AoR SWG 3 - Digital Signatures & Delegation of Rights

||~ Sub-Workgroup Links ||
||= **SWG 1: Digital Credentials** ||= **SWG 2: Identity Proofing** ||= **SWG 3: Digital Signatures & Delegation of Rights** ||

=Announcements=

**__Thank you for your participation!!__** As of January 9th, 2013, the esMD AoR Digital Signatures / Delegation of Rights White Paper has been finalized. The document below, as well as the text embedded within the Digital Signatures / Delegation of Rights White Paper Wiki, reflects updates that were proposed and agreed upon during the formal Consensus Process. Please contact the Workgroup Lead or Support Lead if you have any remaining questions or concerns.

=Works Approved Through Consensus=

|| **Date** || **Artifact Name** || **Artifact Links** ||
|| 1/9/2013 || esMD AoR L1 SWG Report - Digital Signatures and Delegation of Rights || Wiki link; Consensus Votes; S&I Framework Repository Link - White Paper ||

=Works in Progress=

Digital Signatures

|| **Artifact Name** || **Description/Purpose** || **Status** || **Current Status/Last Updated** || **Reviewers** || **Target Date for Completion** ||

Delegation of Rights

|| **Artifact Name** || **Description/Purpose** || **Status** || **Current Status/Last Updated** || **Reviewers** || **Target Date for Completion** ||

=Meeting Materials=

|| **Meeting Date** || **Meeting Materials** || **Presentation Materials** || **Minutes** || **View Meeting Recordings** ||
|| December 5, 2012 ||||||||= White Paper review postponed until Friday, 12/7/12, 2pm EST ||
|| November 28, 2012 ||||||||= White Paper review postponed ||
|| November 21, 2012 ||||||||= MEETING CANCELLED ||
|| November 14, 2012 ||||||||= MEETING CANCELLED ||
|| November 7, 2012 ||||||||= MEETING CANCELLED ||
|| October 31, 2012 || Meeting Materials || [[file:siframework/AoR SWG IP DS-SR 10-31-2012 V1.1.pptx|Meeting Presentation (.pptx)]] || [[file:siframework/esMD AoR L1 Digital Signatures & Delegation of Rights SWG A&D 2012-10-31.docx|Meeting Minutes (.docx)]] || View on Vimeo ||
|| October 24, 2012 || Meeting Materials || Presentation unavailable || [[file:esMD AoR L1 Digital Signatures & Delegation of Rights SWG A&D 2012-10-24.docx|Meeting Minutes (.docx)]] || View on Vimeo ||
|| October 17, 2012 || Meeting Materials || [[file:siframework/AoR SWG IP DS-SR 10-17-2012.pptx|Meeting Presentation (.pptx)]] || [[file:siframework/esMD AoR L1 Digital Signatures & Delegation of Rights SWG A&D 2012-10-17.docx|Meeting Minutes (.docx)]] || View on Vimeo ||
|| October 10, 2012 || Meeting Materials || [[file:AoR SWG Digital Identity 10-10-2012.pptx|Meeting Presentation (.pptx)]] || [[file:siframework/esMD AoR L1 Combined SWG A&D 2012-10-10.docx|Meeting Minutes (.docx)]] || View on Vimeo ||
|| October 3, 2012 || Meeting Materials || [[file:AoR SWG IP DS-SR 2012-10-03.pptx|Meeting Presentation (.pptx)]] || [[file:esMD AoR L1 Digital Signatures & Delegation of Rights SWG A&D 2012-10-03.docx|Meeting Minutes (.docx)]] || View on Vimeo ||
|| September 26, 2012 || Meeting Materials || [[file:AoR SWG IP DS-SR 9-26-2012.pptx|Meeting Presentation (.pptx)]] || [[file:esMD AoR L1 Digital Signatures & Delegation of Rights SWG A&D 2012-09-26.docx|Meeting Minutes (.docx)]] || View on Vimeo ||
|| September 19, 2012 || Meeting Materials || [[file:AoR Subworkgroup Kick-off Slides 9-19-2012 (1pm).pptx|Meeting Presentation (.pptx)]] || [[file:esMD AoR L1 Identity Proofing, Digital Signatures, Delegation of Rights SWG A&D 2012-09-19.docx|Meeting Minutes (.docx)]] || View on Vimeo ||

