DirectTrust Transitional Community Trust Bundle
Standard Operating Procedure
Change Control

Date         Version  Description of changes
30-Jan-2014  1.4      Added requirement that all end-entity certificates be identity
                      proofed at a minimum of LoA 3.
6-Nov-2013   1.3      Added clause that waives the requirement of a signed federation
                      agreement for HISPs that are DTAAP accredited.
3-Oct-2013   1.2      Updated the definition of the approval committee members to
                      include chairs and/or co-chairs of all active DirectTrust
                      workgroups.
                      Defined the deadline of anchor artifact submission for
                      inclusion on the approval-meeting docket.
                      Updated the timeframe for removal from the transitional
                      bundle to align with the timeframe of DTAAP accreditation.
5-Apr-2013   1.1      Added additional submission requirements: sample end-entity
                      certificates and profile spreadsheet.
                      Clarified approval requirements by committee in terms of
                      quorum, votes, and proxies.
                      Added the requirement that RAs seek accreditation as a
                      condition of inclusion.
1-Apr-2013   1.0      DirectTrust Transitional Community Trust Bundle published.
29-Mar-2013  0.2      Updated with additional inclusion requirements, anchor
                      removal criteria, headers and footers, removal of process
                      diagram.
18-Mar-2013  0.1      Initial draft.

April 1, 2013
Copyright Notice: This document and its contents are the property of DirectTrust.org, Inc. protected by United States copyright
law and may not be reproduced, distributed, transmitted, displayed, published or broadcast for commercial use without the prior
written permission of DirectTrust.org., Inc.
Scope
This document defines the process for including trust anchors in the Transitional Trust Anchor
Bundle. It also defines the minimum set of criteria a trust anchor must meet to be included in the bundle.
Value Proposition
This Transitional Trust Anchor Bundle is contributed to by Health Information Service Providers
(HISPs) who are either fully accredited or have reached “candidate” status of accreditation and
have signed the DirectTrust Federation Agreement; and by Certificate Authorities (CAs), and
Registration Authorities (RAs) who are either fully accredited or have reached “candidate” status
of accreditation. Therefore, all parties contributing to this anchor bundle are engaged in the
process of becoming fully accredited through the EHNAC-DirectTrust Trusted Agent
Accreditation Program (DTAAP). Neither the bundle nor the included trust anchors assert full
accreditation status, but they do provide a transparent view of those intending to be fully
accredited during 2013. Trusted agents represented in this bundle are in a transition state en
route to becoming fully accredited entities, hence the profile name “transitional”.
For these reasons, this Transitional Community Trust Bundle may not meet the minimum set of
trust requirements to be included in all community members’ trust stores. The intention is to
provide a secure distribution mechanism for obtaining those anchors that community members
wish to trust for the purpose of Directed exchange.
Roles
Trust Bundle Officer: Responsible for the executive decisions relating to trust bundles and trust
anchors residing within a specific trust bundle. Decisions include, but are not limited to:
approval of trust bundle profiles; approval of a trust anchor's inclusion within one or more
trust bundles; and approval of a trust anchor's removal or suspension within one or more trust
bundles. Specific executive decisions may require the concomitant approval of an appropriate
committee designated by DirectTrust. However, the trust bundle officer must ultimately sign off
on all decisions covered by this role.
Trust Bundle Administrator: Responsible for the operational aspects of trust bundles.
Responsibilities include, but are not limited to: verification of the integrity of trust anchors
submitted by a HISP; maintaining a repository of approved trust anchors; and generation and
publication of trust bundles. The administrator is also responsible for content generation and
maintenance of the trust bundle web site.
Trust Anchor Approval Committee: Responsible for evaluating the compliance of a HISP
submitting a trust anchor to one or more trust bundles against the inclusion criteria. Evaluation
includes validating that a HISP and its submitted trust anchor(s) meet all of the inclusion criteria
of a trust community profile. The committee is a sub-workgroup of the DirectTrust Security and
Trust Compliance Workgroup, and is comprised of the DirectTrust President and CEO and the
chairs/co-chairs of all active DirectTrust workgroups.
Referenced Documents
Implementation Guide for Direct Project Trust Bundle Distribution
DirectTrust Federation Agreement
DirectTrust Certificate Policy Draft For Trial Use
DirectTrust Certificate Policy v1.2
Definitions

Trust Anchor: An X.509 certificate that is used to validate the first certificate in a sequence of
certificates. The trust anchor public key is used to verify the signature on a certificate issued by
the trust anchor CA. The security of the validation process depends upon the authenticity and
integrity of the trust anchor. For trust anchors included in trust bundles managed by DirectTrust,
the trust anchor MUST carry the basicConstraints extension with the cA flag set to TRUE.

Trust Community: Trust Communities are formed by organizations electing to follow a common
set of policies and processes related to health information exchange. Examples of these policies
include identity proofing policies, certificate management policies, and HIPAA compliance
processes.

Trust Community Profile: A Trust Community can create multiple sets of policies and processes
and enforce these sets of policies on selected organizations that wish to voluntarily conform to
them. For example, a Trust Community could create a set of policies and processes that
organizations agree to conform to in Directed exchange associated with routine health care
treatment use cases, a different set of policies and processes that organizations agree to conform
to for Behavioral Health related use cases, and so on. These sets of policies and processes are
called Trust Community Profiles. The word "Profile" indicates a distinct set of policies and
processes.

Trust Bundle: A collection of trust anchors that meet a common set of minimum policy
requirements within a Trust Community Profile. Relying parties may import the trust anchors in
the bundle into their Security/Trust Agent (STA) implementations (trust stores) with confidence
that each trust anchor adheres to the policies set by the Trust Community managing the bundle.

Relying Party: An individual or entity that has received information that includes a Certificate
and a digital signature verifiable with reference to a Public Key listed in the Certificate, and is in
a position to rely on them for the purpose of Directed exchange.
Procedure
Trust Anchor Inclusion
The procedure for including HISP trust anchors in the trust bundle consists of the following
high-level steps.
1. Trust anchor submission
2. Trust anchor approval
3. Handoff to trust bundle administrator
4. Trust anchor verification
5. Trust bundle generation and publication
Step 1: Trust anchor submission
After the Federation Agreement has been executed between a HISP and DirectTrust, the HISP
submits trust anchors for inclusion in the trust bundle by sending an email to the DirectTrust
admin inbox with the following attachments:
- Executed federation agreement (only for HISPs that are not DTAAP accredited)
- All trust anchor files
  o Sample end-entity certificate(s) chaining to each trust anchor
    - An example of each certificate type that will be issued under the trust anchor
      should be submitted. Certificate types include:
      - Org-level certs
      - Address-level certs
- HISP/CA/RA profile spreadsheet
Alternatively, a HISP may submit trust anchor files along with the initial federation agreement
submission. In this case, the DirectTrust administrator will forward the submitted trust anchors to
the trust bundle administrator, who will place them in a holding location until the federation
agreement is successfully executed.
All required artifacts must be submitted no later than EOB two business days before the next
Trust Bundle Approval Committee meeting in order to be placed on that meeting's docket.
For example, if the approval committee meets on a Thursday, all artifacts must be submitted by
EOB on the Tuesday prior to the meeting. At the discretion of the approval committee, artifact
corrections and/or addenda may be accepted after the submission deadline, but must be
received by the committee prior to the approval committee meeting.
Step 2: Trust anchor approval
After the anchors have been submitted and the Federation Agreement has been executed, the
HISP and the submitted anchors will be reviewed for approval by the trust anchor approval
committee. The committee will evaluate the HISP and the submitted trust anchor(s) for
compliance with the trust bundle profile criteria. Approval criteria consist of:
- The HISP, the certificate authorities issuing the trust anchors, and the registration authorities
  MUST be DirectTrust members.
- The HISP and the DirectTrust CEO MUST have signed the Federation Agreement.
  o In the case of a fully accredited and audited HISP applying to have its trust anchor
    included in the Transitional Trust Anchor Bundle during 2013, and before the launch of
    the Fully-Accredited Trust Anchor Bundle anticipated in January 2014, the requirement
    for signing of the Federation Agreement above is waived.
- The HISP, the trust anchor's certificate authority, and the registration authorities used to
  validate identities MUST be listed as DTAAP candidates on the EHNAC web site.
- Trust anchors submitted by the HISPs MUST adhere to the DirectTrust X.509 Certificate
  Policy (CP), Draft for Trial Use, or a more recent version.
  o An equivalent or more comprehensive Certificate Policy may be acceptable for use,
    pending approval by the Trust Anchor Approval Committee.
- Trust anchors MUST be issued by CAs that issue certificates used in Directed exchange, and
  MUST chain down to end-entity certificates of that type only.
- All end-entity certificates issued under the submitted trust anchors MUST be issued to
  subjects identity proofed at a minimum of LoA 3.
A quorum for the purposes of the approval committee meeting consists of 50% or greater of the
whole committee. Assuming a quorum is achieved, the meeting will be conducted using
parliamentary procedure rules.
Approval is achieved by a majority of positive votes of the members of the whole committee (or
their proxies). Committee members MUST recuse themselves from voting if they are affiliated with
the entity that is being voted on. If a committee member is recused, the number of required
positive votes for approval is not reduced.
A committee member may delegate another committee member as a proxy for the purposes of
anchor approval voting. A single committee member may possess two or more votes via proxy,
however a single committee member may not possess a majority of votes. A delegating member
assigns proxy privilege by emailing their proxy nomination to the entire committee list prior to
the subsequent meeting. A proxy is only valid for the immediate subsequent meeting, and an
email is required for each following meeting.
Upon approval or denial by the committee, the original submitter will be sent an email indicating
the results of the committee decision. For trust anchors that are denied, detailed information will
be included indicating the reasons for denial. If multiple trust anchors were submitted, it is
possible that some trust anchors may be approved while others are not. The approval or denial
status of each trust anchor will be indicated in the status message. HISPs will be notified of their
approval status within 10 business days of trust anchor submission.
Step 3: Handoff to trust bundle administrator
For all trust anchors that are approved, the trust anchors are handed off to the trust bundle
administrator by emailing the trust anchors to the trust bundle administrator. The administrator
places the trust anchors in a holding location for verification.
Step 4: Trust anchor verification
Because trust anchors are submitted over a non-secure transport (email), out-of-band
verification MUST be performed to ensure the integrity and validity of trust anchors. Verification
is performed by the trust bundle administrator via an over-the-phone verification with an
authoritative member of the submitting HISP. The HISP member will verify the following
attributes of the trust anchor(s):
- Trust anchor thumbprint
  o The thumbprint is the thumbprint attribute of the trust anchor (the hash of the
    certificate's DER encoding, as shown in a certificate viewer's Thumbprint field)
- Trust anchor subject (distinguished name) attributes
- Trust anchor issuer
- Trust anchor valid-from and valid-to dates
Although the trust anchor thumbprint alone is cryptographically sufficient for verification
(provided the full thumbprint is compared, not a prefix of it), the additional attributes are
validated for additional assurance.
If the verification process is not successful due to inconsistencies in the verified fields, the HISP
will resubmit the trust anchor(s) to the trust bundle administrator and DirectTrust admin
inboxes. Upon receipt, the trust bundle administrator will discard the invalid trust anchor(s)
and verify the new trust anchor(s) again. If the subsequent resubmission and verification are not
successful, the trust bundle administrator will engage the HISP submitter directly to facilitate
alternative means of trust anchor submission.
Step 5: Trust bundle generation and publication
Upon successful verification, the trust bundle administrator will move the trust anchor(s) into the
trust bundle anchor repository location. This repository location contains a cumulative collection
of all approved trust anchors in the trust bundle.
The trust bundle administrator will then generate a new trust bundle file that includes all existing
and the newly approved trust anchors using the necessary tooling. The new trust bundle will use
the identical file name of the existing bundle.
Before the new trust bundle is published to the publicly accessible URL, the existing trust bundle
will be backed up into a trust bundle archive location. After the existing trust bundle has been
archived, the new trust bundle will be moved to the trust bundle publication URL.
Lastly, the trust bundle details page will be updated with all required information, including:
- HISP name
- Trust anchor(s) common name
- CA operator name
- RA operator name
- Trust anchor(s) compliance information
  o DirectTrust CP version compliance
  o CP URL and CPS URL
- Level of assurance for issuance
- Issued certificate types
- Indication of whether the trust anchor(s) is used exclusively to issue certificates to users or
  organizations that are part of the DirectTrust federation agreement
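The checks of Step 4 and the generation and publication of Step 5 can be scripted. The following shell script is an added example; it is not part of the DirectTrust SOP or of DirectTrust's tooling. It assumes OpenSSL 1.1.1 or later on the administrator's workstation and assumes the bundle is published as an unsigned PKCS#7 (.p7b) file. The HISP name, Direct address, file names and paths are placeholders, and the anchor and end-entity certificate it operates on are constructed by the script itself. Classifying a certificate as address-level by an rfc822Name subjectAltName and as org-level by a dNSName subjectAltName follows Direct convention and is not stated in this SOP. Beyond the four Step 4 attributes, the script also checks the two inclusion criteria that a tool can check: the anchor carries basicConstraints CA:TRUE, and the sample end-entity certificate chains to the anchor when only the anchor is trusted.

```shell
#!/bin/sh
# Added example (not DirectTrust's tooling). Needs OpenSSL 1.1.1+. Every certificate,
# name and path below is constructed for the demonstration.
set -eu

make_test_pki() {           # $1 = work dir; writes a constructed anchor (CA) and one address-level leaf
    local dir=$1
    cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
O = Example HISP
CN = Example HISP Direct Anchor
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:provider@direct.example-hisp.example
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -config "$dir/pki.cnf" \
        -extensions v3_ca -keyout "$dir/anchor.key" -out "$dir/anchor.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/pki.cnf" \
        -subj "/O=Example HISP/CN=provider@direct.example-hisp.example" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/anchor.pem" -CAkey "$dir/anchor.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$dir/pki.cnf" -extensions v3_leaf \
        -out "$dir/leaf.pem" 2>/dev/null
}

thumbprint() {              # SHA-1 over the DER encoding: the "Thumbprint" a certificate viewer shows
    openssl x509 -noout -fingerprint -sha1 -in "$1" | cut -d= -f2 | tr -d ':' | tr 'a-f' 'A-F'
}

anchor_attributes() {       # the Step 4 fields the administrator reads back to the HISP contact
    echo "thumbprint=$(thumbprint "$1")"
    openssl x509 -noout -subject -issuer -dates -in "$1"
}

check_anchor() {            # $1 = anchor file, $2 = thumbprint confirmed over the phone
    local cert=$1 expected
    expected=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')   # tolerate colons/spaces as read out
    [ "$(thumbprint "$cert")" = "$expected" ] || { echo "thumbprint mismatch" >&2; return 1; }
    # bundle rule: a trust anchor must carry basicConstraints with cA TRUE
    openssl x509 -noout -ext basicConstraints -in "$cert" | grep -q 'CA:TRUE' \
        || { echo "basicConstraints is not CA:TRUE" >&2; return 1; }
    # and must currently be inside its validity period
    openssl x509 -noout -checkend 0 -in "$cert" >/dev/null || { echo "anchor expired" >&2; return 1; }
}

check_chain() {             # inclusion criterion: the sample end-entity cert chains to the anchor,
                            # with the default CAfile/CApath disabled so only the anchor is trusted
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null
}

cert_type() {               # Direct convention (assumed, not stated in the SOP):
                            # rfc822Name SAN = address-level cert, dNSName SAN = org-level cert
    local san
    san=$(openssl x509 -noout -ext subjectAltName -in "$1" 2>/dev/null || true)
    case $san in
        *email:*) echo address ;;
        *DNS:*)   echo org ;;
        *)        echo unknown ;;
    esac
}

publish_bundle() {          # $1 = approved-anchor repository, $2 = published bundle path, $3 = archive dir
    local repo=$1 pub=$2 archive=$3 f
    set --
    for f in "$repo"/*.pem; do set -- "$@" -certfile "$f"; done
    # unsigned PKCS#7 (.p7b) container, assumed here as the published bundle format
    openssl crl2pkcs7 -nocrl "$@" -outform DER -out "$pub.new"
    if [ -f "$pub" ]; then  # archive the bundle being replaced; name carries time and content hash
        cp -p "$pub" "$archive/$(basename "$pub").$(date -u +%Y%m%dT%H%M%SZ).$(openssl dgst -sha256 -r "$pub" | cut -c1-12)"
    fi
    mv "$pub.new" "$pub"    # one rename under the unchanged file name; readers never see a partial file
}

bundle_subjects() {         # list what a relying party would import from the published bundle
    openssl pkcs7 -inform DER -in "$1" -print_certs -noout | grep '^subject'
}

# Demonstration run over the constructed PKI
work=$(mktemp -d)
make_test_pki "$work"
anchor_attributes "$work/anchor.pem"
phoned=$(thumbprint "$work/anchor.pem")        # stands in for the value the HISP contact reads out
check_anchor "$work/anchor.pem" "$phoned"
check_chain "$work/anchor.pem" "$work/leaf.pem"
echo "sample end-entity cert type: $(cert_type "$work/leaf.pem")"
mkdir -p "$work/repo" "$work/archive" "$work/www"
cp "$work/anchor.pem" "$work/repo/example-hisp-anchor.pem"
publish_bundle "$work/repo" "$work/www/TransitionalBundle.p7b" "$work/archive"   # first publication
publish_bundle "$work/repo" "$work/www/TransitionalBundle.p7b" "$work/archive"   # re-publication archives the old one
bundle_subjects "$work/www/TransitionalBundle.p7b"
ls "$work/archive"
```

In real use the thumbprint argument to check_anchor is typed from what the HISP contact reads out, never copied from the emailed file, since the point of the phone call is an independent channel. The published bundle is replaced by a single rename under its unchanged file name, so a downloader sees either the old bundle or the new one, and the archive name carries a timestamp plus a hash of the replaced content so successive publications never overwrite each other.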
Trust Anchor Removal
Trust anchors are removed from the transitional trust bundle under the following conditions:
- Upon inclusion in the accredited trust bundle, the trust anchor is removed from the
  transitional trust bundle unless the trust anchor is associated with other HISPs still within
  the transitional trust bundle.
- If the HISP, CA, and/or RA do not complete their DTAAP accreditation within the
  timeframe defined by the DTAAP accreditation process, the trust anchor is removed
  from the transitional trust bundle unless the trust anchor is associated with other HISPs
  still within the transitional trust bundle.
In all cases, the HISP and its trust anchor are removed from the transitional trust bundle details
page.