Re: [egov] National Health Technology Standards Corporation

["Anders Rundgren" <anders.rundgren@telia.com>]

Two answers in one letter to save list space :-)

There are two dimensions, one is information and the other is trust & identity.
If the NHTSC will be able to set the standard for "information" is hard to tell.

Regarding the trust & identity stuff, I believe (but cannot provide evidence) that
the consortium will fairly soon realize that there are TWO entities, in the
game: people and machines.  Machines can in fact represent an organization.
This is something the US Federal PKI people have not yet realized, which have
caused the US a 5-year (and counting) lag compared to many other countries.

That is, it is not enough that some standard provide an X.509 element
because that means nothing or at least creates a lot of guesswork as
there are currently four competing suggestions on how a machine should
identify itself when signing outbound orders, presciriptions etc.
- As an individual.  The German solution
- As a server.   The short-cut
- As as application.  IBM is promoting this.
- As an organization.  The Scandinavian way

The net result is poor interoperability.

My hope is that this consortium should not leave this question to app developers
just because it is "infected".

thanx,
Anders Rundgren

----- Original Message ----- 
From: "Chiusano Joseph" <chiusano_joseph@bah.com>
To: "Anders Rundgren" <anders.rundgren@telia.com>; "eGov OASIS" <egov@lists.oasis-open.org>
Sent: Sunday, January 30, 2005 18:59
Subject: RE: [egov] National Health Technology Standards Corporation


I'm not certain how you arrived at all of the fine-grained technical
details you put forth below, as the URL you provided did not speak at
that level. Could you please provide an additional source to support the
information that you provide below?

Kind Regards,
Joseph Chiusano
Booz Allen Hamilton
Strategy and Technology Consultants to the World


> -----Original Message-----
> From: Anders Rundgren [mailto:anders.rundgren@telia.com]
> Sent: Sunday, January 30, 2005 3:15 AM
> To: eGov OASIS
> Subject: [egov] National Health Technology Standards Corporation
>
> http://news.com.com/High-tech+alliance+for+digital+health+netw
> ork/2100-1028_3-5550628.html?tag=nefd.top
>
> If this is for real, it could have a rather profound effect
> on (F)PKI, as it seems that they are trying to create "a
> scalable and secure architecture for information exchange and
> collaboration" (my wording)..
>
> If this consortium succeeds in creating a working
> architecture for healthcare, they have "fixed the rest as
> well" as it seems that healthcare comprises practically all
> security, privacy and legal issues one could imagine.
>
> This is likely to be yet another blow at the already severely
> marginalized S/MIME scheme, as the network with a high
> certainty will be based on Web Services, and due to that also
> feature a "Gateway PKI".
>
> Gateways will be the norm for most org-to-org communication
> including cross-border dittos as can be seen by this document:
> http://europa.eu.int/idabc/en/document/3760
>
> Although gateways are well-known by security people,
> something went terribly wrong when this extremely time-proven
> concept met with PKI. I guess this must have had something to
> do with the idea that PKI's sole mission in life is providing
> legally binding signatures for individuals.  But this is
> actually only one out of a myriad of PKI applications.
>
> Now to a yet not solved question: What exactly is a gateway
> certificate?
>
> Anders Rundgren
> Senior PKI Architect
> working for a major computer security company
>
> Disclaimer:
> This is my personal opinion, not to be associated with my employer
>
>
> To unsubscribe from this mailing list (and be removed from
> the roster of the OASIS TC), go to
> http://www.oasis-open.org/apps/org/workgroup/egov/members/leav
> e_workgroup.php.
>
>

To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to
http://www.oasis-open.org/apps/org/workgroup/egov/members/leave_workgroup.php.