Issue 49 in direct-certificate-discovery-tool: Documentation Concerns


direct-certifica...@googlecode.com

Dec 13, 2012, 5:24:10 PM12/13/12
to modular-sp...@googlegroups.com
Status: New
Owner: ----
Labels: Type-Defect Priority-Medium

New issue 49 by gan...@glenwoodsystems.com: Documentation Concerns
http://code.google.com/p/direct-certificate-discovery-tool/issues/detail?id=49

1. In your documentation, creating certificates is done using a Java GUI
program. For OVA deployment we are unable to follow the guide using the
command line only.
2. It explains LDAP deployment but not DNS-based deployment.
3. Many DNS servers, including Microsoft DNS Server and GoDaddy Premium DNS,
don't support the CERT record as-is, but they do support TXT records. We do
not have documentation, since it says this is out of scope.
4. Forcing Windows-based shops to use Linux applications, yet with no
documentation.
5. Still, the concept is not clearly defined; it is very vague. We need a
clear technical implementation illustration of how one EMR sends a message
to another EMR, who the intermediaries are, what the roles and
responsibilities of each party/module/application are, and what information
has to be exchanged ahead of time to make a person or application a
recipient.

Footnote:
In addition, for the sake of certification, what are the real-time benefits
and complications for an EMR vendor using this protocol, since HIEs are
being promoted big time by all players?


direct-certifica...@googlecode.com

Dec 14, 2012, 2:30:58 PM12/14/12
to modular-sp...@googlegroups.com

Comment #1 on issue 49 by edward.o...@nitorgroup.com: Documentation Concerns
http://code.google.com/p/direct-certificate-discovery-tool/issues/detail?id=49

(Many of these are big-picture questions/discussions as opposed to discrete
issues/bugs in the tool. I'm going to give my 2-cents as a Direct community
participant and one of the current contributors to this tool - but I think
we're going to pass you to a bigger-picture group.)

Will try to answer each of these in order - but we will probably want to
separate them out into individual issues if/as each one has its own
conversation:

1) That's correct. To create certificates we utilize the Direct Project's
Java RI certificate creation program (there is also a GUI to the LDAP
package we used). We packaged the VM headless, but then directed installers
to use x11 forwarding via section 2.8 of the install documentation:
http://code.google.com/p/direct-certificate-discovery-tool/wiki/VMInstall.
This was by design (since the configuration is front-loaded, we felt that
keeping the VM small (pro) outweighed the con of having installers do x11
forwarding to hit the GUI aspects).

2) I believe we drilled into LDAP deployment because the LDAP server is not
packaged with the Direct Project's RI (like DNS is). We deliberately tried
not to duplicate the Direct Project's Java RI's documentation - but be
aware: if you are hitting the Java RI via our tool for the first time --
there is an extra learning curve for you (we have links to the Direct
Project wiki - and can point you more specifically to their Java RI content
and working group if needed).

3) There is other documentation floating around on how to use other DNS
methods with the Java RI, which other folks participating in this project
might help you with (Michal?) - but our tool assumes (and recommends) you
deploy the RI with the packaged DNS service as-is. Again, if this is your
first exposure to the Java RI -- you've got a lift to do in order to setup
the foundation for the tool.

4) The tool is Linux-based for sure. If you have issues with the Linux
documentation, please let us know -- but our documentation assumes basic
Linux sys-admin skills (whether from within a shop that is primarily
windows based -- such as using something like putty to x11 to a linux vm --
or command-line control of the linux vm). I will escalate the concern with
Windows compatibility to ONC/NIST -- but as I understand, most/many of the
tools involved in MU2 including the big ones like the Transport Test Tool
(based on the XDS Toolkit) will put you in a similar boat.

5) Our test tool deliberately has no concept of how you've implemented
Direct. We don't care (and aren't allowed to care). We specifically are
verifying that your System Under Test (SUT) is both hosting and can
discover certificates in a conformant way to the specification. Your
question seems to be looking for additional information on how Direct works
in general - I would suggest you head to the Direct Project wiki or web
page: http://wiki.directproject.org/, http://directproject.org/. Our test
tool is a relatively small area of the overall Direct universe that we're
testing explicitly -- your question is really asking about the big picture.

Footnote: This is another big-picture question. You're asking why an
EMR/EHR vendor would bother with Direct vs. HIEs (though note that assuming
HIEs are not going to be using Direct is a fallacy). I can't speak to that.
The job of this tool is to verify conformance of SUTs for Direct
certificate discovery/hosting - the question of whether/why you should be
using Direct (or even the cert discovery portion in particular) is not on
our plate.

Sorry to push back on almost all your issues - I hate it when that happens
to me. In summary, what I'm hearing is:

- What the heck? What's all this linux stuff, what about the ton of people
that use Windows?

- Why do we have to use Direct in the first place, and how exactly does it
work?

These are good questions, and I've escalated both to ONC/NIST as
higher-level concerns. I think we could help you by creating a windows
version of the tool and by adding additional educational material on Direct
-- but the former is not funded and the latter belongs somewhere else.

direct-certifica...@googlecode.com

Dec 23, 2012, 4:39:47 PM12/23/12
to modular-sp...@googlegroups.com
Updates:
Labels: Component-Docs

Comment #3 on issue 49 by michal.k...@esacinc.com: Documentation Concerns
http://code.google.com/p/direct-certificate-discovery-tool/issues/detail?id=49

(No comment was entered for this change.)

direct-certifica...@googlecode.com

Dec 28, 2012, 4:16:43 PM12/28/12
to modular-sp...@googlegroups.com
Updates:
Status: Started
Labels: -Priority-Medium Priority-Low

Comment #4 on issue 49 by michal.k...@esacinc.com: Documentation Concerns
http://code.google.com/p/direct-certificate-discovery-tool/issues/detail?id=49

Here are my responses:

1. I finished implementing a command line certificate/key/keystore
generator earlier this morning (only in the trunk for now, revision 446).

2. Agreed. The documentation needs a major overhaul.

3. You must use a DNS server with CERT record functionality (no way around
it). Aside from the Java-based DNS server that comes with the Direct Java
RI, I've only ever successfully used BIND9 (on Linux) with Direct.

4. Although neither DCDT, the Direct RI, Tomcat, nor ApacheDS is
platform-specific, in terms of ease of development, deployment, and
maintenance, Linux is considerably easier for all parties involved. I am
currently working on thoroughly revising and cleaning up the build
procedures and documentation. I am striving to reduce the process down to
copy-pasting a ~page length of commands into a terminal.

5. As Ed mentioned, there is considerable documentation available on the
Direct project's main site. For more technical information, I would suggest
looking through the generated API sites for the Direct Java RI
(http://api.nhindirect.org/java/site/ - pick the newest version of each
module).
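Point 3 of the comment above (DNS CERT records are required; TXT is not a substitute) is easier to reason about with the record format in hand. The following is an added example and is not code from DCDT or the Direct Java RI: it builds, encodes and parses RFC 4398 CERT records in both zone-file and wire form, derives the DNS owner names a Direct agent queries for an address (address-bound name first, then the domain-bound fallback, as I read the Direct applicability statement), and checks whether a single-answer response would exceed the 512-byte DNS/UDP limit, which is why a zone full of X.509 certificates needs a server that handles EDNS0 or TCP fallback. The owner names, TTL and `SAMPLE_DER` bytes are constructed; `SAMPLE_DER` is a stand-in byte string, not a real certificate. Records published with algorithm 0 carry key tag 0, per RFC 4398 section 2.1.

```python
"""DNS CERT records (RFC 4398) as used for Direct certificate discovery.

Added example, not code from DCDT or the Direct Java RI.  Owner names, TTL
and SAMPLE_DER are constructed for illustration.
"""
import base64
import struct

CERT_TYPE_PKIX = 1                      # RFC 4398 section 2.1: X.509 (PKIX)
CERT_TYPE_MNEMONICS = {"PKIX": CERT_TYPE_PKIX}
DNS_UDP_LIMIT = 512                     # DNS/UDP payload cap without EDNS0

# Constructed stand-in for a DER-encoded certificate: not real X.509, but
# 768 bytes long, which is typical enough to overflow a plain UDP answer.
SAMPLE_DER = bytes(range(256)) * 3


def direct_lookup_names(address):
    """Owner names a Direct agent queries for a recipient, in order:
    address-bound (local part becomes the leftmost label), then domain-bound.
    Assumption: this is my reading of the Direct applicability statement."""
    local, sep, domain = address.partition("@")
    if not sep or not local or not domain:
        raise ValueError("not a Direct address: %r" % address)
    return [f"{local}.{domain}", domain]


def rfc4034_key_tag(dnskey_rdata):
    """Key tag over DNSKEY RDATA, RFC 4034 Appendix B.  Only meaningful when
    the CERT algorithm field names a DNSSEC algorithm; with algorithm 0 the
    key tag must be 0 (RFC 4398 section 2.1)."""
    ac = 0
    for i, octet in enumerate(dnskey_rdata):
        ac += octet if i & 1 else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def cert_rdata_wire(cert_der, key_tag=0, algorithm=0, cert_type=CERT_TYPE_PKIX):
    """RDATA wire form: type (2 octets) | key tag (2) | algorithm (1) | cert."""
    if algorithm == 0 and key_tag != 0:
        raise ValueError("key tag must be 0 when algorithm is 0")
    return struct.pack("!HHB", cert_type, key_tag, algorithm) + bytes(cert_der)


def cert_rdata_parse(rdata):
    """Inverse of cert_rdata_wire; rejects truncated or inconsistent RDATA."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA shorter than its 5-octet fixed header")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    if algorithm == 0 and key_tag != 0:
        raise ValueError("algorithm 0 with non-zero key tag")
    return {"type": cert_type, "key_tag": key_tag,
            "algorithm": algorithm, "certificate": rdata[5:]}


def cert_rr_presentation(owner, cert_der, ttl=3600, key_tag=0, algorithm=0):
    """Zone-file line for a PKIX CERT RR, in BIND-style presentation format."""
    b64 = base64.b64encode(cert_der).decode("ascii")
    return f"{owner}. {ttl} IN CERT {CERT_TYPE_PKIX} {key_tag} {algorithm} {b64}"


def cert_rr_parse_presentation(line):
    """Parse a CERT zone line back to (owner, ttl, parsed rdata).  The base64
    may be split across several whitespace-separated tokens, as BIND prints
    it, and the type may be given as a mnemonic (PKIX) or a number."""
    fields = line.split()
    if len(fields) < 8 or fields[2:4] != ["IN", "CERT"]:
        raise ValueError("not a CERT RR line: %r" % line)
    owner, ttl = fields[0].rstrip("."), int(fields[1])
    cert_type = int(CERT_TYPE_MNEMONICS.get(fields[4].upper(), fields[4]))
    key_tag, algorithm = int(fields[5]), int(fields[6])
    cert_der = base64.b64decode("".join(fields[7:]), validate=True)
    return owner, ttl, cert_rdata_parse(
        cert_rdata_wire(cert_der, key_tag, algorithm, cert_type))


def exceeds_udp_limit(owner, cert_der):
    """Size of a one-answer response: header (12) + question (wire-form name
    + QTYPE/QCLASS) + answer (compression pointer, TYPE, CLASS, TTL, RDLENGTH,
    RDATA).  True means the authoritative server must speak EDNS0 or answer
    over TCP, or resolvers will only see a truncated (TC) reply."""
    wire_name = sum(len(label) + 1 for label in owner.split(".")) + 1
    question = wire_name + 4
    answer = 2 + 2 + 2 + 4 + 2 + len(cert_rdata_wire(cert_der))
    return 12 + question + answer > DNS_UDP_LIMIT


if __name__ == "__main__":
    names = direct_lookup_names("drjones@direct.example.com")
    line = cert_rr_presentation(names[0], SAMPLE_DER)
    print(line[:80] + "...")
    print("needs EDNS0/TCP:", exceeds_udp_limit(names[0], SAMPLE_DER))
```

The size check is the practical caveat behind "you must use a DNS server with CERT record functionality": even a server that accepts the type is only useful if it also serves the oversized answer, so test discovery with both UDP and TCP (for example `dig +tcp CERT drjones.direct.example.com` against the constructed name above) before declaring a deployment conformant.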
