March 14, 2017 Security Conference Call

Latest revision as of 19:08, 21 March 2017

Attendees (x = present, . = absent)

  . John Moehrke, Security Co-chair
  x Kathleen Connor, Security Co-chair
  . Alexander Mense, Security Co-chair
  . Trish Williams, Security Co-chair
  x Mike Davis
  x Suzanne Gonzales-Webb
  x David Staggs
  x Mohammed Jafari
  x Glen Marshall, SRS
  x Beth Pumo
  . Ioana Singureanu
  . Rob Horn
  x Diana Proud-Madruga
  . Serafina Versaggi
  x Joe Lamy
  . Galen Mulrooney
  . Duane DeCouteau
  . Chris Clark
  . Johnathan Coleman
  . Aaron Seib
  . Ken Salyards
  . Christopher D Brown TX
  . Gary Dickinson
  x Dave Silver
  x Rick Grow
  . William Kinsley
  . Paul Knapp
  x Mayada Abdulmannan
  . Kamalini Vaidya
  . Bill Kleinebecker
  x Christopher Shawn
  . Grahame Grieve
  . Oliver Lawless
  . Ken Rubin
  . David Tao
  . Nathan Botts

Agenda

  1. (2 min) Roll Call, Agenda Approval
  2. (2 min) Review and Approval of Security WG Call Minutes March 7, 2017
  3. (40 min) TF4FA Ballot Reconciliation Spreadsheet Disposition Review and current TF4FA with some of the Comments with typo Errata
  4. (5 min) Review any Security WG comments on the ONC-sponsored PGHD Overview (Google Document version available for inline comments) and the Consumer Electronics Association Guiding Principles on Privacy and Security of Personal Wellness Data. Comment deadline moved to March 10th. Diana to present comments collected to date for approval.
  5. (2 min) Project Scope Statement - Medical Devices Security - deferring follow-up of outreach to the Medical Device WG until ballot reconciliations are completed (Kathleen)
  6. (2 min) HL7 PASS Audit Ballot Reconciliation Update (gforge ballot spreadsheet) - Diana
  7. (2 min) Security Labeling Service Revision Update - Diana
  8. (2 min) FHIR AuditEvent and Provenance ballot comments & FHIR Security Call - cancelled.

Minutes

  • Chaired by Kathleen
  • Agenda approved
  • Review and Approval of Security WG Call Minutes March 7, 2017 (deferred to next call)
  • TF4FA Ballot Reconciliation Spreadsheet Disposition Review and current TF4FA with some of the Comments with typo Errata
    • Motion approved on block vote for comments made by David and Ioana (Beth, Diana, Donna)
    • Ioana's block comments 69-75 are approved
    • Comments were emailed out to the group to ballot in May 2017
    • John's comments and concerns reviewed:
      • The difference between concrete and abstract on security labels
      • Diagram on token exchange
      • John provided further explanation: when we are in a portion describing the abstract, we should remain consistent and not include technology-specific information
      • There are other ways to describe negotiation
      • Too much context was described for security tokens, which would force it to be platform-specific on using e.g. XAML
      • Kathleen comment: I do not see anything specific; we should revisit this topic to verify whether it is platform-specific
      • Next step: David will verify whether the references are platform-specific definitions
  • John's comment/issue:
    • What is the difference between run time vs. the Trust Model Application accepting requests?
    • Is this intended to be done as an approach to building a persistent trust framework between organizations,
    • or is it intended to be done on a transaction-by-transaction basis?
    • Kathleen response: Volume will highlight the different types of behaviors
    • Glen comment: HL7 has been using stateless protocols; there will be no persistence across transactions
    • Next step: should be made clear in Volume 2
    • John requests it to be addressed
  • John's request: Only creating a Trust Domain; interoperability defines the way to create the Trust Framework
    • Kathleen's response: One meaning is exchanging the policies in the Federated Trust Framework
    • (Persuasive with Mod) - Differentiate the representation of policies vs. interoperability exchange
  • Comment: Assumptions should include the code set of the services implementation and not be more abstract
    • e.g., in the Spec everyone should see the code set (for example, normal)
    • Codes used for roles and sensitivity tagging
    • e.g., Data Services Agreement is an instance of a concrete example
    • Next step: David to update Terminology of Use of Content
  • Comment: Spell out the DRSA acronym, as it is not commonly used
    • (Persuasive)
  • Comment: Claim vs. Identity Attributes
    • (Persuasive)
  • Comment: Claim attributes should describe identity; does not go into detail on authentication
    • (Non-persuasive with Mod)
    • Motion to approve disposition (Diana, John)
  • Call ended
  • Review any Security WG comments on the ONC-sponsored PGHD Overview (Google Document version available for inline comments) and the Consumer Electronics Association Guiding Principles on Privacy and Security of Personal Wellness Data. Comment deadline moved to March 10th. Diana to present comments collected to date for approval.
  • Project Scope Statement - Medical Devices Security - deferring follow-up of outreach to the Medical Device WG until ballot reconciliations are completed (Kathleen)
  • HL7 PASS Audit Ballot Reconciliation Update (gforge ballot spreadsheet) - Diana
  • Security Labeling Service Revision Update - Diana
  • FHIR AuditEvent and Provenance ballot comments & FHIR Security Call - cancelled.