FW: RE: certificate discovery

Sean Nolan
Jun 30, 2011, 4:51:00 PM
to hisp-rules-...@googlegroups.com, Arien Malec

My response --- presumably not a surprise to anybody.

---S

From: Sean Nolan
Sent: Thursday, June 30, 2011 1:49 PM
To: 'erp...@deloitte.com'; 'jass...@deloitte.com'
Subject: RE: certificate discovery

Folks ---

I would be very interested in providing input on the certificate discovery discussion.

PD overall is a great topic --- but given the reduction in scope to certificate discovery only, it is a colossal distraction for the group to do anything at all. You should allow the existing pilots and production use to move forward for a period of time before evaluating success.

Reasons are:

· *all* current pilots and production use are deployed using the DNS discovery model and it is working fine.

· DNS has been threat-modeled successfully as part of the original Direct work.

· DNS is baked into both reference implementations.

· Most importantly --- the only impact of suggesting multiple or alternate approaches at this time would be to slow down existing progress that needs to move forward to prove out more relevant issues such as certificate issuance and identity proofing requirements.

It has been valuable for this group to pursue the larger topic of provider directories --- and in a future state where we have such a universal provider directory, leveraging that for certificate discovery as well might make sense. But without that additional scope NOW --- we should close this issue and move on.

Please share these comments with the group. I would be happy to discuss this further live, either with specific members of the group or the full group assuming timing works out, or in email in response to specific questions or concerns about DNS. Just let me know how you’d like to do that.

Thanks …

---S

Gary Christensen
Jun 30, 2011, 5:03:46 PM
to hisp-rules-...@googlegroups.com, Arien Malec

I’ve been saying the same thing in a lot of venues. Still, folks are fixated on Provider Directories, with “Direct routing” as a main driver.

Sean said it better than me.

Gary

McCallie, David
Jun 30, 2011, 5:41:07 PM
to hisp-rules-...@googlegroups.com, Arien Malec
There are at least two aspects to "provider directories" and they sometimes get mixed up.

The first aspect is "find the address of the entity (or person) you want to connect to"
The second aspect is "find the X509 credential necessary to facilitate the conversation"

The HITSC workgroup tasked with PD recommendations initially suggested satisfying both of these needs with the IHE HPD profile (LDAP), but this suggestion was (wisely) rejected as being overly complicated for the current marketplace.

In place of the HPD profile, the HIT SC then suggested to S&I that they consider a simple combination of existing services to meet these needs. The services would include:

1. Use ordinary (or EV-signed) web pages to advertise (expose) all public addresses. Then a simple search with your favorite search tool would be all that is necessary to find the entity or person. Each Entity would ensure that their public endpoint addresses (the names, not the IP or certificates) were exposed. No need for a complex new LDAP infrastructure. At least not to get started.
2. Use DNS to fetch the certificates that correspond to the names that were found on the Entity's web pages (and DNS to find the MX record, etc.).
3. Optionally, use Schema ( http://schema.org/ ) to encode the addresses on the web page in order to facilitate smarter searching, and to enable automated update of local directories based on extracting encoded data from those web pages.

The S&I team appears to be evaluating the above strategy. I think adopting the above would have essentially no impact on Direct, since it would preserve our existing reference implementation that uses DNS to fetch the certs. It could benefit those who need to find someone else's address if the usual "business card" model doesn't get what you need.

---d

David McCallie Jr, MD | VP Medical Informatics | Cerner Corporation | 816.201.2022 | dmcc...@cerner.com<mailto:dmcc...@cerner.com> | www.cerner.com<http://www.cerner.com/>

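Sean's point that every current pilot runs on the DNS discovery model, and step 2 of David's list (use DNS to fetch the certificate for a name found on the entity's web page), both rest on DNS CERT records (RFC 4398). The following is an added example for this thread; it is not code from the Direct reference implementations or from anyone posting here. It derives the address-bound and domain-bound owner names for a Direct address, parses CERT records in both RFC 4398 wire format and zone-file presentation form, and resolves against a constructed in-memory zone that stands in for a live resolver. The zone contents, the placeholder certificate bytes and all function names are assumptions made for the example.

```python
"""Direct Project certificate discovery via DNS CERT records (RFC 4398).

Added example; not code from the Direct reference implementations or any HISP.
It assumes no live DNS: the zone below is constructed inline, and certificate
payloads are opaque placeholder bytes standing in for DER-encoded X.509.
"""
import base64
import struct

# Certificate type codes from RFC 4398 section 2.1 (subset). Direct publishes PKIX (1).
CERT_TYPES = {1: "PKIX", 2: "SPKI", 3: "PGP", 4: "IPKIX", 5: "ISPKI",
              6: "IPGP", 7: "ACPKIX", 8: "IACPKIX", 253: "URI", 254: "OID"}
TYPE_BY_NAME = {name: code for code, name in CERT_TYPES.items()}
PKIX = 1


def lookup_names(direct_address):
    """Owner names to query for a Direct address, in lookup order:
    address-bound (local-part.domain, i.e. '@' replaced by '.') first,
    then domain-bound (the domain alone)."""
    local, at, domain = direct_address.rpartition("@")
    if not at or not local or not domain:
        raise ValueError("not a Direct address: %r" % (direct_address,))
    domain = domain.rstrip(".")
    return [local + "." + domain, domain]


def build_cert_rdata(cert_type, key_tag, algorithm, certificate):
    """Encode CERT RDATA: type(16 bits) | key tag(16) | algorithm(8) | certificate."""
    return struct.pack("!HHB", cert_type, key_tag, algorithm) + certificate


def parse_cert_rdata(rdata):
    """Decode CERT RDATA wire format; the fixed header is 5 octets."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA shorter than its 5-octet header")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return {"type": cert_type, "key_tag": key_tag,
            "algorithm": algorithm, "certificate": rdata[5:]}


def parse_cert_presentation(text):
    """Parse the zone-file form 'type key-tag algorithm base64...'.
    The type may be numeric or a mnemonic such as PKIX; the base64 may be
    split across several whitespace-separated chunks."""
    fields = text.split()
    if len(fields) < 4:
        raise ValueError("CERT presentation needs 4 fields: %r" % (text,))
    type_field = fields[0]
    if type_field.isdigit():
        cert_type = int(type_field)
    elif type_field.upper() in TYPE_BY_NAME:
        cert_type = TYPE_BY_NAME[type_field.upper()]
    else:
        raise ValueError("unknown CERT type %r" % (type_field,))
    certificate = base64.b64decode("".join(fields[3:]), validate=True)
    # Round-trip through the wire encoding so both codecs are exercised.
    return parse_cert_rdata(
        build_cert_rdata(cert_type, int(fields[1]), int(fields[2]), certificate))


def discover(direct_address, zone):
    """Resolve the X.509 (PKIX) certificates for a Direct address.

    `zone` maps owner name -> list of CERT records in presentation form and
    stands in for the resolver. Returns (owner_name, [der_bytes, ...]) for the
    first name in lookup order with at least one usable PKIX record, or None
    when neither the address-bound nor the domain-bound name has one.
    Non-PKIX records (e.g. PGP) and empty payloads are ignored.
    """
    for name in lookup_names(direct_address):
        certs = [r["certificate"] for r in map(parse_cert_presentation, zone.get(name, []))
                 if r["type"] == PKIX and r["certificate"]]
        if certs:
            return name, certs
    return None


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


# Constructed zone data for the example. Payloads are placeholders, not real certificates.
ZONE = {
    # Address-bound record for dr.jones@direct.example.org
    "dr.jones.direct.example.org": ["PKIX 0 0 " + _b64(b"constructed-DER-address-bound")],
    # Domain-bound records for direct.example.org: one X.509, one PGP (ignored)
    "direct.example.org": ["1 0 0 " + _b64(b"constructed-DER-domain-bound"),
                           "PGP 0 0 " + _b64(b"constructed-openpgp-key")],
}

if __name__ == "__main__":
    for addr in ("dr.jones@direct.example.org", "nurse@direct.example.org",
                 "someone@other.example"):
        print(addr, "->", discover(addr, ZONE))
```

The lookup order matters: a per-address record must win over the organization's domain-bound record, and a domain with no PKIX record at either name is a discovery failure, not a reason to fall through to some other type. Nothing here validates what comes back; the DER bytes are untrusted input until they chain to a configured trust anchor and the subject or subjectAltName is checked against the Direct address, which is a separate step from discovery.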

David Kibbe
Jul 1, 2011, 7:44:54 AM
to hisp-rules-...@googlegroups.com, Arien Malec
I provided Jas with feedback that summarized comments from several workgroup members.  DCK


David C. Kibbe, MD MBA
Senior Advisor, American Academy of Family Physicians
Chair, ASTM International E31 Technical Committee on Healthcare Informatics
Principal, The Kibbe Group LLC 
___________
913-205-7968 cell
http://www.astm.org/COMMIT/COMMITTEE/E31.htm
__________
dki...@aafp.org
kibbe...@mac.com
