Certificate Discovery For Direct Project SWG Meeting Minutes 2011-07-18


**Meeting Date**: 07/18/2011
**Meeting Title:** PD Certificate Discovery for Direct Project SWG Meeting Session 6

Agenda/Objectives:

|| **Topic** || **Time Allotted** ||
|| Consensus update on Use Case || 15min ||
|| Introduction to Harmonization Approach || 15min ||
|| Discuss Consensus Strategy Options || 20min ||
|| Review Environmental Scan Approach || 15min ||
|| Review DNS and LDAP Analysis page || 15min ||
|| Post-Meeting Reviews || 10min ||

Attendees:
__Workgroup Attendees:__ Emily Mitchell, Ananya Gupta, Robert Dieterle, Kelly Conlin, Virginia Riehl, Jonathan Tadese, Ken Pool, John Moehrke, Saswata Ghose, Karen Witting, Peter Bachman, Terri Skalabrin, Aleena Dhar, John Williams, Andriy Selivonenko, Chris Andreou, Lin Wan, Rao Parvatam, Mary-Sara Jones, Erik Pupo, Sri Koka

__Panelist Attendees:__ Virginia Riehl, Victoria Njoku, Erik Pupo, Jonathan Tadese, Kelly Conlin

**Action Items:**
|| **Date** || **Description** || **Owner** || **Status** || **Notes** ||
|| 7/18/11 || Gain clarity from ONC regarding universal certificate discoverability || Harmonization Support Team || OPEN || Refer to meeting minutes below ||
|| 7/18/11 || Conduct preliminary environmental scans || All SWG Members || OPEN || Refer to Query for Digital Certificate for Direct Project - Ecosystem Consensus Wiki Page ||
|| 7/18/11 || Gain clarity regarding when Direct Rules of the Road will be finalized || Harmonization Support Team || OPEN || Refer to Direct Project Recommendation Review ||
|| 7/18/11 || Present revisions made to the Use Case to address “No” and “Yes with comments” votes from Committed Members || Use Case Support Leads || CLOSED || “No” votes were provided by Les Keepper and Ernest Grove. “Yes with comments” were provided by Brett Peterson and McLain Causey ||
|| 7/18/11 || Review SWG Meeting Minutes and provide any corrections || All SWG Members || OPEN || Refer to meeting agenda and minutes section of SWG page ||

**Meeting Notes:**

__Key Discussion Points:__
**Consensus Update on the Use Case**
 * Up to the end of the voting period, 25 total votes were provided at the individual Committed Member level (20 “Yes”, 3 “Yes with comments”, and 2 “No” votes).
 * At the organizational level, the voting outcome reflects 22 unique votes
 * The “No” votes from Les Keepper and Ernest Grove relate to the issue around the need for data access controls and audit trails to prevent fraudulent access to digital certificates. One assumption in the Use Case appears to address the concern and the sub-workgroup decided to make revisions to mention audit trails and provide additional clarity
 * Another comment to address was in regards to a statement under the Issues, Obstacles, and Potential Risks section about the use of certificates that are not cross-certified with the Federal Bridge CA and a potential risk that those certificates may not be interoperable with the Federal Bridge
 * In an offline call with the Use Case Support Leads, Brett Peterson and McLain Causey indicated that the use of certificates issued by CAs being cross-certified with the Federal Bridge is related to usage of the certificate and not to its lookup and that keeping the statement in this Use Case mixes unrelated policy issues into a simple certificate discovery Use Case
 * The sub-workgroup deliberated further, agreed that the issue is an important one to highlight, but also clarified that the intent is not to put any requirement around the use of certificates in regards to cross-certification. A proposal was made to revise the statement to exclude mention of the use of certificates and to make it clear that there is a potential risk about federal entities accepting certificates that are issued by Certificate Authorities that are not cross-certified with the Federal Bridge

__Resolution(s):__
 * In order to clarify the concern around need for audit trails, the sub-workgroup modified an assumption to read “A relying party agreement specifying legal and governance policies, data access authorizations and audit trails, data ownership, and the data and certificate use is in effect”
 * The statement about cross-certification was modified to state “Certificates issued by Certificate Authorities that are not cross-certified with the Federal Bridge creates a risk in that they are not accepted by federal entities using the Direct Project. (The S&I Framework PD Sprint team believes that issuing some guidance on the requirement to use a Federal Bridge cross-certified Certification Authority will help mitigate this risk)”
 * The Use Case Support Leads will communicate these updates to the Committed Members whose comments were addressed and share any updates to their votes with the larger group via email and Wiki.


