
ws-sx message



Subject: RE: [ws-sx] new WS-SX work item for discussion


Hi David,

 

I looked through the attached Trust profile. Here are some initial comments.

 

A lot of the document describes aspects of the health care application that are not directly related to use of WS-Trust. Most of that information is useful for putting the Trust profile in context but I’m not sure that an XSPA WS-Trust Profile is the best place for it. I assume this level of understanding of the health care application would be equally useful to XSPA profiling efforts other than WS-Trust. It might make sense to factor the “end-to-end” application description out into a separate document that could motivate, and be referenced by, the XSPA profiles.

 

Regarding section 4, which does delve specifically into WS-Trust:

 

Section 4.1.4: Request/Response – Cross Enterprise Patient lookup.

 

Lines 409-412

Patient search across enterprises may only require a coarse grain approach to authorization where an access control decision can be made without the evaluation of subject attributes.  In this case the responders services interface may execute the lookup without having to interact with the ACS this a result of trust between two STSs.

 

In order to understand this better I’d like to see what trusted data actually drives the access control decision at the service interface.

 

line 417 Request

 

Line 417 indicates the following sections will describe a “request” but is immediately followed by an example of a WS-Trust Request Security Token Response. This caught me by surprise. I expected this section to show the RST as well as the RSTR.

 

Line 513 Response

 

This section appears to describe the content of an application response (patient record). If there is some important relationship between the Trust protocol exchanges and the application response payload that requires the application response be described here, that relationship should be made clear. Otherwise I think this section could be safely removed (see my general comment above).

 

 

Section 1.1.1 Request / Response – Medical Record Access

 

Same issues as with section 4.1.4 above. The description of the “Request” starts with an RSTR and the RST is not described. In this case, the application(?) level response is absent.

 

Section 4.1.6 Masking of Clinical Data

“The response in this case will need to contain an obligation defining which object must be hidden from the requesting user. The consuming ACS and its service interface must enforce this obligation”

 

What response is this section referring to? Is it the application-level response, or the WS-Trust RSTR?

Section 4.1.6 Enforcement Cross Enterprise Business Rules

Same question as in section 4.1.6 comments above.

 

I hope you find these comments useful,

 

Regards,

 

   -greg

 

From: Staggs, David (SAIC) [mailto:David.Staggs@va.gov]
Sent: Tuesday, June 24, 2008 8:30 PM
To: ws-sx@lists.oasis-open.org
Cc: Davis, John M.
Subject: RE: [ws-sx] new WS-SX work item for discussion

 

Colleagues

 

Our proposed work item (described below) has been updated since our last meeting.  Attached is our latest draft for your review.  This profile would address the standards gap identified by the HITSP effort and serve as an underpinning for an interoperable world-wide healthcare environment.  Thank you for your consideration and we appreciate your support in adopting this effort as a work item at the next meeting.

 

Kind regards,

David

 

David Staggs, JD, CISSP (SAIC)
Veterans Health Administration
Chief Health Informatics Office
Emerging Health Technologies


From: Staggs, David (SAIC) [mailto:David.Staggs@va.gov]
Sent: Wednesday, May 21, 2008 9:09 AM
To: ws-sx@lists.oasis-open.org
Cc: Davis, John M.
Subject: [ws-sx] new WS-SX work item for discussion

 

All

 

I would like to suggest a work item for the WS-SX for discussion at the next meeting. 

 

Those familiar with the government healthcare sector know that HITSP has been tasked to identify standards supporting the AHIC use cases.  HITSP has identified a need for a WS-Trust profile that supports cross-enterprise security and privacy authorizations.  We have started a draft profile and would appreciate the comments of the TC. HITSP would like to see the profile balloted in OASIS so it can be cited as a standard profile.  The government healthcare sector will be required to adhere to the standards selected by HITSP, so this is an important effort.   

 

-also-

 

We are starting an OASIS TC called the Cross-enterprise Security and Privacy Authorizations (XSPA) TC and invite members of the WS-SX to join. The goal would be to collect the profiles from groups such as WS-SX and piece them together in a complete profile that supports the entire AHIC use cases. The XSPA profile would be demonstrated at an Interop at the Healthcare Information and Management Systems Society (HIMSS) early next year.

 

Regards,

David

 

 

David Staggs, JD, CISSP (SAIC)
Veterans Health Administration
Chief Health Informatics Office
Emerging Health Technologies



