Certificate Discovery of Directed Exchange SWG Meeting Minutes 2011-06-20


**Meeting Date:** 06/20/2011
**Meeting Title:** PD Certificate Discovery for Directed Exchange SWG Meeting Session 2

**Agenda/Objectives:**

|| **Topic** || **Time Allotted** ||
|| Parking Lot Items on Use Case || 40 minutes ||
|| Consensus Process and Timeline || 15 minutes ||
|| Harmonization Work || 25 minutes ||
|| Sprint Team Logistics || 5 minutes ||
|| Next steps || 5 minutes ||

**Attendees:**
__Workgroup Attendees:__ John Williams, Lin Wan, Scott Chapin, Ken Pool, Noam Arzt, Sri Koka, Karen Witting, Peter Bachman, Robert Dieterle, Odysseas Pentakalos, David Tao, Erik Pupo, Joni Bass, Smriti Singal, Myung Choi, Bill Pankey, Rao Parvatam, Vincent Lewis, Ananya Gupta
__Panelist Attendees:__ Victoria Njoku, Virginia Riehl, Jonathan Tadese

**Action Items:**
|| **Date** || **Description** || **Status** || **Notes** ||
|| 6/21/11 || Review final Query for Digital Certificate Use Case once posted and cast vote if a Committed Member || OPEN || Refer to Use Case and Consensus Wiki pages ||
|| 6/21/11 || Complete homework specified for harmonization standards analysis work || OPEN || Refer to SWG Wiki page ||
|| 6/20/11 || Update Consensus Page to reflect all Committed Members who submitted Statements of Commitment || OPEN || Refer to Consensus Wiki page ||
|| 6/20/11 || Ensure harmonization work includes a risk analysis to assess risks introduced as a result of the solution chosen for this Use Case. || OPEN ||  ||

**Parking Lot Items on Use Case**

**Key Discussion Points:**
 * Specific policy issues for this Use Case:
   * Maintenance and certification of Certificate Directories are policy issues
   * A number of privacy and security issues most likely exist for the solution(s) chosen for this Use Case, but it is not necessary to list them specifically within the Use Case itself. Instead, the Use Case should indicate that a risk analysis will need to be conducted as part of the harmonization process.
 * Specific regulatory issues for this Use Case:
   * The ability to satisfy or meet the certificate policies under the Federal Public Key Infrastructure (PKI) may be a regulatory issue, but it was not considered a specific regulatory issue for this Use Case
 * Requirement to have a secure non-repudiation connection between the sending system and the Certificate Directory to ensure that the certificate cannot be “spoofed”:
   * The implication is that the sender believes a valid message has been sent and the destination is unable to decrypt it
   * This issue is critical but should be deferred to the Harmonization stage.
 * During the harmonization process, there should be a list of issues to address, some of which are listed in the Issues and Obstacles section of the Use Case
 * Certificate contents: The information that will be included in the certificate is not addressed in the Use Case and considered. The certificate is a public certificate and providers need to be informed about what not to put into the certificate.
 * There is a need to ensure that the destination gets the certificate across to the sender
 * Getting the certificate from the destination to the sender should be made a post-condition or the Activity diagram should be changed to reflect that the receiving party could also query the Certificate Directory to retrieve the certificate for the sender
 * It is conditional to have to do a second query
 * The sender or recipient could access the Certificate Directory


**Resolution(s):**
 * Both the maintenance and certification of Certificate Directories were retained as policy issues
 * The phrase, “A risk analysis will need to be done to assess risks introduced as a result of the solution chosen for this Use Case” was included to indicate that there may be privacy and security issues resulting from the solution chosen for this Use Case.
 * There were no regulatory issues specified for this use case
 * The word “Destination” was excluded from the Activity Diagram to indicate that either the sender or the recipient could query the Certificate Directory for the digital certificate.

**Consensus Process and Timeline**

**Key Discussion Points:**
 * Given the completion of the Use Case, consensus will begin on Tuesday 6/21 and run until COB Thursday, June 30. All comments received by Thursday 6/23 that are unresolved will be reviewed during the Friday Sprint Team meeting. Committed Members are urged to cast their vote early and provide any actionable feedback to support a “No” vote.
 * Few organizations have more than one Committed Member. As per voting rules, only one vote will be counted per organization.
 * The full list of Committed Members will be reflected on the Consensus Page


**Resolution(s):**
 * Any participant who submitted a Statement of Commitment but is not included on the Consensus Page should send the Support Leads an email regarding this issue with a copy of the Statement of Commitment submitted previously.

**Harmonization Work**

**Key Discussion Points:**
 * High Level Criteria:
   * Suitability: Does the standard meet the use case business and technical requirements?
   * Compatibility: Is there an appropriate migration path from this standard to another standard (does this standard restrict technical choices in the future)? Put another way: Can this standard be integrated with other standards to build the solution desired?
   * Regulatory Impact: Are there jurisdictional and regulatory impacts in using this standard?
   * Data Element Usage: Does the standard support all the data elements proposed in the use case (full, comprehensive support)?
   * Maturity: How widely is the standard used in the context of the use case requirements?
 * Detailed Criteria:
   * Availability: Is the standard easily available and able to be used/implemented without barriers?
   * Technology Architecture and Vendor Neutrality: Is there an undesired bias toward a given technology architecture or toward the platform of a particular vendor?
   * Expected Total Costs of Implementation: What are the expected total costs of implementation across the industry, disruption of current processes due to conversion, coordination and communication costs borne by implementers or the lost revenue of current solutions in place that will no longer be useful?
   * Conformance Criteria: Does the standard have standard conformance language to enable testing?
   * Pilot Recommendations: Are there existing pilots using the standard that are aligned to the use case requirements?
 * Initial Considerations:
   * Review Direct Project Recommendations on Provider Directories
   * Populate Standard Criteria Table (starting Tuesday)

**Resolution(s):**
 * The harmonization work should include a risk analysis of the Privacy and Security issues as discussed earlier in the Use Case

**Sprint Team Logistics**

**Key Discussion Points:**
 * Recurring SWG Meetings occur every Monday 2:30-4:00PM ET. Next week’s meeting will be focused on continuing the harmonization work in progress
 * Next Sprint Team Meeting scheduled for June 24, 2011 3:00-5:00PM ET. The team will address any unresolved comments received during the consensus process. Harmonization work on digital certificate discovery will also continue.
 * Presentation on Australia’s Human Services Directory (by Max Walker) June 23rd, 4:00 – 5:00PM E.T.


**Resolutions:**
 * None.