NHIN Overview - Direct Project

Report
Direct Project
Direct + Policy Enablement
Overview
•
•
•
•
•
Policy Role In Direct
Policy Enablement
Security and Trust Support
Architecture
Tool Demo
Policy Role In Direct
• Scalable Trust
• Philosophy for enabling Direct exchange between a large number
of endpoints
• Policy first class citizen in scalable trust
• Mitigates policy variance
• Proposed Policy Requirements
• Federal Community Requirements
• Governance
• Trust Bundles
• Technical solution to scalable trust
• Bundle profiles define policy requirements
• Only define and attest policy compliance
• Can not assert and enforce policy
• Bundles alone are not enough
Policy Enablement
• Facilitate Policy Decisions at Runtime
• Systemic assertion of policy profile compliance
• Direct 2.0 vs Policy Enablement
• 2.0 may imply specification changes
• Potential compatibility issues
• Policy enablement requires no specification changes
• Optional module
• Backward compatible at transport
Security and Trust Support
• Modular Components
• Encryption
• Signature
• Cert Discovery
• Trust Chaining
• Current Policy Ability
• Simple binary trust decision based on certificate chain validation
Security and Trust Support
Current State – Outgoing Message
• Certificate Store
• Dual Use Certificates
• Private Resolver
• All non-expired
• All non-revoked
• Public Resolver
• All non-expired
• All non-revoked
• Trust
• Chain to trust anchor
Security and Trust Support
Current State – Incoming Message
• Certificate Store
• Dual Use Certificates
• Private Resolver
• All non-expired
• All non-revoked
• Verification
• Message integrity
• Trust
• Chain to trust anchor
Security and Trust Support
• Optional Policy Enablement Module
• Policy implemented as filters
• Injected into security and trust process
• Private Certificate Resolution
• Public Certificate Resolution
• Trust Chain Validation
• Configurable Granularity
• Message Direction
• Message Source
• Message Destination
• Circles of Trust
• Can be applied to DNS or LDAP hosting
• Defined Policy Best Practices
Security and Trust Support
Policy Enabled State – Outgoing Message
• Certificate Store
• Dual Use or Single Use
Certificates
• Private Resolver
• All non-expired
• All non-revoked
• Public Resolver
• All non-expired
• All non-revoked
• Trust
• Chain to trust anchor
• Policy Filter
• Filter certs that meet
configured criteria
Security and Trust Support
Policy Enabled State – Incoming Message
• Certificate Store
• Dual Use or Single Use
Certificates
• Private Resolver
• All non-expired
• All non-revoked
• Public Resolver
• All non-expired
• All non-revoked
• Verification
• Message integrity
• Policy Filter
• Filter certs that meet
configured criteria
Architecture
• Policy Engine (direct-policy.jar)
• Policy defined in lexicon specific
language
• Definition + X509 Certificate
processed by engine
• Engine evaluates boolean value to
indicate certificate compliance with
policy
• Policy filter equates to policy engine
process in security and trust agent
Policy Definition
X509 Cert
Policy Engine
Lexicon Parser
Intermediate State
Compiler
Opcodes
Executor
Boolean Decision
Policy Engine Use Cases
• Build Policy Definitions
• Tooling to build definition file
• Policy filters in security and trust agent
• Out of band policy validation
• Trust bundle profile validation for anchors
• End entity certificate validation to CP or CPS
Release Schedule
• Q2 2013
• Policy Engine
• Security and Trust Agent
• Configuration Service
• Command Line Import and Configuration of Definitions
• Gateway
• Policy Validator
• Summer/Early Fall 2013
• Visual Policy Builders
• Config-UI integration
• Java RI 3.0 to include Q2 2013 release components
For More Information
•
Direct + Policy Proposal: http://wiki.directproject.org/file/detail/Direct+%2B+Policy+Enablement.docx
•
Scalable Trust Forum: http://wiki.directproject.org/Direct+Scalable+Trust+Forum
•
Scalable Trust Summary: http://www.healthit.gov/sites/default/files/direct-scalable-trust-forumsummary-of-findings-report.pdf
•
Direct Trust Bundle Workgroup: http://wiki.directproject.org/Trust+Bundle+Sub+Work+Group
•
Scalable Trust Story: https://secure.bluebuttontrust.org
Policy Validation Tool Demo
DEMO!!

similar documents