PD - Sprint Team Meeting Minutes 2011-07-08


 * **Meeting Date**: 07/08/2011
 * **Meeting Title:** PD Sprint Team Meeting Session 6

Agenda/Objectives:

|| **Topic** || **Time Allotted** ||
|| Query for Digital Certificate Use Case for Direct Project || 115 minutes ||
|| Sprint Team Logistics / Next Steps and Questions || 5 minutes ||

Attendees:
__Workgroup Attendees:__ Jaime Estrada, Jitin Asnaani, Lori Fourquet, Scott Chapin, McLain Causey, Lester Keepper, Robert Dieterle, Jim Logan, Al Manint, Craig Klassy, Van Nguyen, Francis Chan, Steve Rushing, Tynisha Carter, Thompson Boyd, Peter Bachman, Bob Kaye, Sri Koka, Joni Bass, Ed Larsen, Aleena Dhar, Ron Sawdey, Dave Marotz, Marcus Clayton, Erin Cornell, David Tao, Jas Singh, Jeff Ice, Andriy Selivonenko, Ryan Balsick, Ernest Grove, Joy Styrcula, Odysseas Pentakalos, Daniel Chaput, Erik Pupo, Donna Jones, Karen Witting, Steve Tripp, Vincent Lewis, Lin Wan, Emily Mitchell, Rao Parvatam, Terri Skalabrin, Saswata Ghose, John Moehrke, Michael Nelson, Debra Rouse

__Panelist Attendees:__ Virginia Riehl and Victoria Njoku

Action Items:

|| **Date** || **Description** || **Status** || **Notes** ||
|| 7/8/2011 || Review and provide comments on next sections to be completed for Query for Digital Certificate Use Case for Direct Project || OPEN || Sprint Team Members ||
|| 7/8/2011 || Share link to the risk assessment conducted under the Direct Project || CLOSED || John Moehrke ||
|| 7/8/2011 || Review the risk assessment documentation and be prepared to revise the Issues, Obstacles, and Risks section of the Use Case during Monday’s SWG call. || OPEN || SWG Members ||
|| 7/8/2011 || Review and provide additional comments on Query for Electronic Address Use Case || OPEN || Committed Members ||
|| 7/8/2011 || Review posted Meeting Minutes for Sprint Team and SWG meetings and provide any corrections || OPEN || Sprint Team Members ||

