Dear Colleagues: In this post I would like to give you an update on
the status of the establishment of DirectTRUST.org as an advocacy and
governance entity whose chief aim is to assure the stability and
interoperability of Direct exchange implementations in the US. I have
spoken to many of you about taking this step, and have heard only
enthusiastic, even urgent, encouragement to "get this going."
First, let me try to summarize the rationale for a new non-profit
public benefit organization. Why DirectTRUST.org and why now? The
primary reason came from the realization that the work of the Direct
Project is unfinished, that there remains work to be done within the
community of interest around Direct implementations, particularly with
respect to building a solid ground for the Trust Community, its
policies, and best practices -- writing the "rules of the road" so to
speak. In recognition of this unfinished work, most of you
participated in the successful development of a new X.509 Digital
Certificate Policy meant to guide the community of Direct suppliers
(HISPs, CAs) and their clients who are covered entities, their BAs,
and others willing to abide by HIPAA rules and regulations, and in a
direction that is convergent with the FBCA. This was strong work, but
not an end point. More of a starting point. Other areas of
optionality and ambiguity remain to be resolved if Direct exchange
implementations are to be successful at scale. Moving our efforts
from the Direct RotR workgroup to DirectTRUST.org makes a lot of
sense. It will create the appropriate degree of separation from ONC
warranted at this stage by uptake of Direct by industry and other
interested parties who have to bear the ultimate responsibility to
commercialize and expand Direct usage.
A secondary rationale for DirectTRUST.org to exist is the difference
between coordination, governance, and regulation as these apply to
Direct as part of NwHIN. Coordination conveys the notion that various
parties are working out harmonious arrangements on their collective
behalf according to shared principles, whereas regulation implies that
one superior party will be able to impose an arrangement on the others
in accord with some law or authority. These are separate functions,
reflecting two very different classes of power: normative influence
and official right. Those of us in the RotR workgroup have continued
the coordinative "do-ocracy" which has been such a constructive
characteristic of the Direct Project from its inception, while also
recognizing that the federal government will be making regulations
that we must, ultimately, abide and likely will support. However, we
have also come to realize that regulatory action by itself is
insufficient to develop and maintain trust among potential competitors
from a diverse set of backgrounds in this new domain of Direct
exchange. Nor, in our opinion, will regulatory oversight be the
equivalent of governance, and governance is needed to enforce good
behaviors and discourage bad ones that might dis-establish and erode
the fabric of trust required for our work to be successful.
Therefore, ultimately, DirectTRUST.org or an entity like it is called
for -- not to make regulations -- but to coordinate and govern. (It
goes without saying that we think it would be a disastrous mistake for
the government to appoint through contract or otherwise a partisan,
self-interested entity to both govern and coordinate Direct.)
Third, we are already seeing signs of instability and variation in the
implementation of Direct exchange that threatens the promise of
interoperability among suppliers of Direct exchange services and their
subscriber/clients. That promise is important, because without
confidence that one Direct addressee can send messages securely and
reliably to another Direct addressee -- regardless of intermediary
HISP(s) -- the whole purpose of Direct exchange as a national, open,
secure, point-to-point messaging platform is undermined. Some vendors
who supply or wish to service Direct exchange communities/customers
are making claims with respect to their ability to meet protocols and
specifications, including those associated with certificate issuance
and management, that we know to be untrue and false. We believe
this is mostly being done as a result of the lack of guidance and is
not malicious behavior. However, it is misleading behavior, and it is
likely to increase as the demand for Direct exchange grows over the
next 2-5 years unless action is taken. We see the establishment of
DirectTRUST.org as one means of reaching consensus on technical,
administrative, and trust aspects of Direct exchange that will act to
assure both stability and interoperability of several different types
of Direct exchange implementations going forward.
You may be able to think of additional reasons for the establishment
of DirectTRUST.org, and if so, please comment on this post and freely
discuss.
So, where are we? Work is progressing steadily on a daily basis. I
have filled in some text on the "under construction" web site
www.DirectTRUST.org and am looking for guidance on how best to set up
an actual web site. The large and very reputable law firm of Kutak
Rock LLP has agreed to take on DirectTRUST.org as a client, and one of
their most able lawyers, Elise Dieterich, is working with me on plans
for the most appropriate form of incorporation, likely a non-profit,
pro-competition industry alliance. We are working on a reliable and
appropriate source of funding. I have started to write a Mission
Statement and Statement of Principles, a draft of which you may see
here
https://docs.google.com/document/d/1lhxZNkLl8TPL-B7y4z4z9eRw8vWeQgy92vPZRvEW5vA/edit
The intention is to model much of the bylaws and principles on ICANN.
Finally, let me comment on what is happening at the federal level with
respect to overall governance of NwHIN, a development that will
necessarily impact our own work. My understanding is that ONC has
begun the process of rule making for governance of the NwHIN. Once
rule making starts within the federal government there is generally
very little comment made by government personnel and it is incumbent
upon us to be sensitive to this reality. I am of the belief that
once this rule making process is completed, the environment may well
be very conducive to the kind of constructive public-private
initiative that we are taking in the formation of DirectTRUST.org.
However, we will have to wait and see.
Please do comment on anything that I've mentioned here, and provide
your ideas and criticisms. I am putting in the time on this in part
because I feel an obligation to you and your companies for your
participation in RotR, and to the broader community of the Direct
Project. If you feel supportive of this effort, I need to know, and,
I also need to know of any objections or refinements you believe ought
to be made.
With kind regards, DCK