DirectTrust Policy Opinion


Dec 13, 2013


1101 Connecticut Ave. NW, Suite 1000, Washington, DC


DirectTrust Policy Opinion Number 1.0, Released for public comment July, 2013



From time to time, as appropriate and warranted, DirectTrust will publish opinions on security and trust policy and other issues related to Direct exchange, intended to assist Direct exchange implementers and users to understand and apply best industry practices. The public is invited to respond to these opinions via email to with a subject line containing the words “Policy Opinion”.


Use of a single, HISP-wide X.509 digital certificate for multiple, separate, legally distinct health care organizations is not an acceptable practice when implementing the Direct standard.


An important goal of DirectTrust is to establish policies, standards, and best practices that are intended to eliminate or mitigate the risks associated with the transmittal of health care information over the Internet using the Direct standard, and thus to create and maintain provider and patient/consumer confidence in Direct messages and attachments during their daily use of Direct exchange.

DirectTrust members have interpreted the Applicability Statement to permit the issuance of X.509 digital certificates to individuals and to organizations, the latter including a Health Care Organization, HCO, or a component of such an organization, such as a department or division. Further, DirectTrust has developed a Security and Trust Framework, including the DirectTrust X.509 Certificate Policy, drawing upon a number of established authorities for policy on confidentiality, integrity and authentication, including HIPAA, FIPPS, the FBCA, and NIST. For its authentication policies and practices, DirectTrust relies primarily upon, and the Security and Trust Framework rests on guidance from, the model included in the document NIST Special Publication 800-63-1, Electronic Authentication Guideline, December, 2011.

Several Direct implementations have begun the practice of using a single, HISP-wide X.509 digital certificate for all participating subscribers to their HISP, such single certificate being used to facilitate Direct exchange by individuals from multiple, separate, legally distinct entities, including from different

While recognizing that the Applicability Statement is ambiguous with regard to this practice, most likely because its developers never anticipated its use, it is the opinion of DirectTrust that use of a single, HISP-wide X.509 digital certificate for all HISP participants is not an acceptable practice, and should never be used in Direct implementations where users/subscribers sharing the certificate are from multiple, separate, legally distinct organizations. We are joined in that opinion by the Office of the National Coordinator for Health IT, ONC, which stated in the recently updated Direct implementation guidelines from ONC (May, 2013), in part:


"In particular, Direct certificates must:

Conform to the requirements set forth in Applicability Statement for Secure Transport v1.1. Direct certificates are used only for transport and not for verification or non-repudiation. [and]

Have been issued to a health care related organization or more granular component of an organization (e.g., department, individual). One certificate issued to a HISP to use on behalf of all participants in the HISP does not meet this criterion."

(italics added)

In the remainder of this DirectTrust Policy Opinion, we will discuss the relevant issues and provide a justification for prohibiting the use of a single, HISP-wide X.509 digital certificate for multiple, separate, legally distinct organizations.


There is probably no one single consideration that would preclude a single, HISP-wide X.509 certificate from being considered reasonable practice for Direct implementations. However, there are several reasons that, in the aggregate, argue against the practice.

1. Use of a single, HISP-wide certificate for users/subscribers of multiple, separate, legally distinct organizations effectively breaks the chain of trust in authentication that is an important component of the DirectTrust Security and Trust Framework and of the model established for authentication by NIST and other authentication authorities. It puts the control for authentication solely in the hands of the HISP, rather than sharing, and linking, the authentication with the Certificate Authority, CA, and the Registration Authority, RA. It also eliminates proper representation of the subscriber at the Health Care Organization (HCO) in the case of an organizational (domain level) certificate, as well as in the case of the individual (address level) certificate.

The DirectTrust Certificate Policy states that when a HISP is used, the CA should only create the credential (certificate) after an RA has proofed and verified the identity of the HCO representative, and the appropriate or nominated ISSO at the HISP. The CA must also verify that the RA obtained authorization from the HCO representative for the HISP to be the HCO’s service provider, and requires that both the HCO representative and their nominated ISSO agree to the certificate subscriber agreement (contract). In cases where the certificate is issued to a single individual rather than to an organization, he or she is considered to be the HCO representative.

Adherence to this policy and these practices is required to ensure that the HCO representative has representation for and control over the certificate and the private key, even though the ISSO at the HISP operates it on their behalf. It also ensures that the CA confirms that the HCO is authorizing the HISP as their service provider. Such assurances increase the confidence that the risk of misinformation regarding the identity/integrity of the Direct messages will be minimal, and are an important aspect of the chain of trust in identity when using the Direct standard.

In the case of a single, HISP-wide certificate, this sequence or chain of assurances as to identity is interrupted and broken (see Figure 1 below, in which Subscriber A.1 is the HCO representative). Because there is no HCO representative-CA agreement, and because all participants in the HISP share a single certificate bound only to the HISP itself, the HCO itself is not in any state of agreement with respect to the certificate. In this case, the only entity that can hold legal responsibility for that certificate and its users is the HISP. (It is true that a HISP-wide certificate can be used for Direct, but according to the DirectTrust Security and Trust Framework, that certificate is only authoritative for accounts and addresses representing legal employees of the HISP.)

Figure 1.

DirectTrust is of the opinion that organizations or individuals engaging in Direct exchange, whether they are sending or receiving health care information, desire to conduct business with a specific organization or individual, and with the certificate digitally representing them as a specific legal entity. They desire that trust to exist largely because, in the case of legal disputes, the specific organization or individual can be held accountable for its actions.

We maintain that a HISP cannot reasonably be held legally accountable for the security and trust behaviors of staff and employees of multiple, separate, and legally distinct HCOs or individuals within those distinct HCOs. The HISP simply does not have any standing or authority over these parties. However, by taking on such responsibility, perhaps unwittingly, they are placing themselves and their subscribers at risk of misinformation regarding the identity of subscribers using the single, HISP-wide certificate.


Given that the community of Direct implementers and users knows of and understands this risk, it is likely that they will not wish to be relying parties of HISPs that adopt the practice of using a single, HISP-wide certificate.

2. Use of a single, HISP-wide certificate is unacceptable because it may increase the risk to participants in the HISP and to all relying parties of what are known as “man-in-the-middle” attacks, which can lead to privacy breaches and identity theft. In essence, a man-in-the-middle attack occurs when an individual monitors and uses information contained within Internet traffic to successfully pretend to be someone else, in order to gain access to sensitive information. Because transactions using the same X.509 digital certificate information over and over again make it much easier to identify the target, a HISP using a single, HISP-wide digital certificate introduces this risk into its Direct implementation. The attacker in this case would use this information to decipher the one digital certificate, which takes less time and effort than to perform the same attack on one hundred or more certificates.

The end result is that instead of the attacker’s impersonation being limited to a specific organization or individual, they can now pretend to be anybody, or any organization, being serviced by the HISP utilizing this single compromised certificate. To be clear, the same risk of a given certificate being compromised exists in the recommended approach, but it is limited in impact to one organization or individual level certificate at a time, and makes it virtually impossible to do at a HISP-wide level where it creates a much larger problem.

Here is a publicized example of this type of compromise, indicating that the risk is not hypothetical.

3. Use of a single, HISP-wide digital certificate creates the situation in which security or technical problems will affect all users simultaneously. In the event there is a compromise due to an attack (such as described above), or in the case of rogue behaviors on the part of even a single participant subscribing to the HISP, relying parties may have no choice but to disable trust with that entire HISP, for example by “black listing” its single digital certificate. Because there is no way for the HISP using the single certificate for all its participants to selectively remove the offending organization or compromised individual upon notice, its only choice is to create an outage for the entire population served by that HISP while the compromised certificate is revoked and a new one is issued.

Disruptions and interruptions of service of this kind under this situation are almost certain to occur, but are both unnecessary and avoidable. We predict that subscribers to HISPs that utilize a single, HISP-wide certificate will have little tolerance for service interruptions caused by certificate revocation and re-issuance, and will in the event of such occurrences have a strong incentive to switch to Direct service providers who follow best practices and are accredited as to their adherence to them. Use of this practice of a single, HISP-wide certificate, if it were to become generalized, could weaken provider and public confidence in Direct exchange at a national level.
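As an added illustration (not part of the DirectTrust document), the following Python models the relying-party binding check behind the two certificate levels discussed above, an address-level certificate (rfc822Name SAN equal to the Direct address) and a domain-level certificate (dNSName SAN equal to the address's domain), and computes which addresses a revocation takes offline, the outage described in reason 3. All domains, addresses and certificates are constructed for the example and do not refer to any real HISP.

```python
# Added example, not DirectTrust code: relying-party certificate binding check
# and revocation "blast radius" for per-organization vs HISP-wide certificates.
from dataclasses import dataclass, field
from typing import List


@dataclass
class DirectCert:
    """Minimal model of the Subject Alternative Names in a Direct X.509 cert."""
    subject: str
    rfc822_names: List[str] = field(default_factory=list)  # address-level binding
    dns_names: List[str] = field(default_factory=list)     # domain-level binding


def certificate_binds_address(cert: DirectCert, address: str) -> bool:
    """True if the certificate is bound to this Direct address, either
    directly (rfc822Name == address) or via its domain (dNSName == domain)."""
    local, at, domain = address.rpartition("@")
    if not local or not at or not domain:
        return False  # not a well-formed Direct address
    if any(n.lower() == address.lower() for n in cert.rfc822_names):
        return True
    return any(n.lower() == domain.lower() for n in cert.dns_names)


def revocation_blast_radius(cert: DirectCert, directory: List[str]) -> List[str]:
    """Addresses that lose Direct service while this certificate is revoked
    and re-issued: every address the certificate vouches for."""
    return [a for a in directory if certificate_binds_address(cert, a)]


# Constructed sample data (hypothetical domains and addresses).
ORG_DIRECTORY = ["dr.lee@clinic-a.example", "records@hospital-b.example"]
HISP_DIRECTORY = ["dr.lee.clinic-a@hisp.example", "records.hospital-b@hisp.example"]
CLINIC_A_CERT = DirectCert("CN=clinic-a.example", dns_names=["clinic-a.example"])
HISP_WIDE_CERT = DirectCert("CN=hisp.example", dns_names=["hisp.example"])


if __name__ == "__main__":
    # The HISP's own certificate does not vouch for an address at a distinct HCO.
    print(certificate_binds_address(HISP_WIDE_CERT, "dr.lee@clinic-a.example"))
    # Per-organization certificate: a revocation affects one HCO only.
    print(revocation_blast_radius(CLINIC_A_CERT, ORG_DIRECTORY))
    # HISP-wide certificate with all participants homed under the HISP's
    # domain: a single revocation takes every participant offline.
    print(revocation_blast_radius(HISP_WIDE_CERT, HISP_DIRECTORY))
```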


The practice of using a single, HISP-wide certificate covering multiple, legally separate HCOs creates unnecessary, avoidable risks for Direct exchange participants. Widespread use could weaken provider and public confidence in Direct exchange and directly conflicts with current ONC policy.