20150918 - Meeting minutes, Friday, September 18th, 2015 - OpenNCP integration with SMP

OpenNCP integration with SMP

 

Estimated - 13:00 to 14:00 CEST

Performed - 13:00 to 14:00 CEST

AGENDA

0. Overview

1. Document on SMP and Open Questions

2. AOB

 

 

LOCATION

- Wiki + WorkBench + AdobeConnect

PARTICIPANTS

Today's Meeting Participants:

Joao Cunha

Rui Alves (Unlicensed)

@Uwe Roth

Massimiliano Masi

Alexandre Santos

Adrien Ferial (DG DIGIT)

João (DG DIGIT)

Markus (Unlicensed)

 

Invited Members List:


Stéphane Spahni

Heiko Zimmermann

Licinio Kustra Mano

michele.foucart

@Gwenaelle Quivy

Marcello Melgara

@François

Natasha Carl

Kostas Karkaletsis

Ortwin Donak

 

MEETING NOTES

0. Overview

  • Work Scope

    • USE SMP to convey public information of TSL (Certificates, End Points) and International Patient Search Mask;
      • TSL files should be removed and replaced by SMP Signed Information files. 
      • (Maybe do not delete the TSL EDITOR; explore using the TSL EDITOR to prepare the information to submit to the SMP)
        • INTEGRATE a REST client to CRUD the information...
      • About the "International Patient Search Mask": how to include it in the SMP configs
        • Can be a child of an XML node in the SMP file.
    • USE SMP for the establishment of the VPN?
      • Certificates, End Points and OpenSwan Config (PRIVATE)
    • OUT OF SCOPE FOR NOW - Automate the configuration of OpenNCP

  • Time Scope: 

    • New release OpenNCP 2.3.0-RC0 Released in August.


  • Relevant Documentation: 

    • SMP:

Draft version shared for comments: e-SENS-eHealth-SMP_SML-v02-Draft_ForComments.doc

Questions from Last Meeting - 9th Sept - (Q1 to Q5): https://openncp.atlassian.net/wiki/x/ZACqAw 

Questions from Last Meeting - 11th Sept - (Q6 to Q18): https://openncp.atlassian.net/wiki/x/XADMAw

Questions and Comments From Today's Meeting:

Q1) Should the central services (SMP/SML) be an ATNA Secure Node?

A1) Massimiliano Masi (following his previous opinion on this topic): 

A secure node is a data controller or data processor in which configuration changes are subject to audit.

The current CS are not a secure node, since they don't handle PHI. The ATNA log is handled by the NCP node.

In the SMP solution, when the NCP's cache is invalidated, a new fetch is made and the NCP creates a new ATNA log.

Both Massi and Uwe agree: the central services are not a secure node.

Q2) Mapping TSL-SMP (Massi's doc EXPAND CP)

A2) - Section 1.1.4 - VPN Endpoint/@transportProfile

- Should we use it for the type of VPN? Ask Kostas Karkaletsis about the usefulness that he sees for this field...

Answer from Kostas Karkaletsis: Also, there is one more piece of information needed: whether the server is located under NAT or has direct access to the net.

- EndpointURI

Section 1.1.4: the VPN endpoint must be a URI (xs:anyURI), but all we have is an IP address or domain name. Possible solution: use a non-standard scheme (e.g. "ipsec:")

Massimiliano Masi: Use the ad-hoc scheme

Q3) D3.4.2§4.1.1 "IPSec configuration" states "A gateway-to-gateway VPN MUST be set up between all epSOS nodes". Should the SML also be considered an epSOS node? If so, what about the connection between the SMP(s) and the SML? Should there also be a VPN channel?

A3) Both Massi and Uwe agree: no VPN connection. But DNSSEC is mandatory.

DIGIT doesn't propose any DNSSEC services.

 

Q4) To me, it's not clear which algorithm MUST be used. SHA-2 is clearly recommended, but is it sure that using SHA-1 is a relaxation according to chapter D3.4.2§5.1 "Cryptographic Keys and Algorithms"? From my understanding, other algorithms can be used as long as they fulfil at least the requirements of [ECRYPT-II D.SPA.57] for Level-5. However, the SMP spec makes the use of SHA-1 mandatory. Maybe we can create a request for change to allow other algorithms?

A4) SHA-2 requirement comes from the specifications (D3.A.7 epSOS Architecture and Design - EED Design - Cryptographic Algorithms). SHA-1 is not mandatory, it was wrongly assumed by a PEPPOL document.

 

Q5) Which field to pass as input of the hash function for building the domain name: HCID or STS?

A5) Use the remote's issuer name of STS (unique per NCP)

 

SML domain=ehealth.ec.europa.eu

schemeId of participants=ehealth-ncp-ids

participantId=urn:ehealth:de:ncpb-idp

documentType=docScheme::docID=epsos-docid-qns::urn::epsos:services##epsos-121

 

would give, after percent encoding: http://MD5Hash[urn:ehealth:de:ncpb-idp].ehealth-ncp-ids.ehealth.ec.europa.eu/urn%3Aehealth%3Ade%3Ancpb-idp/services/epsos-docid-qns%3A%3Aurn%3A%3Aepsos%3Aservices%23%23epsos-121
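
The URL construction above as a runnable sketch, added here as an example (not code from the minutes or from OpenNCP). The function names are hypothetical, and hashing the identifier as raw UTF-8 with no normalisation is an assumption, since the minutes do not specify one.

```python
import hashlib
from urllib.parse import quote, unquote, urlsplit

# Values listed in the minutes above.
SML_DOMAIN = "ehealth.ec.europa.eu"
PARTICIPANT_SCHEME = "ehealth-ncp-ids"
PARTICIPANT_ID = "urn:ehealth:de:ncpb-idp"
DOC_TYPE = "epsos-docid-qns::urn::epsos:services##epsos-121"


def smp_hostname(participant_id, scheme=PARTICIPANT_SCHEME, sml_domain=SML_DOMAIN):
    """MD5Hash[participantId].schemeId.SMLdomain, as laid out in the minutes."""
    # Assumption: the identifier is hashed as UTF-8 bytes exactly as written;
    # the minutes do not state any normalisation (case folding, prefix).
    # MD5 only derives a DNS label here; it is not an integrity control.
    label = hashlib.md5(participant_id.encode("utf-8")).hexdigest()
    return f"{label}.{scheme}.{sml_domain}"


def smp_service_url(participant_id, doc_type):
    """Full lookup URL with both identifiers percent-encoded as path segments."""
    # safe="" so that ':' and '#' are encoded too; an unencoded '#' would
    # start a URL fragment and silently truncate the document type.
    pid = quote(participant_id, safe="")
    doc = quote(doc_type, safe="")
    return f"http://{smp_hostname(participant_id)}/{pid}/services/{doc}"


def split_service_url(url):
    """Recover (hostname, participant_id, doc_type) to check the round trip."""
    parts = urlsplit(url)
    pid, marker, doc = parts.path.lstrip("/").split("/")
    if marker != "services" or parts.fragment:
        raise ValueError("not an SMP service URL")
    return parts.hostname, unquote(pid), unquote(doc)


if __name__ == "__main__":
    url = smp_service_url(PARTICIPANT_ID, DOC_TYPE)
    print(url)
    print(split_service_url(url))
```
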

 

 

Open Question: Should the SMP files be signed with an Advanced Electronic Signature?

 

2. AOB

Markus (Unlicensed): Is there a Roadmap?

Rui Alves (Unlicensed): Document being completed, and shared to e-SENS by end Sept. We should leave this question open and discuss it w/ Licinio Kustra Mano in OpenNCP - Open Meeting or Governance

Massimiliano Masi: Two streams -

    • e-SENS document and
    • At the same time, EXPAND CP for adding the same procedure of Non-Rep (D 3.A).

 

Today's meeting actions and next meeting:

    • Rui Alves (Unlicensed): Follow up minutes - No next meeting foreseen.
    • Joao Cunha and @Uwe will try to complete the document with the new inputs.
      • Try to have it ready by 25th Sept(?)
      • Massimiliano Masi: Take care of EXPAND document (CP) - must be ready for 25th Sept
      • After doc ready - create test assertions for Gazelle... for EXPAND and e-SENS - after the 25th 
      • Rui Alves (Unlicensed) will share the CP to EC ASAP
      • Massimiliano Masi to create a JIRA issue - expect comments from Main Shop - should not affect the EXPANDATHON.

@Adrien and @João Rodrigues (DG-DIGIT) propose to have a phone call w/ Joao Cunha and @Uwe. To be arranged between the 4.