Concrete Implementation Agenda 2010-05-03

From Direct Project
Note this is a PROPOSED agenda --- have not reviewed with Brian! So we may adjust in "real time" ....

  • (Brian) Review discussion of and any updates to "Minimum Threshold"
  • (Team reps for SMTP/REST/IHE) Quick updates, where do you expect to be on Thursday
  • (Sean) Introduce proposal for new NHIN-D Security & Trust Agent project ([1]) ... Discuss
  • (Sean + Roundtable) How do we want to use our 45 minutes live on Thursday?


Expected Outcomes:

  • Close on Minimum Threshold to present on Thursday
  • General idea of presentation
  • Assignments for specific presentation pieces


Notes from the Concrete Implementation Workgroup

Status of Notes: DRAFT
Date: May 4, 2010
Time: 12pm-1pm
Attendees: Arien Malec, Honora Burnett, Sean Nolan, Rob Wilmot & David McCallie, Karen Witting, Mark Stine, Umesh Madan, Brett Peterson, Ravi Madduri, Vassil Peytchev, Lin Wan, Matt Potter & Nageshwara Bashyam

Actions for this Week:

| #  | Date   | Action | Status | Owner | Due Date |
|----|--------|--------|--------|-------|----------|
| 8  | 5/4/10 | Sean will post a skeleton outline on the Wiki for the NHIN Direct Slides and ask people to contribute | Open | Sean | 5/12/10 |
| 9  | 5/4/10 | Group will track the notion of multiple addresses – take this to the User Story | Open | Group | 5/12/10 |
| 10 | 5/4/10 | Vassil will put some feedback on the challenges of SMIME on the Wiki | Open | Vassil | 5/12/10 |
| 11 | 5/4/10 | Brief the S&T WG on security and trust issues related to concrete implementation | Open | Arien | 5/12/10 |
| 12 | 5/4/10 | Dragon will get XMPP code into source code | Open | Dragon | 5/12/10 |



Actions from Last Week:

| # | Date    | Action | Status | Owner | Due Date |
|---|---------|--------|--------|-------|----------|
| 5 | 4/27/10 | Brian and Sean will report to implementation group later in day to call for champions and call for broader participation | Closed | Brian and Sean | 5/4/10 |
| 6 | 4/27/10 | Brian and Sean will publish timeline to wiki | Closed | Brian and Sean | 5/4/10 |
| 7 | 4/27/10 | Brian will start a thread to continue conversation about “minimum threshold” criteria on Wiki, all WG members are expected to continue | Closed | Brian & WG | 5/4/10 |


Decisions from Last Week:

| # | Date    | Decision |
|---|---------|----------|
| 2 | 4/27/10 | Will use working code and concrete pieces |
| 3 | 4/27/10 | Will have a single concrete implementation for the pilot (SMTP or another) |
| 4 | 4/27/10 | We will create three concrete implementation pages and do calls for sign-up and participation for each. |


Agenda

  • (Brian) Review discussion of and any updates to "Minimum Threshold"
  • (Team reps for SMTP/REST/IHE) Quick updates, where do you expect to be on Thursday
  • (Sean) Introduce proposal for new NHIN-D Security & Trust Agent project ([2]) ... Discuss
  • (Sean + Roundtable) How do we want to use our 45 minutes live on Thursday?


  • Expected Outcomes:
    • Close on Minimum Threshold to present on Thursday
    • General idea of presentation
    • Assignments for specific presentation pieces
    • Action for face to face

Notes

  • Update from the three teams – Progress? On the right tack?
    • SMTP
      • TLS-based instance on Amazon EC2 running Postfix
      • Fingerprints, to create a whitelist
    • REST
      • Chris is the first person to contribute real working code
      • Java standpoint – simple
      • 150 lines of code
      • Learned that the REST spec itself needs some work
      • Implemented the GET
    • SOAP/IHE
      • Demo
      • Dragon gave update
      • Dragon will get XMPP code into source code
  • How do you ensure that two people are in the trust network?
    • Exchange agents
    • Doesn’t seem right that we are having this conversation about transport
    • How can we manage signatures/descriptions
    • Assumption: consensus around payload being a MIME based payload
    • SMIME sits on top of this, and manages trust, signatures and encryption
    • Build something between these
      • Do some interesting decoupling
      • Built out pseudo code – new project NHIN agent
      • Link: [3]
      • By end of week we can have a working model
    • Context from Brett Peterson
      • As we start managing health domain names
      • SNI
      • If we could get to TLS with Mutual Authorization, then we have a mutual model for trust assurance
      • HTTP – Arien has another proposal for a REST spec, but not a SOAP spec
      • Receiver and sender have mutual assurance
        • Concerns with SMIME – how does it get mutual trust
        • There is a mutual assurance in the code

Comment from David McCallie

  • Appreciates the orthogonal layer
  • Keep beating drum of simplicity – false assumption is simplest assumption
  • SMTP-SMTP – mutual trust
  • Certs issued by designated group of agencies
  • Null hypothesis: mutual TLS expressing trust assertions at the HISP level


Comment from Brett Peterson

  • How do we route from addresses that won’t be HISPs but will be individual oriented
  • Is a HISP a cert? Does this give you the trust you need?
  • HISP would be taking a lot of responsibility for this
  • If we can’t “white list” other HISPs
  • Brief the S&T WG on security and trust issues related to concrete implementation


Comment from Vassil Peytchev

  • Concerns about SMIME
  • Security & Trust WG need to resolve encryption of payload
  • Arien agrees, the process here should be concrete implementation tries to run down a path, hits issues and then kicks to S&T
  • What level of trust do we want to inject into the system
  • Within our charter: where and how to encrypt payloads


Comment from Lin Wan

  • Payload is signed / encrypted?
  • How does it interact with SOAP?


  • Have requirement for S&T and then map to security
  • REST/SOAP but not XDR Layer
  • Vassil will put some feedback on the challenges of SMIME on the Wiki
  • Layer between
  • Outbound: message sent from client would be packaged and sent encrypted
  • Inbound: message arrived and needs to be decrypted
  • Asymmetric key
    • Before I send I verify the two addresses such that a recipient can’t even route without knowing their private key
    • As a recipient, can’t see/verify sender's private key
  • SASL allows TLS as one of its layers – and can do mutual, but maybe at one cert/IP address


Comment from David McCallie

  • Group will track the notion of multiple addresses – take this to the User Story
    • Happens with nursing homes
    • Sean will post a skeleton outline on the Wiki for the NHIN Direct Slides and ask people to contribute
    • Sean will have a template up on the Wiki for everyone to comment on