Query for Digital Certificate for Direct Project - Ecosystem Consensus

=Introduction=

The summary table below highlights key areas of harmonization analysis to be reviewed by the S&I Framework Provider Directory Workgroup, surrounding major issues needing harmonization focus. The table of contents shown on the right also allows the reader the opportunity to jump to specific sections of interest within this page.

Harmonization Approach
Because of changes in scope initiated in the Use Case development stages, our approach for harmonization has changed. Those changes in scope and timing are reflected in the content below:

The harmonization approach is designed to conduct a thorough analysis of potential standards applicable to digital certificate queries, while being mindful of both the time and use case constraints that have been identified for this initiative. The timeline was developed being mindful of the target outcomes expected from the Query for Digital Certificates Use Case for the Direct Project:
 * Providers and other authorized entities can retrieve digital certificate(s) to facilitate secure exchange of health information
 * Standardized query mechanism for Certificate Directories can be adopted by EHR vendors, State HIEs, HISPs and other mediators of exchange
 * Standardization and simplification of the implementation of interfaces to query Certificate Directories

The highlighted portion of the diagram below (Direct Use Case) outlines the focus of our planned efforts for the harmonization process. As outlined below, we will be conducting an analysis of LDAP, a review of the DNS RFC, as well as a review of the results from our informal environmental scan efforts.



|| **Area of Harmonization Analysis** || **Description of Area of Analysis** || **Consensus Statement** ||
|| Review Direct Project Rules of the Road Statement || The S&I Framework will look at the Direct Project recommendation of DNS and compare it to the business and technical requirements outlined in the use case. || TBD ||
|| Perform Informal Environmental Scans || The S&I Framework will conduct informal environmental scans to look at real-world implementation options that are currently being used with the standards under consideration. || TBD ||
|| Review Standards Criteria || The S&I Framework will look at the individual criteria used to evaluate standards and will ask volunteers in the Provider Directory Initiative to provide their feedback on the criteria for each standard. || TBD ||
|| Review Dataset Evaluation || The S&I Framework will look at the data elements within the dataset defined in the Query for Digital Certificate Use Case for Direct Project to align them to the potential standards under consideration. || TBD ||
|| Review Harmonization Models || The S&I Framework will enhance the models within the Query for Digital Certificate Use Case for Direct Project to highlight how each potential standard being considered can meet the use case requirements. || TBD ||
|| Prepare Harmonization Consensus Statements || Once these activities have been completed, formal consensus statements will be documented on the wiki for review and consensus voting. || TBD ||
|| Define Implementation Guidance || Upon completion of harmonization, formal implementation guidance will be developed surrounding the requirements outlined in the Query for Digital Certificate Use Case for Direct Project. || TBD ||

Assumptions
Several assumptions are adopted as part of harmonization surrounding this specific initiative. They include:
 * Participants in harmonization are assumed to have working knowledge of the Query for Digital Certificate Use Case for Direct Project.
 * Harmonization adopts the current Query for Digital Certificate Use Case for Direct Project **as-is**
 * Any specific assumption not listed in the Query for Digital Certificate Use Case for Direct Project is **out-of-scope** for harmonization
 * Privacy questions are **out-of-scope** for harmonization
 * Security considerations are **in-scope** for harmonization
 * DNS and LDAP standards are to be considered in harmonization. Any other standards are **out-of-scope.**
 * Harmonization efforts will begin with full knowledge that the Query for Digital Certificate Use Case for Direct Project, as of July 18, 2011, has **NOT** passed consensus.

Additional Questions on Assumptions
However, there are still open assumptions that require further workgroup review and clarification (in addition to possible edits to the assumptions above):
 * 1) //Should the group consider possible future provider directory use cases as a criteria for standards harmonization in this use case, or should this use case be viewed in isolation?//
 * 2) //How should the group handle formal recommendations from the Health IT Standards Committee?//

Risks
//To be developed - several risks need to be added in this section from the use case and this section can also be used to document how these risks are mitigated through harmonization.//

As standards are selected, the risks associated with the implementation of those standards will be documented in this section.

Timeline for Harmonization
This timeline seems workable due to the narrowly scoped nature of the use case, with the following activities being proposed to finalize the harmonization portion of the S&I Framework:


 * **To accomplish by July 18th, 2011:**
 * Conduct LDAP Review
 * Conduct Review of DNS RFC
 * Harmonize Bob and Sean's (and possibly others') Environmental Scans


 * **Achieve Consensus by July 31st, 2011**

Possible Standards to Consider
Due to the extremely narrow nature of the business and technical requirements defined in the Query for Digital Certificate Use Case for Direct, the possible standards that can be considered for harmonization are limited. The types of interactions defined in the use case can generally be supported by the standards listed below:


 * **Domain Name System (DNS)**

DNS is recommended by the Direct Project Rules of the Road statement. Based on initial technical review, DNS would allow for the storage and querying of digital certificates. There is also high-level implementation guidance provided in the Direct Rules of the Road statement that may be applicable to this specific use case.

The following RFCs will be reviewed and considered within harmonization specific to DNS:

 * RFC 920, Domain Requirements – Specified original top-level domains
 * RFC 1032, Domain Administrators Guide
 * RFC 1033, Domain Administrators Operations Guide
 * RFC 1034, Domain Names - Concepts and Facilities
 * RFC 1035, Domain Names - Implementation and Specification
 * RFC 1101, DNS Encodings of Network Names and Other Types
 * RFC 1123, Requirements for Internet Hosts – Application and Support
 * RFC 1183, New DNS RR Definitions
 * RFC 1591, Domain Name System Structure and Delegation (Informational)
 * RFC 1912, Common DNS Operational and Configuration Errors
 * RFC 1995, Incremental Zone Transfer in DNS
 * RFC 1996, A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY)
 * RFC 2100, The Naming of Hosts (Informational)
 * RFC 2136, Dynamic Updates in the Domain Name System (DNS UPDATE)
 * RFC 2181, Clarifications to the DNS Specification
 * RFC 2182, Selection and Operation of Secondary DNS Servers
 * RFC 2308, Negative Caching of DNS Queries (DNS NCACHE)
 * RFC 2317, Classless IN-ADDR.ARPA Delegation (BCP 20)
 * RFC 2671, Extension Mechanisms for DNS (EDNS0)
 * RFC 2672, Non-Terminal DNS Name Redirection
 * RFC 2845, Secret Key Transaction Authentication for DNS (TSIG)
 * RFC 3225, Indicating Resolver Support of DNSSEC
 * RFC 3226, DNSSEC and IPv6 A6 Aware Server/Resolver Message Size Requirements
 * RFC 3597, Handling of Unknown DNS Resource Record (RR) Types
 * RFC 3696, Application Techniques for Checking and Transformation of Names (Informational)
 * RFC 4343, Domain Name System (DNS) Case Insensitivity Clarification
 * RFC 4592, The Role of Wildcards in the Domain Name System
 * RFC 4635, HMAC SHA TSIG Algorithm Identifiers
 * RFC 4892, Requirements for a Mechanism Identifying a Name Server Instance (Informational)
 * RFC 5001, DNS Name Server Identifier (NSID) Option
 * RFC 5395, Domain Name System (DNS) IANA Considerations (BCP 42)
 * RFC 5452, Measures for Making DNS More Resilient against Forged Answers
 * RFC 5625, DNS Proxy Implementation Guidelines (BCP 152)
 * RFC 5890, Internationalized Domain Names for Applications (IDNA): Definitions and Document Framework
 * RFC 5891, Internationalized Domain Names in Applications (IDNA): Protocol
 * RFC 5892, The Unicode Code Points and Internationalized Domain Names for Applications (IDNA)
 * RFC 5893, Right-to-Left Scripts for Internationalized Domain Names for Applications (IDNA)
 * RFC 5894, Internationalized Domain Names for Applications (IDNA): Background, Explanation, and Rationale (Informational)
 * RFC 5895, Mapping Characters for Internationalized Domain Names in Applications (IDNA) 2008 (Informational)
 * RFC 4033, DNS Security Introduction and Requirements
 * RFC 4034, Resource Records for the DNS Security Extensions
 * RFC 4035, Protocol Modifications for the DNS Security Extensions
 * RFC 4509, Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records
 * RFC 4470, Minimally Covering NSEC Records and DNSSEC On-line Signing
 * RFC 5011, Automated Updates of DNS Security (DNSSEC) Trust Anchors
 * RFC 5155, DNS Security (DNSSEC) Hashed Authenticated Denial of Existence
 * RFC 5702, Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC
 * RFC 5910, Domain Name System (DNS) Security Extensions Mapping for the Extensible Provisioning Protocol (EPP)
 * RFC 5933, Use of GOST Signature Algorithms in DNSKEY and RRSIG Resource Records for DNSSEC


 * **Lightweight Directory Access Protocol (LDAP)**

Based on initial technical review, LDAP would allow for the storage and querying of digital certificates. Implementation guidance would need to be developed in support of LDAP as a possible standard for this use case, but guidance would appear to be readily available from other industry implementations of LDAP.

The following RFCs will be reviewed and considered within harmonization specific to LDAP (//links to be provided shortly//):

 * RFC 1777 - Lightweight Directory Access Protocol
 * RFC 1778 - The String Representation of Standard Attribute Syntaxes
 * RFC 2251 - Lightweight Directory Access Protocol (v3)
 * RFC 2252 - Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions
 * RFC 2253 - Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names
 * RFC 2254 - The String Representation of LDAP Search Filters
 * RFC 2255 - The LDAP URL Format
 * RFC 2256 - A Summary of the X.500(96) User Schema for use with LDAPv3

Direct Recommendations Review
The Direct Project Rules of the Road (Direct Communities) recommendations can be located here:

Direct Project Rules of the Road (Direct Communities)

The Query for Digital Certificate Use Case for Direct was designed, in part, to help meet these Direct Project recommendations. As part of harmonization, the S&I Framework will evaluate these recommendations in the context of the use case requirements and help identify any potential implementation issues to be considered within the limited scope of this use case. The preliminary analysis of the Direct Rules of the Road statements and recommendations surrounding DNS are located here.

The S&I Framework will capture issues/comments raised in this section of the consensus, to help inform the implementation guidance to be developed as part of harmonization.

Environmental Scanning
To validate the assertions on implementation, the S&I Framework harmonization team will look to gather more detail regarding the provider directory implementation landscape. To expedite our harmonization process, the S&I Framework harmonization team will be conducting informal environmental scans via discussions during sub-workgroup calls. Additionally, we will be conducting informal interviews to analyze the environment through a series of phone calls that will take place outside of PD workgroup and sub-workgroup calls. This information will be used as part of both the evaluation of standards and to assist in developing implementation guidance surrounding the standard(s) eventually recommended.

This environmental scan will include the following additional steps:
 * Discussions with the Direct DNS Pilot participants directly to gather information on their experiences with DNS to date
 * Outreach to the HITSC and the HITSC Privacy and Security Workgroup to reuse environmental scanning data collected during their provider directory review
 * Outreach to federal agencies on the use of LDAP as a user directory and for purposes similarly scoped to

For an overview of the type of information that the S&I Framework team is attempting to gather, please refer to the links below:

DNS Environmental Scan

LDAP Environmental Scan

Standards Criteria
In order to create some level of distinction between the standards considered as applicable to this use case, a set of standards criteria has been developed to evaluate each standard against the requirements defined in the use case. The criteria are broad-based and do not produce a numeric score. Their intent is to provide factual information about each standard based on a set of understandable data points. If you have additional suggestions or comments on the criteria, please click here to provide feedback.

The criteria are listed in the table below:

|| **Criteria Name** || **Description of Criteria** || **Example of Criteria** ||
|| **Suitability** || Does the standard meet the Query for Digital Certificate use case for Direct Project business and technical requirements? || Do DNS and/or LDAP CLEARLY meet the business and technical requirements within the use case? ||
|| **Compatibility** || Is there an appropriate migration path from this standard to another standard (does this standard restrict technical choices in the future)? Can this standard be integrated with other standards to build the solution desired? || Do DNS and/or LDAP integrate with each other in a way that would allow one or more standards to be used together in the same organization? Do DNS and/or LDAP support clear migration from one standard to another? ||
|| **Regulatory Impact** || Are there jurisdictional and regulatory impacts in using this standard? || Would the selection of DNS and/or LDAP have any known policy or regulatory impacts at the national, state and local level? ||
|| **Data Element Usage** || Does the standard support all the data elements proposed in the use case (full, comprehensive support)? || Do DNS and/or LDAP have underlying data schemas that support the data elements listed in the use case? ||
|| **Maturity** || How widely is the standard in use in the United States within the context of the use case requirements? || How widely used are DNS and/or LDAP to query digital certificates in healthcare? ||
|| **Technology Architecture and Vendor Neutrality** || Is there an undesired bias toward a given technology architecture or toward the platform of a particular vendor? || Do DNS and/or LDAP favor a specific vendor or a specific architecture that is proprietary and/or difficult to migrate to? ||
|| **Availability** || Is the standard easily available and able to be used/implemented without barriers? || Are DNS and/or LDAP available freely for use by implementers and vendors, and is there some level of support available from the IT community for these standards? ||
|| **Expected Total Costs of Implementation** || What are the expected total costs of implementation across the industry, disruption of current processes due to conversion, coordination and communication costs borne by implementers, or the lost revenue of current solutions in place that will no longer be useful? || If a decision is made to implement DNS and/or LDAP, what is a rough estimate of the total costs of implementation within healthcare, are there any anticipated disruptions that might occur during implementation, and are there specific costs for conversion if moving from one standard to another? ||
|| **Economic Impacts** || What are the expected business and economic impacts from the selection of this standard? || If a decision is made to implement DNS and/or LDAP, what are the expected business model changes that will need to be supported and what are the associated economic issues to consider for healthcare stakeholders? ||
|| **Pilot Recommendations** || Are there existing pilots using the standard that are aligned to the use case requirements? || How many DNS and/or LDAP pilots are currently in use in the United States that are specific to the requirements of the Query for Digital Certificate Use Case? ||
|| **Conformance Criteria** || Does the standard have standard conformance language to enable testing? || Is there specific conformance testing language written into DNS and/or LDAP that would allow an organization to test their conformance? ||
|| **Viability** || Does the selection of a standard lead to a specific implementation model that is not viable? || Would the use of DNS and/or LDAP be commercially or technically viable in real-world implementation settings? ||

Dataset Evaluation
The dataset listed in the Query for Digital Certificate Use Case for Direct Project is very simple and covers the basic aspects of querying for a digital certificate. Preliminary technical review indicates the standards could meet the dataset requirements outlined in the use case:

|| **Data Elements** || **DNS** || **LDAP** ||
|| Electronic Address || Can be stored in DNS || Can be stored in LDAP ||
|| Security Artifact encrypted with the sender's private key (i.e. the digital certificate and encrypted digital signature) || Can be stored in DNS. //Need for DNSSEC (to be explored with workgroup)// || Can be stored in LDAP. The objectclass supports the usercertificate (binary) attribute. ||
|| Digital ID of the sender's digital certificate //(clarify with use case)// || Can be stored in DNS || Can be stored in LDAP ||
|| Issuer || Can be stored in DNS || Can be stored in LDAP ||
|| Effective Date || Can be stored in DNS || Can be stored in LDAP ||
|| Public Key || Public keys can be distributed using Secure DNS || Can be stored in LDAP ||

=Preliminary Consensus Statements=

The S&I Framework Harmonization support team has put together some starting content surrounding the standards considered for the Query for Digital Certificate Use Case for Direct Project. This language will require refinement and possible deletion through close coordination with the S&I Framework volunteers. A key goal of harmonization is finalizing consensus language in agreement with the entire Provider Directory initiative that is both easy to understand and can serve as the basis for further implementation guidance.

DNS Consensus
The sequence diagram below shows how DNS would work to query a digital certificate. The method for storage of certificates within DNS is X.509v3 certificates, stored as a CERT RR, which may, in some cases, be connected to a domain name.
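As an added illustration of the storage model described above (this is example code written for this page, not the Direct Project's reference implementation), the following Python handles the wire and presentation forms of a CERT resource record and checks that a PKIX-type record carries a well-framed DER blob before it is handed to an X.509 parser. The CERT RDATA layout (16-bit type, 16-bit key tag, 8-bit algorithm, then the certificate) and the type mnemonics are taken from RFC 4398, which is not in the page's RFC list and is assumed here; the sample record is constructed and does not contain a real certificate. Note that nothing here authenticates the answer: that is the DNSSEC question the dataset table flags.

```python
import base64
import struct

# Certificate type mnemonics from RFC 4398 section 2.1 (assumed from that RFC,
# which the page's own DNS RFC list does not include).
CERT_TYPES = {
    1: "PKIX", 2: "SPKI", 3: "PGP", 4: "IPKIX", 5: "ISPKI",
    6: "IPGP", 7: "ACPKIX", 8: "IACPKIX", 253: "URI", 254: "OID",
}
CERT_MNEMONICS = {name: num for num, name in CERT_TYPES.items()}


def parse_cert_rdata(rdata: bytes) -> dict:
    """Split CERT RDATA into its fixed header and the certificate blob.

    Wire layout (RFC 4398): 16-bit type, 16-bit key tag, 8-bit algorithm,
    then the certificate or CRL bytes.
    """
    if len(rdata) < 5:
        raise ValueError("CERT RDATA shorter than its 5-byte header")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return {"type": cert_type, "key_tag": key_tag,
            "algorithm": algorithm, "certificate": rdata[5:]}


def der_outer_length(blob: bytes) -> int:
    """Check that blob is exactly one DER SEQUENCE (the outer frame of an
    X.509 certificate) and return the length of its contents.

    This is a framing check only: it does not parse or validate the
    certificate, it just rejects truncated or trailing data.
    """
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("certificate does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                      # short-form length
        header, length = 2, first
    else:                                 # long-form length
        n = first & 0x7F
        if n == 0 or n > 4 or len(blob) < 2 + n:
            raise ValueError("unsupported or truncated DER length")
        header = 2 + n
        length = int.from_bytes(blob[2:2 + n], "big")
    if header + length != len(blob):
        raise ValueError("DER length does not match RDATA length")
    return length


def extract_pkix_certificate(rdata: bytes) -> bytes:
    """Return the DER certificate from a CERT RR of type PKIX (1)."""
    rec = parse_cert_rdata(rdata)
    if rec["type"] != CERT_MNEMONICS["PKIX"]:
        raise ValueError("not a PKIX certificate record: type %d" % rec["type"])
    der_outer_length(rec["certificate"])
    return rec["certificate"]


def to_presentation(rdata: bytes) -> str:
    """Render RDATA in RFC 4398 presentation form: CERT type key-tag alg base64."""
    rec = parse_cert_rdata(rdata)
    mnemonic = CERT_TYPES.get(rec["type"], str(rec["type"]))
    b64 = base64.b64encode(rec["certificate"]).decode("ascii")
    return "CERT %s %d %d %s" % (mnemonic, rec["key_tag"], rec["algorithm"], b64)


def from_presentation(text: str) -> bytes:
    """Inverse of to_presentation: build wire RDATA from the text form."""
    fields = text.split()
    if len(fields) != 5 or fields[0] != "CERT":
        raise ValueError("expected: CERT <type> <key tag> <algorithm> <base64>")
    cert_type = CERT_MNEMONICS.get(fields[1].upper())
    if cert_type is None:
        cert_type = int(fields[1])        # numeric type is also allowed
    key_tag, algorithm = int(fields[2]), int(fields[3])
    cert = base64.b64decode(fields[4])
    return struct.pack("!HHB", cert_type, key_tag, algorithm) + cert


# Constructed sample RDATA (not a real certificate): PKIX type, key tag 4660,
# algorithm 8 (RSA/SHA-256 per RFC 5702), and a 5-byte DER SEQUENCE holding a
# single INTEGER so the framing check has something to verify.
SAMPLE_RDATA = struct.pack("!HHB", 1, 4660, 8) + bytes.fromhex("3003020105")

if __name__ == "__main__":
    print(to_presentation(SAMPLE_RDATA))
    print(extract_pkix_certificate(SAMPLE_RDATA).hex())
```

The framing check is deliberately narrow: it rejects a truncated or padded record early, which is the cheap failure to catch before a full X.509 parse, and leaves certificate validation (chain, validity period, key usage) to a proper library.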



The Query for Digital Certificate Use Case for Direct Project, due to its structure and specific scope limitations, would seem to be designed to specifically support the Direct Project and the participants within Direct. With the development of Direct DNS pilots already ongoing, and with the Direct Project clearly supportive of the DNS recommendation, the S&I Framework will review the Direct Rules of the Road recommendation and provide any additional clarity needed that is specific to the Query for Digital Certificate Use Case for Direct Project. Specific steps to achieving consensus on DNS include:
 * Review the Direct Project Rules of the Road Statement, and determine its applicability to the use case identified within the S&I Framework
 * Identify any specific implementation issues, both short and long-term, that might arise from use of DNS for this specific use case.


 * **Preliminary consensus would be to accept the Direct Project Rules of the Road recommendations, as this use case appears to be very specifically tailored to the needs of Direct, and to provide additional implementation and risk assessment guidance as needed.**

LDAP Consensus
The sequence diagram below shows how LDAP would be used to query digital certificates. The query would be based off of the X.500 schema using TCP/IP with LDAP specific syntax:

On the technical merits, LDAP has been implemented as a user directory in numerous federal agencies (including HHS agencies) in FISMA compliant environments to store and query digital certificates. LDAP would also support possible data complexities for future provider directory use cases, as LDAP can support a hierarchy between objects and relationships through the //groupOfNames// concept. LDAP schema extensibility would make it easy to add new objects and attributes and to update the capabilities of existing ones.
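The query described above resolves an electronic address to an entry's certificate attribute. As an added example (written for this page, not Direct Project code), the following Python builds that search filter with the value escaping RFC 2254 requires and composes the corresponding RFC 2255 LDAP URL, both of which are on the LDAP RFC list above. It assumes the `inetOrgPerson` object class (RFC 2798, which carries `userCertificate`; the page does not name the object class), and the hostname, base DN and addresses are constructed. The `assertion_count` helper shows why escaping matters for a value taken from a request: an unescaped address containing filter metacharacters changes the number of assertions in the filter, an escaped one does not.

```python
from urllib.parse import quote

# Characters that RFC 2254 section 4 requires to be escaped inside an
# assertion value, each replaced by a backslash and two hex digits.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape an attribute value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_cert_lookup_filter(address: str, object_class: str = "inetOrgPerson") -> str:
    """Filter matching one directory entry by electronic address.

    object_class defaults to inetOrgPerson (RFC 2798), which carries the
    userCertificate attribute; this is an assumption, the page does not
    name the object class.
    """
    return "(&(objectClass=%s)(mail=%s))" % (
        escape_filter_value(object_class), escape_filter_value(address))


def assertion_count(search_filter: str) -> int:
    """Count the (attribute=value) assertions in a filter.

    Escaped sequences (backslash + two hex digits) are skipped, so only
    structural parentheses are counted. A filter built from one untrusted
    value should contain exactly the assertions the code wrote.
    """
    count, i = 0, 0
    while i < len(search_filter):
        ch = search_filter[i]
        if ch == "\\":
            i += 3
            continue
        if ch == "(" and i + 1 < len(search_filter) and search_filter[i + 1] not in "&|!":
            count += 1
        i += 1
    return count


def build_ldap_url(host: str, base_dn: str, address: str, port: int = 389) -> str:
    """Compose an RFC 2255 URL: ldap://host:port/dn?attributes?scope?filter.

    Only the certificate attribute is requested, the scope is the whole
    subtree, and URL-reserved characters are percent-encoded.
    """
    attributes = "userCertificate;binary"
    search_filter = build_cert_lookup_filter(address)
    return "ldap://%s:%d/%s?%s?sub?%s" % (
        host, port,
        quote(base_dn, safe="=,"),
        quote(attributes, safe=";"),
        quote(search_filter, safe="()=&|!@"))


# Constructed inputs: a hypothetical directory host and base DN, a
# well-formed address, and a value containing filter metacharacters.
DIRECTORY_HOST = "directory.example.org"
BASE_DN = "dc=example,dc=org"
GOOD_ADDRESS = "alice@example.org"
METACHAR_ADDRESS = "x*)(mail="

if __name__ == "__main__":
    print(build_cert_lookup_filter(GOOD_ADDRESS))
    print(build_cert_lookup_filter(METACHAR_ADDRESS))
    print(build_ldap_url(DIRECTORY_HOST, BASE_DN, GOOD_ADDRESS))
```

Requesting `userCertificate;binary` rather than `userCertificate` asks the server for the raw DER value, which is what a certificate parser expects; the `;binary` transfer option is the form the LDAPv3 schema RFCs listed above define for this attribute.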

There seem to be two specific issues with LDAP, as identified by the Direct Project, that might limit its applicability to this specific use case (//these two issues will be discussed by the workgroup//):
 * Querying an LDAP server based on a specific domain address, such as siframework.org
 * LDAP implementation timelines are longer than DNS

It is concerning that the Direct Project does not appear to have started any specific LDAP pilots, given that the Direct reference implementation appears to provide support for LDAP. It appears that the primary factor for this decision was a belief that usage of LDAP for querying digital certificates is not high at this point. It is not clear from reviewing the Direct Project Rules of the Road how this conclusion was reached. Initial focus will be on scanning for potential usage of LDAP as a way of querying digital certificates.


 * **The preliminary consensus is that LDAP would be a possible standard for use in querying digital certificates. Further work will be conducted within the S&I Framework Provider Directory Initiative to specify potential pilots, along with an environmental scan review. Based on that scan and a further technical review within the S&I Framework Provider Directory workgroup, it would be possible to recommend LDAP as an alternative option to meet the requirements of digital certificate queries.**

=Query for Digital Certificate Roadmap=

A set of short and long term milestones will need to be defined as the Query for Digital Certificate Use Case for Direct Project moves from harmonization into implementation and piloting. These milestones are identified below:

Develop Query for Digital Certificate for Direct Project Implementation Guide
For the standard(s) chosen for this use case, specific implementation guidance will need to be developed as an output from the S&I Framework. This implementation guidance would be used to inform possible reference implementations and pilots. Both DNS and LDAP would require some formal implementation guidance to be developed that is specific to this use case and its requirements.

Continue Tracking Direct DNS Pilots
The results of the Direct DNS pilots, currently ongoing within the Direct Project and in coordination with their volunteers, should continually be tracked and collected to ensure any new issues raised with the usage of DNS for querying digital certificates can be reviewed by the S&I Framework.

Identification and Development of LDAP pilots
Pilots for the use of LDAP as a mechanism to query digital certificates will need to be identified and possibly developed. A call for participation can be made through the S&I Framework for possible pilot development.