * - Benson Chang
 * Chuck Hagen
 * Dan Vigano
 * Dave Colbert
 * David Colins
 * David Morris
 * David Roberts
 * Deborah Harris
 * - Deborah L
 * George Varghese
 * Gee Chia
 * Jeff Tunkel
 * Joe Lamy
 * John Donnelly
 * - John Moehrke
 * - Kanwarpreet Sethi
 * Karen Witting
 * - Laure Tull
 * Les Westberg
 * Marty Prahl
 * - Michael Nenashev
 * Monalee Vyas
 * Neelie Bajaj
 * Nick Vennaro
 * Sandy Stuart
 * Scott Robertson
 * Seonho Kim
 * Steven Cason
 * Tom Davidson
 * Wendy Laposata
 * - Eric Heflin



2011-01-03 T-con
Agenda: > Roll – 1 min > Review new NIEM package > Working session to construct new version 3 > Publish v3 to the Wiki > Determine next steps > Broken Wiki links > Round table > Any new topics? > Recap plan for next week – 1 min
 * - Amram Ewoo
 * - Benson Chang
 * Chuck Hagen
 * - Dan Vigano
 * - Dave Colbert
 * David Colins
 * David Morris
 * David Roberts
 * Deborah Harris
 * George Varghese
 * - Gee Chia
 * Jeff Tunkel
 * Joe Lamy
 * - John Donnelly
 * - John Moehrke
 * Kanwarpreet Sethi
 * Karen Witting
 * Laure Tull
 * - Les Westberg
 * Marty Prahl
 * Michael Nenashev
 * - Monalee Vyas
 * Neelie Bajaj
 * - Nick Vennaro
 * - Sandy Stuart
 * - Scott Robertson
 * - Seonho Kim
 * Steven Cason
 * Tom Davidson
 * - Wendy Laposata
 * - Eric Heflin

Meeting notes:

What license should be used for the NIEM package? BSD? BSD-like (such as the one adopted by CONNECT)?

Put testing guidance in the Excel spreadsheet documenting each attribute in the specifications.

Decided that version v3 of the package was ready for broader feedback. Next step: take the current package to the NHIN Exchange Spec Factory All Hands call to present it and get feedback. Then, depending on the results, the next step is probably to set up a demo with the ONC (Dr. Fridsma?) for more feedback.