Trust Bundle Technical Approach Discussion
This wiki page facilitates discussion of the Trust Bundle distribution technical approach, which will be used in the different contexts identified by the user stories. The technical approach will guide the creation of the implementation guide for Trust Bundle distribution.
Trust Bundle Actors and Transactions
The key actors and transactions for the technical approach are outlined in the diagram below:
Technical Approach Discussion Topics
The following are discussion topics related to the standards, protocols and content. The initial thoughts are based on work performed in the ABBI initiative and the Implementation Guide straw man that was circulated.
| Discussion Topic | Initial Thoughts | SWG Comments |
|---|---|---|
| Distribution via Query / Retrieve protocols vs. Push | Query/Retrieve is being discussed in ABBI as the solution. This allows the requestor to download the trust bundle based on their local policies as needed and keep it updated. | |
| Type of data (payload) that is being downloaded | No PII or PHI; the data (payload) is essentially a list of public keys. | |
| Transport protocol | HTTP – Provides the required query/response capability and can be secured as required for the use case. | |
| Transport Security (Message Integrity and Confidentiality in Transit) | TLS 1.0 provides the necessary message integrity and confidentiality in transit as required for the use case. | |
| Authentication | TLS Server Authentication is sufficient for the use case. Requestors are not authenticated during the transactions (no TLS client authentication). This essentially amounts to one-way TLS. | |
| Request / Response | Should we use a RESTful interface with the resource being the Trust Bundle <TrustOrganization>/BasicTrustBundle? Potentially, new types of resources could be added to indicate other types of Trust Bundles, such as a Behavioral Health Trust Bundle, etc.? | |
| Trust Bundle Payload and packaging | PKCS#7 Signed Data or Unsigned Data – Provides a standard way to package the trust anchors. This is specified in RFC 5652. | |
| Incremental Updates vs. Complete Bundle as payload in each response | Do we need to consider incremental updates in the Response and indicate it accordingly, or should we start with “Complete Trust Bundle package download” on each request and refine it later as we get further along? | |
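To make the "Trust Bundle Payload and packaging" row concrete, here is an added example (not part of this wiki or of any implementation guide) of how a requestor could unpack a downloaded bundle: it walks the RFC 5652 ContentInfo/SignedData structure, reports whether any signer is present, and fingerprints each packaged anchor. It assumes a DER-encoded response and that an unsigned bundle is a SignedData with empty signerInfos; all function names are hypothetical, and the sample anchors are constructed placeholders rather than real X.509 certificates.

```python
import hashlib

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value, end_offset)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed value into (tag, value, raw_element) triples."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, end = read_tlv(value, pos)
        out.append((tag, val, value[pos:end]))
        pos = end
    return out

def parse_bundle(der):
    """Return (has_signer, {sha256_hex: anchor_der}); no signature is verified here."""
    tag, content_info, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    fields = children(content_info)
    if len(fields) != 2 or fields[0][:2] != (0x06, OID_SIGNED_DATA) or fields[1][0] != 0xA0:
        raise ValueError("contentType is not signedData")
    sd = [f for _, v, _ in children(fields[1][1]) for f in children(v)]
    certs = [raw for t, v, _ in sd if t == 0xA0 for ct, _, raw in children(v) if ct == 0x30]
    has_signer = any(t == 0x31 and len(v) > 0 for t, v, _ in sd[-1:])  # signerInfos is last
    return has_signer, {hashlib.sha256(c).hexdigest(): c for c in certs}

def tlv(tag, value):  # DER encoder for the constructed sample (values under 256 bytes)
    head = bytes([len(value)]) if len(value) < 0x80 else bytes([0x81, len(value)])
    return bytes([tag]) + head + value

def sample_bundle():  # constructed sample: unsigned bundle, two placeholder (non-X.509) anchors
    anchors = tlv(0x30, b"placeholder anchor A") + tlv(0x30, b"placeholder anchor B " * 7)
    sd = (tlv(0x02, b"\x01") + tlv(0x31, b"") + tlv(0x30, tlv(0x06, OID_DATA))
          + tlv(0xA0, anchors) + tlv(0x31, b""))
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, tlv(0x30, sd)))
```

Because the fingerprints are keyed per anchor, comparing the key sets of two successive complete downloads gives the added and removed anchors without any incremental-update support from the server.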