Direct Project

Scalable Trust and Trust Bundles

12/06/10

Overview

• What is Scalable Trust• State of Trust• Trust Issues• Trust Solutions• Trust Bundle Demo

12/06/10

What Is Scalable Trust

• Scalable Trust is a strategy for enabling Direct exchange between a large number of endpoints.• Trust should happen “quickly” and uniformly• Forms a “complete” network• Complexity of establishing a network does not increase as more

nodes are added to the network• Value of the network increases as more nodes are added

12/06/10

State of Trust

• “Islands of Automation” and/or “Walled Gardens”• Exchange only occurring within subscribers of a single HISP

HISP AHISP B

12/06/10

State of Trust

• One-off Agreements• HISPs creating peer to peer agreements

• Networks become incomplete and fragmented

HISP AHISP B

HISP CHISP D

12/06/10

State of Trust

• Trust Communities Forming

Directrust.org WSC ABBI

12/06/10

Trust Issues

• Policy• Lack of Common Policies/Practices

• Registration Authorities – Identity Vetting Assurance• Certificate Authorities – Certificate Practices• HISP Practices and Operations

• Direct compliance• Edge protocols• BAAs usage• Cryptographic key protection

• Legal Liabilities• Technical

• Exchange of Trust Anchors

• Peer to Peer Model Not Scalable For “Complete” Networks

12/06/10

Trust Issues

12/06/10

Trust Issues

• The Math – Number of Possible Peer to Peer Contracts (may equate to trust anchor exchanges)• = • Ex: 8 node (HISP) network = 28 agreements• Each additional node requires (n-1) agreements• Management effort becomes exponential

• Peer to Peer Model Results in Incomplete Networks

12/06/10

Trust Issues

12/06/10

Trust Solutions

• Trust Communities• Organizations electing to follow a common set of policies and

processes related to information exchange. Examples of these policies are identity proofing policies, certificate management policies, HIPAA compliance processes etc.

• May require certification to attest to compliance and receive accreditation

• Federated Trust Agreements• An agreement between an accredited HISP and the trust

community, whereby the accredited HISP attests that it has implemented and will abide by the provisions of accreditation, as well as other terms and conditions associated with participation in the trust community

• May eliminate the need for Peer to Peer agreements

12/06/10

Trust Solutions

• Trust Bundle• A collection of trust anchors within a trust community that conform

to a common set of policies and procedures.• All anchors in a bundle meet the same minimum set of

requirements• Trust anchor are included in a bundle in accordance to the

community’s policies and governance• Bundles are cumulative

• Tangible manifestation of a trust community.• Packaged using cryptographic message syntax (CMS) and

(S)MIME standards.• Distributed over public URLs

• HTTP(s)• Consumed by HISPs via the published URL

12/06/10

Trust Solutions

• Trust Communities and Bundles are Scalable• Each HISP only required to sign federated trust agreement

• All HISPs signing the same agreement “trust” each other• Trust bundle distribution is cumulative, secure, and systemic

• Trust bundle URL is configured once, updates are automatic• Distribution uses a hub and spoke model allowing distribution

to be centralized• Networks within a community are “complete”

• The Math - Number of possible agreements: n• Ex: 8 node (HISP) network = 8 agreements• Each additional node requires 1 agreement• Management effort becomes linear

12/06/10

Trust Solutions

• Multiple Trust Communities• Not optimal, but a reality. May lead to fragmentation or large

walled gardens.• Trust “Bridges” may facilitate policy issues between communities• Ex:

DirecTrust.org WSCTrust Bridge

12/06/10

Trust Solutions

• Automate Blue Button (ABBI) Trust Community• Superset of MU2 VTD (specifically transmit)• Requires model private notice• New HIPPA regulations will serve as the trust bridge

• One way communication• Ex:

DirecTrust.org ABBIHIPPA

12/06/10

For More Information

• Scalable Trust Forum: http://wiki.directproject.org/Direct+Scalable+Trust+Forum

• Scalable Trust Summary: http://www.healthit.gov/sites/default/files/direct-scalable-trust-forum-summary-of-findings-report.pdf

• Direct Trust Bundle Workgroup: http://wiki.directproject.org/Trust+Bundle+Sub+Work+Group

• Scalable Trust Story: https://secure.bluebuttontrust.org

• Automate Blue Button Initiative: http://wiki.siframework.org/Automate+Blue+Button+Initiative

• Automate Blue Button Bundle: https://secure.bluebuttontrust.org

• DirectTrust.org: http://directtrust.org

12/06/10

Trust Bundle Demo

DEMO!!