20150918 - Meeting minutes, Friday, September 18th, 2015 - OpenNCP integration with SMP
OpenNCP integration with SMP
Estimated - 13:00 to 14:00 CEST
Performed - 13:00 to 14:00 CEST
AGENDA
0. Overview
1. Document on SMP and Open Questions
2. AOB
- Wiki+ WorkBench + AdobeConnect
- AdobeConnect:
http://ec-wacs.adobeconnect.com/openncp/
Room Passcode: ask Rui Alves (Unlicensed) or markus.kalliola
----------------
If you have never attended an Adobe Connect meeting before:
Test your connection: http://ec-wacs.adobeconnect.com/common/help/en/support/meeting_test.htm
Get a quick overview: http://www.adobe.com/products/adobeconnect.html
Adobe, the Adobe logo, Acrobat and Adobe Connect are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries.
----------------
PARTICIPANTS
Today's Meeting Participants:
@Uwe Roth
Adrien Ferial (DG DIGIT),
João (DG DIGIT),
Invited Members List:
@Gwenaelle Quivy
@François
MEETING NOTES
0. Overview
Work Scope
- USE SMP to convey public information of TSL (Certificates, End Points) and International Patient Search Mask;
- TSL files should be removed and replaced by SMP Signed Information files.
- (Maybe not to delete the TSL EDITOR, explore TSL EDITOR to prepare the information to submit to the SMP )
- INTEGRATE a REST client to CRUD the information...
- About "International Patient Search Mask", how to include on the SMP configs
- Can be a child on an XML node on the SMP file.
- USE SMP to the establishment of VPN?
- Certificates, End Points and OpenSwan Config (PRIVATE)
- OUT OF SCOPE BY NOW - Automate the configuration of OpenNCP
- USE SMP to convey public information of TSL (Certificates, End Points) and International Patient Search Mask;
Time Scope:
New release OpenNCP 2.3.0-RC0 Released in August.
Relevant Documentation:
- SMP:
- White paper on SMP and requirements for eHealth:
- Examples of SMP files:
- FinIdentityByTraitsServiceInformationSigned.xml
- OrderServiceServiceInformation.xml
- PatientServiceListServiceInformation.xml
- SAMLIssueServiceInformation.xml
- BDXR:
- OpenNCP early analysis:
- OpenNCP early Analysis: https://openncp.atlassian.net/wiki/x/j4DyAg
- OpenNCP early Analysis: https://openncp.atlassian.net/wiki/x/j4DyAg
- SMP Change Proposal (from Masi):
1. Document on SMP and Questions Open:
Draft version shared for comments: e-SENS-eHealth-SMP_SML-v02-Draft_ForComments.doc
Questions from Last Meeting - 9th Sept - (Q1 to Q5): https://openncp.atlassian.net/wiki/x/ZACqAw
Questions from Last Meeting - 11th Sept - (Q6 to Q18): https://openncp.atlassian.net/wiki/x/XADMAw
Questions and Comments From Today's Meeting:
Q1) Should the central services (SMP/SML) be an ATNA Secure Node?
A1) Massimiliano Masi (following his previous opinion on this topic):
A secure node is a data controller or data processor in which configuration changes are subject to audit.
The current CS are not a secure node, since they don't handle PHI. The ATNA log is handled by the NCP node.
In SMP solution, when NCP's cache invalidates, a new fetch is made and NCP creates new ATNA log.
Both Massi and Uwe agree: the central services are not a secure node.
Q2) Mapping TSL-SMP (Massi's doc EXPAND CP)
A2) - Section 1.1.4 - VPN Endpoint/@transportProfile
- Should we use for the type of VPN? Ask Kostas Karkaletsisostas about the usefulness that he sees for this field...
Answer from Kostas Karkaletsis: Also there is one more info needed. If the server is located under NAT, or has direct access to net
- EndpointURI
Section 1.1.4: VPN endpoint must be an URI (xs:anyURI) but all we have is an IP address or domain name. Possible solution: use a non-standard scheme (e.g. "ipsec:")
Massimiliano Masi: Use the ad-hoc scheme
Q3) D3.4.2§4.1.1 "IPSec configuration" states "A gateway-to-gateway VPN MUST be set up between all epSOS nodes". Should also the SML be considered as a epSOS node? If so, what about the connection between the SMP(s) and the SML? Should there also be a VPN channel?
A3) Both Massi and Uwe agree: no VPN connection. But DNSSEC is mandatory.
DIGIT doesn't propose any DNSSEC services.
Q4) To me, it's not clear which algorithm MUST be used. SHA-2 is clearly recommended, but is it sure that using SHA-1 is a relaxation according to chapter D3.4.2§5.1 "Cryptographic Keys and Algorithms"? From my understanding, other algorithms can be used as long as they fulfil at least the requirements of [ECRYPT-II D.SPA.57] for Level-5. However, the SMP spec makes the use of SHA-1 mandatory. Maybe we can create a request for change to allow other algorithms?
A4) SHA-2 requirement comes from the specifications (D3.A.7 epSOS Architecture and Design - EED Design - Cryptographic Algorithms). SHA-1 is not mandatory, it was wrongly assumed by a PEPPOL document.
Q5) Which field to pass as input of the hash function for building the domain name: HCID or STS?
A5) Use the remote's issuer name of STS (unique per NCP)
SML domain=ehealth.ec.europa.eu
schemeId of participants=ehealth-ncp-ids
participantId=urn:ehealth:de:ncpb-idp
documentType=docScheme::docID=epsos-docid-qns::urn::epsos:services##epsos-121
would give, after percent encoding: http://MD5Hash[urn:ehealth:de:ncpb-idp].ehealth-ncp-ids.ehealth.ec.europa.eu/urn%3Aehealth%3Ade%3Ancpb-idp/services/epsos-docid-qns%3A%3Aurn%3A%3Aepsos%3Aservice%23%23epsos-121
## Open Question: Should the SMP files be signed with Advanced electronic signature?
- Rui Alves (Unlicensed): Address this issue to EXPAND for discussion.
2. AOB
Markus (Unlicensed): Is there a Roadmap?
Rui Alves (Unlicensed): Document being completed, and shared to e-SENS by end Sept. We should leave this question open and discuss it w/ Licinio Kustra Mano in OpenNCP - Open Meeting or Governance
Massimiliano Masi: Two streams -
- e-SENS document and
- At the Same time, EXPAND CP for adding the same procedure of Non-Rep (D 3.A).
Today's meeting actions and next meeting:
- Rui Alves (Unlicensed): Follow up minutes - No next meeting foreseen.
- Joao Cunha and @Uwe will try to complete the document with the new inputs.
- Try to have it ready by 25th Sept(?)
- Massimiliano Masi: Take care of EXPAND document (CP) - must be ready for 25th Sept
- After doc ready - create test assertions for Gazelle... for EXPAND and e-SENS - after the 25th
- Rui Alves (Unlicensed) will share the CP to EC ASAP
- Massimiliano Masi create JIRA issue - expect comments from Main Shop - should not affect the EXPANDATHON.
@Adrien and @João Rodrigues (DG-DIGIT) propose to have a phone call w/ Joao Cunha and @Uwe. To be arranged between the 4.