I probably need some additional information to see if my partners can effectively share PHI at LOA 3, and I don't want to burden the list on whether the healthcare use cases defined by the Federal Health Architecture are covered by the ACES 2017 Jan policy. It's very important that the community agreed on LOA 3 for healthcare providers and LOA 2 for patients. It's not an issue about validating domain names. That's what I meant about separating Internet from US-person citizen use cases.
This goes back to 2004, when enabling legislation was created to apply the Internet to healthcare and create secure services to exchange information. Eventually, years later, the FHA sat down with the Direct Project certificate requirements; however, the two models are different in that one is based on an end user STA, and the other is a model that intentionally uses a MITM, which requires a different trust layer under HIPAA called a business associate agreement. The LOA 3 Direct STA-to-STA model does not require an additional trust framework beyond the Federal Bridge. Typically the bridge only deals with cross-certification of CAs. So to meet the requirements, the individual user certificate needs to use a root that can chain through the bridge and have a separate signing and encryption certificate.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
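The two requirements the post ends on, that an individual user certificate chains through the bridge and that signing and encryption are separate certificates, can be checked mechanically. The script below is an added example, not code from the post or from the Direct Project: it builds a constructed toy PKI with openssl (a self-signed "bridge" root that cross-certifies a partner CA, which issues one signing and one encryption certificate to a user, plus an unrelated CA that was never cross-certified), then runs the two checks a relying party would run. All names, serial numbers and the particular keyUsage bits are assumptions chosen for the demo; they are not the Federal Bridge's or the Direct Project's actual certificate profile.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): build a toy "bridge" PKI
# with openssl and check the two requirements stated in the post for an
# individual Direct user certificate: (1) it chains through the bridge, and
# (2) signing and encryption are separate certificates with separate key
# usage. All names, serials and key-usage bits below are constructed for the
# demo; they are not the Federal Bridge's or the Direct Project's profile.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Write an extension file for openssl x509 -extfile (default section only).
ext_file() {  # $1 = file, $2 = CA:TRUE|CA:FALSE, $3 = keyUsage list
  printf 'basicConstraints=critical,%s\nkeyUsage=critical,%s\n' "$2" "$3" > "$1"
}

# Generate a P-256 key and a certificate for <name>, self-signed when
# <issuer> is "self", otherwise signed by <issuer>.key / <issuer>.crt.
issue() {  # $1 = name, $2 = serial, $3 = extension file, $4 = issuer|self
  openssl ecparam -genkey -name prime256v1 -noout -out "$1.key"
  openssl req -new -key "$1.key" -subj "/CN=$1" -out "$1.csr"
  if [ "$4" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -set_serial "$2" \
      -days 365 -extfile "$3" -out "$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" -set_serial "$2" \
      -days 365 -extfile "$3" -out "$1.crt" 2>/dev/null
  fi
}

ext_file ca.ext  CA:TRUE  keyCertSign,cRLSign
ext_file sig.ext CA:FALSE digitalSignature,nonRepudiation
ext_file enc.ext CA:FALSE keyEncipherment

issue bridge     1 ca.ext  self     # bridge root: the only trust anchor
issue partner    2 ca.ext  bridge   # partner CA cross-certified by the bridge
issue user-sig   3 sig.ext partner  # user's signing certificate
issue user-enc   4 enc.ext partner  # user's encryption certificate
issue rogue      5 ca.ext  self     # unrelated CA, never cross-certified
issue rogue-user 6 sig.ext rogue    # well-formed leaf that cannot reach the bridge

# Print the decoded keyUsage line of a certificate, e.g. "Key Encipherment".
key_usage_of() {
  openssl x509 -in "$1" -noout -text | sed -n '/X509v3 Key Usage/{n;p;}' | sed 's/^ *//'
}

# Succeed only if the leaf validates up to the bridge root. The partner's
# cross-certificate is supplied as an untrusted intermediate, as a relying
# party would receive it with the message or fetch it from a directory.
chains_to_bridge() {
  openssl verify -CAfile bridge.crt -untrusted partner.crt "$1" >/dev/null 2>&1
}

# Succeed only if $1 can sign but not encrypt and $2 can encrypt but not sign.
separated() {
  sig=$(key_usage_of "$1"); enc=$(key_usage_of "$2")
  case "$sig" in *"Digital Signature"*) ;; *) return 1 ;; esac
  case "$sig" in *"Key Encipherment"*) return 1 ;; esac
  case "$enc" in *"Key Encipherment"*) ;; *) return 1 ;; esac
  case "$enc" in *"Digital Signature"*) return 1 ;; esac
  return 0
}

for c in user-sig.crt user-enc.crt rogue-user.crt; do
  if chains_to_bridge "$c"; then echo "$c: chains to bridge"; else echo "$c: NOT trusted via bridge"; fi
done
if separated user-sig.crt user-enc.crt; then
  echo "signing/encryption key usage correctly separated"
fi
```

The negative control matters: rogue-user.crt is a syntactically valid certificate with the right key usage, issued by a CA that simply was never cross-certified by the bridge, and `openssl verify` rejects it because no path reaches the trust anchor. That is the property the post relies on when it says no trust framework beyond the bridge is needed for STA-to-STA exchange: trust is decided by path validation to the bridge, not by the certificate's own contents.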