**Introduction to Harmonization Approach:**
 * The changes to the Harmonization process are reflective of changes to the use case.
 * Consensus in the harmonization phase should be reached by 7/31
 * To keep the scope somewhat limited within the next 2 weeks, the harmonization team will focus on looking at DNS (already recommended by the Direct Project) and LDAP. From there, DNS and LDAP implementation guidance will be provided to establish what type of value-add exists with DNS and LDAP.

**Discuss Consensus Strategy Options**:
 * Harmonization’s primary focus will be on DNS because there is an existing recommendation and the secondary focus will be on LDAP.
 * The only changes to the DNS recommendation will be to amend it based on our use case.
 * Comment from Peter: It is a broad assumption to say that DNS is being used to discover certificates everywhere like it is within the context of the Direct Project.
 * Answer from Erik: These recommendations are only applicable to the Direct Project via what is stated in the use case. Our support team can add language to the harmonization guidance to reflect this.
 * Volunteer commentary regarding considering DNS and LDAP versus only considering DNS:
 * Discussion regarding whether or not we can just as easily eliminate DNS from our list of standards to consider as we can eliminate LDAP. In reality, these standards should hold equal weight in terms of prioritizing their applicability to our use case, even if the political reality of the situation needs to be explained or footnoted.
 * The guidance that has been passed down from ONC is that DNS has been formally suggested in the Direct Rules of the Road Statement.
 * There is an issue regarding whether or not the harmonization team is deferring a decision regarding DNS’s capability to perform as a standard for the Provider Directory initiative that the Direct Project may have never addressed.
 * Discussion regarding whether or not certificates should be discoverable universally:
 * Technically, either DNS or LDAP should solve the problem. If DNS is used, those certificates will be available to anyone at any time; if LDAP is used, they will only be available to LDAP directories. Without clarity on the topic of which certificates should be accessible by whom, either standard is an equally good option. If the goal is universal availability, then DNS is the solution.
 * Could the reverse be true as well in terms of wanting to have a constrained environment? If we say that it has to be constrained for an audience, then our option can only be LDAP.
 * Core of the conversation is around this one set of assumptions.
 * Erik will push to ONC to achieve final clarity as quickly as possible; however, it may be up to the harmonization team to make that assumption.
 * The Direct Project involves some assumptions surrounding universal discoverability that the harmonization team must take into account (though it should not be assumed positively or negatively that the universal discoverability of the Direct Project is within the context of a Provider Directory).
 * Considering our timeframe, we will be doing outreach to Direct Project participants to leverage their knowledge

**Review Environmental Scan Approach**:
 * The harmonization team will be conducting word-of-mouth environmental scans to understand more about DNS and LDAP.
 * We do not currently have a way to extrapolate what a large scale implementation of DNS could look like in terms of transaction volumes; however, we can look to other industries (telecom, finance, etc.) in our environmental scans to study possible volume implications.

**Review DNS and LDAP Analysis Page**:
 * Commentary regarding scalability concerns: Direct software RI has been designed for LDAP and DNS (both are supported); bearing in mind that Direct RI can support either LDAP or DNS, is there a true conflict for harmonization to solve? If we’ve gotten this far with narrowing down our options to two standards supported by Direct, how can we add more value?
 * Harmonization will add value by providing some sort of implementation guidance for using DNS and LDAP within the scope of the PD use cases.
 * In regards to DNS, David Tao spoke with the country’s largest DNS provider to inquire about their support of certificate records. This company claims that this capability is planned to be introduced next year. In terms of an environmental scan, the fact that certificate records are not supported by the largest provider is a concern/risk.


**Certificate Discovery for Direct Project Logistics and Next Steps**
 * Recurring SWG Meetings occur every Monday 2:30-4:00PM ET
 * Next Certificate Discovery for Direct Project SWG Meeting rescheduled for **Monday** **July 25, 2:30-4:00PM ET**
 * Next Sprint Team Meeting scheduled for Friday July 22, 2011 3:00-5:00PM ET
 * Review SWG Meeting Minutes and provide any corrections