=Reference Documents=

Standards
|| **Document Link** || **Description** || **Version/Date** ||
|| NIST SP 800-63-1 (PDF) || NIST Electronic Authentication Guideline || Dec 2011 ||
|| ITI TF-1 (PDF) || IHE IT Infrastructure Technical Framework: Volume 1: Integration Profiles || Revision 9.0, Aug 31, 2012 ||
|| ITI TF-2a (PDF) || IHE IT Infrastructure Technical Framework: Volume 2a: Transactions Part A - Sections 3.1 - 3.28 || Revision 9.0, Aug 31, 2012 ||
|| ITI TF-2b (PDF) || IHE IT Infrastructure Technical Framework: Volume 2b: Transactions Part B - Sections 3.29 - 3.51 || Revision 9.0, Aug 31, 2012 ||
|| ITI TF-3 (PDF) || IHE IT Infrastructure Technical Framework: Volume 3: Cross-Transaction Specifications and Content Specifications || Revision 9.0, Aug 31, 2012 ||
|| OASIS DSS Core Spec (see also: All DSS Standards) || Digital Signature Service Core Protocols, Elements, and Bindings || Version 1.0, Apr 11, 2007 ||
|| XMLdigsig || XML Signature Syntax and Processing, W3C Recommendations || Second Edition, Jun 10, 2008 ||
|| FIPS PUB 186-3 (PDF) || Digital Signature Standard || Jun 2009 ||
|| IETF RFC 3820 || Internet X.509 PKI Certificate Profile || Jun 2004 ||
|| IETF RFC 3850 || Internet X.509 PKI Proxy Certificate Profile || Jul 2004 ||
|| IETF RFC 3851 || Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specifications || Jul 2004 ||
|| IETF RFC 4998 || Evidence Record Syntax || Aug 2007 ||
|| IETF RFC 5276 || Using the Server-Based Certificate Validation Protocol to Convey Long-Term Evidence Records || Aug 2008 ||
|| IETF RFC 5280 || Internet X.509 PKI Certificate and Certificate Revocation List Profile || May 2008 ||
|| IETF RFC 5698 || Data Structure for the Security Suitability of Cryptographic Algorithms || Nov 2009 ||
|| IETF RFC 6277 || Online Certificate Status Protocol Algorithm Agility || Jun 2011 ||
|| IETF RFC 6283 || XML Evidence Record Syntax || Jul 2011 ||
|| FBCA X.509 Certificate Policy (PDF) || X.509 Certificate Policy for the Federal Bridge Certification Authority || Version 2.25, Dec 9, 2011 ||

Industry Implementations
|| **Document Link** || **Description** || **Version/Date** ||
|| 21 CFR Part 1305 || Orders for Schedule I and II Controlled Substances (DEA) || Apr 1, 2012 ||
|| 21 CFR Part 1311 || Requirements for Electronic Orders and Prescriptions (DEA) || Apr 1, 2012 ||
|| DEA CSOS Certificate Policy (PDF) || DEA Controlled Substance Ordering System (CSOS) Certificate Policy || Version 4.0, Jan 6, 2010 ||
|| DEA CSOS PKI Certificate & CRL Profile (PDF) || DEA Diversion Control, Controlled Substance Ordering System (CSOS) PKI Certificate and Certificate Revocation List Profile || Version 2.2, Jan 26, 2009 ||
|| CertiPath X.509 Certificate Policy (PDF) || CertiPath X.509 Certificate Policy || Version 3.18, Apr 16, 2012 ||

White Papers/Industry Reports
|| **Document Link** || **Description** || **Version/Date** ||
|| OECD Digital Identity Management (PDF) || Digital Identity Management - Enabling Innovation and Trust in the Internet Economy. This paper is summarized here and includes the following reports: Guidance on Digital Identity Management for Enabling Innovation and Trust in the Internet Economy; National Strategies and Policies for Digital Identity Management in OECD Countries; Role of Digital Identity Management in the Internet Economy: A Primer for Policy Makers; OECD Workshop on Digital Identity Management || Winter 2011 ||
|| EU eSignatures Report || Report on the operation of Directive 1999/93/EC on a Community framework for electronic signatures || Mar 15, 2006 ||
|| EU eSignatures Action Plan || Action Plan on e-signatures and e-identification to facilitate the provision of cross-border public services in the Single Market || Nov 28, 2008 ||

Federal Requirements
|| **Document Link** || **Description** || **Version/Date** ||
|| RMH Vol. III Standard 3.1 Authentication || CMS Risk Management Handbook Volume III, Standard 3.1: CMS Authentication Standards || Version 1.2, Jul 31, 2012 ||

