This wiki has undergone a migration to Confluence found Here
<meta name="googlebot" content="noindex">

March 25, 2014 Security WG Conference Call

From HL7Wiki
Jump to navigation Jump to search

Back to Security Main Page


Member Name Present Member Name Present Member Name Present
Mike Davis Security Co-chair x John Moehrke Security Co-chair x Trish Williams Security Co-chair
Bernd Blobel, Security Co-chair . Johnathan Coleman x Kathleen Connor x
Duane DeCouteau Reed Gelzer . Suzanne Gonzales-Webb CBCC Co-chair x
Rick Grow x David Henkel x Mohammed Jafari
Don Jorgenson . Diana Proud-Madruga x Harry Rhodes .
Ioana Singureanu . Richard Thoreson CBCC Co-chair . Ross Freeman .
Amanda Nash Walter Suarez . Tony Weida x
Chris Clark . . .
. . .

Back to Security Main Page


  1. (05 min) Roll Call, Approve March 18, 2014 Security WG Conference Call Minutes & Accept Agenda
  2. (30 min) Informative discussion on OAuth and OpenID Connect - John Moehrke
  3. (05 min) Other business, action items

Meeting Minutes DRAFT

Meeting minutes for 3/18 are not ready for approval

Security DAM prepared for the upcoming May 2014 ballot cycle - balloting as informative without any changes. we will be moving portions of it over to the PASS Architecture (to make those pieces moved as normative)

MOTION ((Kathleen/Suzanne)To approve moving forward with balloting the current Composite Security and Privacy DAM as informative
VOTE: Objections: none, Abstentions: none, Motion passed 0/0/8

Presentation: John Moehrke OAuth OAuth Presentation

Mike Suzanne, do we have minutes to approve from the last call? Suzanne No, we don’t. I have to redo them.

Item (off-agenda) – Passing motion to ballot Security and Privacy DAM

Mike We’ve asked John to come to this meeting and talk to us about SAML and OAuth, and OpenID as an alternative source of authentication authorization information. We’ve prepared our DAM for balloting on the May cycle, as informative without changes. The intent is to keep it as informative. We’re going to move portions of it into the PASS architecture, which we can make normative. I don’t recall whether we formally took a motion to ballot this. Suzanne I don’t’ see it in the last two meeting minutes. Kathleen MOTION: (Kathleen/Suzanne) I would like to move that we’ll ballot the current Security and Privacy DAM as informative. Abstentions: 0, Objections: 0, Agreed: 7 MOTION Paases

Item 2 - Informative discussion on OAuth and OpenID Connect

John - I sent out the slides in case screen sharing doesn’t work too well for me. First off, I’m just presenting my knowledge. I’m not all-knowing on this subject. There is this OAuth 2, which is attracting a lot of concern, because it became more of a framework rather than an operational standard. It needs additional standards to make it work. Many of those standards are still in draft form. OAuth is still about authorizing an application to do things on your behalf. People liken this to providing your car keys to the valet. The authorization side of OAuth is comprised of three different parties: an application that wants to do something (like an iPad); a service, which is handled as an authorization step; and then there is a resource server. The technology in OAuth is similar to Kerberos. There are service tickets. It provides users the ability to grant and revoke authorization to resources. The OpenID Connect is actually a new version of OpenID. It’s not 2.0; it’s beyond 2.0. OpenID basically answers the question: “What is your identity?” It’s a way of describing a resource that is a description of you as the user. It provides the ability to fine-grain control access to your data. The dirty little secret is that all of this is managed by shared secrets that are issued by the authorization server, so it can’t just randomly take the application from the App Store and have it work with any identity provider. The authorization server has to have shared secrets within that application.

Meeting Adjourned at 1510 PST --Suzannegw (talk) 21:04, 1 April 2014 (UTC)