HIMSIG20080711
Liberty Alliance Project
HIM SIG
Teleconference Meeting Minutes
July 11, 2008
11:00 a.m.-12 Noon EDT
Author: Kurt Kolok
Attendance:
Jim Gross, WellsSecure
John Fraser, Mednet
Pete Palmer, Wells Fargo
Rick Moore, eHealth OHIO
Bob Pinheiro, Independent Contributor
John Stumaker, ?
Paul Godfried, SCIC
John Practer, ?
Tim Reineger, National Notary Association
Agenda:
1. Rick Moore: HITSP update
2. Jim Gross, Vice President of WellsSecure, will be joining us on the call to discuss the Liberty Identity Assurance Framework and its relationship to health identity management.
1. Rick Moore: HITSP update
Rick is taking the lead re: IAF becoming a standard of HITSP. HITSP is a stand-alone organization which they are trying to privatize. CCHIT (HIMSS has a contract to do certification of vendors who claim to be HITSP compliant). LAP IAF should be the trust standard (IDPs would be certified).
Rick: The Secretary of Health and Human Services (ONC) of the nationwide health information network. AHIC has come up with use cases important for the flow of information in health information technology. They passed those to HITSP, and HITSP has broken the use cases out into flows, individual components and transactions/transaction protocols that are being focused on in technical committees. They are reconciling anything that does not work between the standards (IHE, Liberty, etc.). They come up with a tested document which is published for a public comment/acceptance period (approved by AHIC & ONC and codified by the Secretary of Health and Human Services).
Standards can only be meaningful if there are use cases (looking specifically at standards for policy attribute services). If we do not put this into the process now it becomes difficult to amend the standards.
2. Jim Gross, Vice President of WellsSecure, will be joining us on the call to discuss the Liberty Identity Assurance Framework and its relationship to health identity management.
Jim Gross (VP of WellsSecure). The year three initiative did not have sufficient resources. A focus on EAP fits into the expanded mission of LAP. Most people see LAP as solely dealing with SAML, but two or three years ago LAP decided not to focus solely on authentication elements (the EAP work began coming into Liberty). During the first year under LAP, an expert group was created (IAEG) as well as the IA SIG.
Note: A review of the discussion-related PowerPoint slides has been sent to the mailing list. LAP-run SAML certification has been running for about a year and is providing a better degree of interoperability.
Token necklace = massive lanyards of smart cards.
Slide 10: eAuthentication federation was not mentioned, although there is a companion effort in the aerospace industry. The business environment was founded on business processes/names. CertiPath reaches out to contractors, etc. There are three primary players in the CertiPath world. In a federation represented by a bridge there are assurance guidelines and assurance principles, so there could be a master business point across bridges providing a large identity structure. The biopharmaceutical industry recognizes that it has to interact with federal agencies, which creates a template to allow bridges to move more easily.
There are two primary deliverables:
1: levels of assurance
2: assessment criteria
The genesis of IAEG goes back to the federal government (the slides include some references to this). Following 9/11 there was recognition that there were stovepipe ….????.... . There are four levels of identity assurance (these are a reference point for further government work in the space). Level 3 is substantial assurance and level 4 is top level. A major component for the government is Dept. of Defense work.
Slide 13: NIST work re: types of/levels of assurance.
Bob: re: examples of different assurance levels—levels 1, 2, 3 seem to be consumer applications whereas level 4 seems to be a business application. From a banking point of view, would online payment or moving money online be level 3 or level 4?
There has not been work tying financial services to these levels of assurance. Level 3 would be associated with at least a higher level of funds movement while level 2 would give online access to financial transactions. This would not be a formal statement, rather a use case.
Bob: IAF needs to look at different applications and their assurance levels. This has not yet taken place within any particular industry.
Follow on: there will need to be guidance to relying parties.
DEA prescribing of ???? …substances? We do not have specific information on that at this time. As a federal agency they have access and would probably use what made sense to them. Not familiar with what their policy may be.
What level of assurance can be used with what application? There are hundreds of thousands of applications and people can have several identities. Most of the focus is on the Identity theft area. At some point the focus will have to turn to Relying Parties. A descriptive approach would define guidelines.
Does token imply two-factor? Not necessarily. In the SAML world a SAML assertion is frequently defined as a token. 863 has gone through a ??? cycle to clarify this space.
In the NIST definition of multi-factor authentication—is level 2 supposed to be single- or multi-factor? NIST did not originally use the term “multi-factor”. Clarification is expected with the deliverable in August.
Level 3 is multi-factor with cryptography, but level 2 is not. Jim will be pushing to express privacy of identity (he will continue throwing additional resources for/providing additional layers of authentication against business problems).
DEA announced a proposed rule that identifies the need for level 4 assurance (they want to make sure it does not become extremely difficult to collect evidence).
In financial services we should look more at positive deterrents to unfortunate events.
v1.02 of the trust framework was posted for public comment a couple of months ago and is in final form and the framework is in place. Follow up work is needed re: how they want to assign assurance levels.
The certification model is the most intense focus right now. Work is under way to develop a process whereby assessors themselves are certified and in place, so credential SPs can come to market with a statement of certification within the trust market. tScheme is a European identity federation model that is active in the IAEG. TSCP is a reference to earlier work (a set of secure identity email services managing standardization of secure email).
Liberty would be the certifying authority.
Meeting Adjourned