Difference between revisions of "March 6, 2018 PSAF Call"
Line 55: | Line 55: | ||
==Minutes== | ==Minutes== | ||
*Chris chaired. | *Chris chaired. | ||
− | *Minutes were reviewed. | + | *Agenda approved. |
− | + | *Minutes were reviewed. Kathleen moved to approve. Beth seconded. approved 5-0-0 | |
+ | *Mike walked through several updated models noting that these reflect the focus change to exclude the access control components of the foundational PMAC and DAM models. | ||
+ | *Mike showed the group the Trust Context Model, which simplifies previous TF4FAby making the initiating Domain's (Domain A) trust proposal dependent on the recipient Domain's (Domain B) approval. If Domain A's proposal meets or exceeds Domain B's trust policies, then Domain B countersigns Domain A's proposal thereby executing a trust contract. If Domain A's trust proposal does not meet Domain B's trust policies, Domain B can decline the proposal or offer suggested "trust elevation" policies to bring Domain B into conformance to some extent, even if the result is that Domain A is not able to access all of the information it requested or with the same handling instructions. Domain A may counter with a new proposal, and this interaction continues until either B executes an agreed to trust contract or either drops out of the negotiations. | ||
+ | * Mike showed how trust policies may include specializations as security and privacy policies, and that these policies may have either one or a combination of jurisdictional, organizational, and subject of care policies. | ||
+ | *Mike described the underlying authorization policies as having one or a combination of access control schemes as required by the recipient Domain, including RBAC, ABAC< ACL, ReBAC among others. There is a March Harmonization proposal to bring Authorization and access control scheme policies into HL7 vocabulary. | ||
+ | |||
=='''Meeting Materials'''== | =='''Meeting Materials'''== | ||
*[https://gforge.hl7.org/gf/project/security/docman/HL7%20Security%20SOA/PSAF/PSAF%20TF4FA%20May%202018/Ballotcomments_V3_PSAF_R1_I2_2017MAY%20Amalgamated%20Jan%2023%202018%20final.xls HL7 TF4FA May Ballot Reconciliation Spreadsheet] *[https://gforge.hl7.org/gf/project/security/docman/HL7%20Security%20SOA/PSAF/PSAF%20TF4FA%20May%202017/V3%20PSAF%20Chap%202%20TF4FA%20Vol%201%20Conceptual%20Model.pdf V3 PSAF Chap 2 TF4FA Vol 1 Conceptual Model] | *[https://gforge.hl7.org/gf/project/security/docman/HL7%20Security%20SOA/PSAF/PSAF%20TF4FA%20May%202018/Ballotcomments_V3_PSAF_R1_I2_2017MAY%20Amalgamated%20Jan%2023%202018%20final.xls HL7 TF4FA May Ballot Reconciliation Spreadsheet] *[https://gforge.hl7.org/gf/project/security/docman/HL7%20Security%20SOA/PSAF/PSAF%20TF4FA%20May%202017/V3%20PSAF%20Chap%202%20TF4FA%20Vol%201%20Conceptual%20Model.pdf V3 PSAF Chap 2 TF4FA Vol 1 Conceptual Model] | ||
*[https://gforge.hl7.org/gf/project/security/docman/HL7%20Security%20SOA/PSAF/PSAF%20TF4FA%20May%202017/V3%20PSAF%20Chap%202%20TF4FA%20Vol%202%20Behavioral%20Model.pdf V3 PSAF Chap 2 TF4FA Vol 2 Behavioral Model] | *[https://gforge.hl7.org/gf/project/security/docman/HL7%20Security%20SOA/PSAF/PSAF%20TF4FA%20May%202017/V3%20PSAF%20Chap%202%20TF4FA%20Vol%202%20Behavioral%20Model.pdf V3 PSAF Chap 2 TF4FA Vol 2 Behavioral Model] | ||
*[http://wiki.hl7.org/index.php?title=Privacy_and_Security_Framework_Architecture_(PSAF) PSAF wiki home page for the HL7 Security WG] | *[http://wiki.hl7.org/index.php?title=Privacy_and_Security_Framework_Architecture_(PSAF) PSAF wiki home page for the HL7 Security WG] |
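Review bot: The added Trust Context Model bullet says Domain B may offer "trust elevation" policies "to bring Domain B into conformance", but it is Domain A's proposal that fails Domain B's trust policies, so the sentence reads as if Domain A is meant; please confirm and correct. In the same added lines, "TF4FAby" is missing a space, "ABAC< ACL" should read "ABAC, ACL", and "approved 5-0-0" should start with a capital letter.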
Revision as of 07:30, 13 March 2018
Attendees
. | Member Name | . | Member Name | . | Member Name | . | Member Name
---|---|---|---|---|---|---|---
. | John Moehrke, Security Co-chair | x | Kathleen Connor, Security Co-chair | . | Alexander Mense, Security Co-chair | . | Trish Williams, Security Co-chair
x | Christopher Shawn, Security Co-chair | x | Suzanne Gonzales-Webb | x | Mike Davis | . | David Staggs
. | Mohammed Jafari | x | Beth Pumo | . | Ioana Singureanu | . | Rob Horn
x | Diana Proud-Madruga | x | Francisco Jauregui | . | Joe Lamy | . | Galen Mulrooney
. | Paul Knapp | . | Grahame Grieve | . | Johnathan Coleman | . | Aaron Seib
. | Ken Salyards | . | Jim Kretz | . | Gary Dickinson | x | Dave Silver
. | Oliver Lawless | . | [1] | . | David Tao | x | Greg Linden
Agenda
- (3 min) Roll Call, Agenda Approval
- (5 min) Review and Approval of the Feb. 27th Minutes
- (50 min) TF4FA Ballot Work Session - Mike Davis and Chris Shawn
Minutes
- Chris chaired.
- Agenda approved.
- Minutes were reviewed. Kathleen moved to approve. Beth seconded. Approved 5-0-0.
- Mike walked through several updated models, noting that these reflect the focus change to exclude the access control components of the foundational PMAC and DAM models.
- Mike showed the group the Trust Context Model, which simplifies previous TF4FA by making the initiating Domain's (Domain A) trust proposal dependent on the recipient Domain's (Domain B) approval. If Domain A's proposal meets or exceeds Domain B's trust policies, then Domain B countersigns Domain A's proposal, thereby executing a trust contract. If Domain A's trust proposal does not meet Domain B's trust policies, Domain B can decline the proposal or offer suggested "trust elevation" policies to bring Domain B into conformance to some extent, even if the result is that Domain A is not able to access all of the information it requested or with the same handling instructions. Domain A may counter with a new proposal, and this interaction continues until either B executes an agreed-to trust contract or either drops out of the negotiations.
- Mike showed how trust policies may include specializations as security and privacy policies, and that these policies may have either one or a combination of jurisdictional, organizational, and subject of care policies.
- Mike described the underlying authorization policies as having one or a combination of access control schemes as required by the recipient Domain, including RBAC, ABAC, ACL, and ReBAC, among others. There is a March Harmonization proposal to bring Authorization and access control scheme policies into HL7 vocabulary.