__Query for Digital Certificate Use Case for Direct Project:__

 * **Key Discussion Points:**
 * The discussion for the Use Case Assumptions sections focused on the following:
 * The assumption regarding whether the Certificate Directory has a pointer to where the certificate is located and can be retrieved from was not appropriate for the Use Case and was therefore deleted
 * The assumption and sub-level assumptions under “In keeping with relying party agreement, legal and governance issues regarding data access authorizations, data ownership, and data use are in effect.” appeared to be too detailed, somewhat unclear, and not exhaustive around PKI best practices and policies. These assumptions were further amended
 * The assumption indicating that a CA must have an approved trust framework seemed to repeat a previous assumption and was removed.
 * The concept of returning certificates for Direct vs. for a given Direct Address appeared similar. The suggestion was to maintain only one reference to this assumption.
 * The method of using the certificate is noted as a post condition
 * Additional clarity was provided to indicate that the scope of the Use Case was only for the Direct Project.
 * In regards to the Pre Conditions section:
 * Suggestions from John Moehrke to add two statements were accepted: 1) Certificate Authority trust relationships have been established; and 2) Certificates have been issued and placed in Certificate Directory.
 * The phrase “using Direct” was included to emphasize the mechanism that the digital certificate requester wants to use to send information electronically to the destination.
 * The discussion for the Post Conditions section focused on the following:
 * The concept of Certificate Validation was discussed and included to emphasize that the requester system performs validation on the digital certificate returned by the Certificate Directory
 * Given that the “post processing” or use of the certificate is out of scope, it was noted that the requester system would select the correct certificate for the “intended use” when multiple certificates are returned
 * Inclusion of a statement that the Certificate Directory “may return zero, one, or more than one certificates” was considered
 * No changes were made to the Actors and Roles section as well as the Use Case and Context diagram section
 * For the entire Use Case, a need was raised to clearly specify when using Direct Address, Direct (as the protocol), or the Direct Project
 * The discussion for the scenario section focused on the following:
 * There appeared to be no need to specifically relate the User Story to a “Push” transaction and this was eliminated.
 * Within the Triggers, specifying that the transaction was a Direct transaction was discussed and noted
 * The idea of caching certificates was discussed, and a clarification was provided indicating that if one has already cached a certificate, then there will be no need to query for the certificate and the Use Case will not be applicable
 * Under the Issues, Obstacles, and Potential Risks section, the following were discussed:
 * The need to highlight issues related to the misuse of certificates was raised. It was noted that this concept has already been addressed within the Direct Project, where it is referred to as principles
 * A clarification was shared that the group’s focus is to define the various risks, issues, and obstacles relevant to the Use Case and not all risks that may have been addressed within the Direct Project
 * Given that the Direct Project has conducted a risk assessment, the group was asked to review it and afterwards, identify from the existing list of issues, obstacles, and risks, what was relevant to keep within the Use Case
 * **Resolution(s):**
 * Revisions to Use Case Assumption section are as follows:
 * Assumption regarding if the Certificate Directory has a pointer to where the certificate is located was deleted
 * The assumption and sub-level assumptions under “In keeping with relying party agreement, legal and governance issues regarding data access authorizations, data ownership, and data use are in effect” were re-worded to “A relying party agreement, legal and governance policy regarding data access authorizations, data ownership, and data and certificate use is in effect”
 * The assumption indicating that a CA must have an approved trust framework was removed.
 * The concepts of returning certificates for Direct vs. for a given Direct Address were reflected as “The certificate directory returns digital certificates for direct”
 * The concept around the number of certificates to return was revised to “For any given direct address the directory will return one or more digital certificate”
 * The assumption “The Certificate Directory and certificate authority must be part of an approved trust framework” was deleted
 * The assumption “A Certificate Directory will provide at least one secured and guaranteed delivery transport mechanism” was deleted
 * Revisions to Pre Conditions section are as follows:
 * The statements “Certificate Authority trust relationships have been established” and “Certificates have been issued and placed in Certificate Directory” were added
 * Within the scope section (2.2) of the use case, “the scope of this Use Case…” was placed in bold to emphasize this clarity
 * Revisions to Post Conditions section are as follows:
 * The statement “may return zero, one, or more than one certificate” is not needed and was removed
 * Revisions to Scenario section are as follows:
 * Definitions for the following terms will be added to the glossary: “direct project, direct address and direct”
 * The word “push” in the title “User Story: Push” was eliminated
 * A post condition referencing certificate validation was added
 * In order to indicate that multiple certificates can be returned, an “(s)” was added to digital certificate across the Use Case
 * Within the Trigger section, “the digital certificate user” has been changed to “Certificate directory consumer”


 * **Sprint Team Logistics/Next Steps and Questions:**
 * Next Certificate Discovery SWG Meeting rescheduled for **Monday** **July 11, 2:30-4:00PM ET**
 * Next Electronic Address Discovery SWG Meeting scheduled for **Thursday July 14, 12:00-1:30PM ET**
 * Next Sprint Team Meeting scheduled for **Friday July 15, 2011 3:00-5:00PM ET**
 * Review and provide comments on next sections to be completed for Query for Digital Certificate Use Case for Direct Project
 * Review and provide additional comments on Query for Electronic Address Use Case
 * Review posted Meeting Minutes for Sprint Team and SWG meetings and provide any corrections
 * John Moehrke will share link to the risk assessment conducted under the Direct Project
 * Members will review the risk assessment documentation and be prepared to revise the Issues, Obstacles, and Risks section of the Use Case during Monday’s SWG call.