Standards
|| **Document Link** || **Description** || **Version/Date** ||
|| OASIS SAML Assertions (PDF) (see also: All SAML v2.0 files) || Assertions and Protocols for the OASIS Security Assertion Markup Language || Version 2.0, Mar 15, 2005 ||
|| FBCA X.509 Certificate Policy (PDF) || X.509 Certificate Policy for the Federal Bridge Certification Authority || Version 2.25, Dec 9, 2011 ||
|| IETF RFC 3850 || Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Certificate Handling || Jul 2004 ||
|| IETF RFC 3851 || Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specifications || Jul 2004 ||
|| IETF RFC 5280 || Internet X.509 PKI Certificate and Certificate Revocation List Profile || May 2008 ||
|| Federal Register, Vol. 76, No. 87; 42 CFR Part 482 and 485 (PDF) || Medicare and Medicaid Programs: Changes Affecting Hospital and Critical Access Hospital Conditions of Participation: Telemedicine Credentialing and Privileging ||  ||
|| The Joint Commission Hospital Record of Care || //TJC standards are proprietary.// || Jul 2009 ||
|| IGTF OID Proxy Delegation Tracing (PDF) || International Grid Trust Federation OID Proxy Delegation Tracing || Feb 28, 2008 ||

Industry Implementations
|| **Document Link** || **Description** || **Version/Date** ||
|| HHS - Sample Business Associate Contract Provisions || HIPAA Business Associate Agreement (BAA) example || Aug 14, 2002 ||
|| HHS - OCR HIPAA Privacy - Business Associates (PDF) || HIPAA Business Associate Agreement (BAA) brief || Apr 3, 2003 ||
|| NIST SP 500-290 (PDF) || NIST Data Format for the Interchange of Fingerprint, Facial & Other Biometric Information. Re: Automated Fingerprint Identification System (AFIS) || Nov 2011 ||
|| Best Practices for HISPs || The Direct Project - Best Practices for HISPs ||  ||
|| 42 CFR Part 493 (see also: Current CLIA Regulations) || Laboratory Requirements || Jan 24, 2004 ||

White Papers/Industry Reports

|| **Document Link** || **Description** || **Version/Date** ||

Federal Requirements
|| **Document Link** || **Description** || **Version/Date** ||
|| RMH Vol. III Standard 3.1 Authentication || CMS Risk Management Handbook Volume III, Standard 3.1: CMS Authentication Standards || Version 1.2, Jul 31, 2012 ||

=Workgroup Details=
**See all Author of Record SWG reference materials on the esMD Reference Materials page.**

Objective:
Define process, artifacts and standards for transaction and document bundle digital signatures for esMD. Define credentials, artifacts and process for Delegation of Rights for esMD.

Requirements:

**Digital Signatures:**
 * Must provide for non-repudiation as part of the credentials and artifacts
 * Must ensure data integrity


**Delegation of Rights:**
 * Must provide for non-repudiation (NIST definition) as part of the credentials and artifacts
 * Revocable

In Scope:

**Digital Signatures:**
 * Use Case 1 and 2 transactions
 * AoR L1 (Signature binding to aggregated document bundle)
 * Signature workflow
 * Signature artifacts
 * Identification of relevant standards


**Delegation of Rights:**
 * Use Case 1 and AoR L1 Delegation of Rights requirements
 * Delegation/Proxy workflow
 * Delegation/Proxy artifacts
 * Identification of relevant standards

Out of Scope:

**Digital Signatures & Delegation of Rights:**
 * AoR L2
 * AoR L3

Deliverable: Summary White Paper

**Digital Signatures:**
 * Assumptions
 * Statement of Problem
 * Recommended Solution(s)
 * Review of Standards (e.g., OASIS, IHE, HL7, ...)
 * Transaction signature process
 * Transaction artifacts to meet Use Case 1 and 2 requirements
 * Document Bundle signature process
 * Artifacts to meet AoR L1 requirements
 * Data Integrity requirements
 * Non-repudiation assurance
 * Identify gaps in current policy impacting Digital Signatures
 * References


**Delegation of Rights:**
 * Assumptions
 * Statement of Problem
 * Recommended Solution(s)
 * Review of Standards (e.g., OASIS, IHE, HL7, ...)
 * Proxy/Delegation Credential/Artifact(s)
 * Operational consideration for Proxy/Delegation Creation
 * Scope/Content of Proxy/Delegation
 * Revocation of Proxy
 * Credential Transaction proxy requirements
 * Transaction artifacts to meet Use Case 1 requirements
 * Document Bundle proxy signature process
 * Artifacts to meet AoR L1 signature proxy requirements
 * Non-repudiation assurance
 * Identify gaps in current policy impacting Delegation and Proxy
 * References
