Append ToI: Security Certificate Provisioning

[ToddCooper]

See Topic: Security Certificate Provisioning.

Note: TOI won't be fully resolved in SDPi 1.0. But a VERY simple guidance will be added (Vol1, SDPi-P SES)

From SDPi 1.0 Workshop: David will provide a general description in SDPi-P, SES. Needs to be revisited at a later date together with Accelerator program.

Update SDPi 1.1/1.2 workshop: We have three different concerns to solve: Access control, transport layer security and establishing vendor to vendor trust. In this version, we'll document the current status.

Access control:

• In the responsibility of the hospital
• Currently only supported by technologically advanced hospitals
• For the time beeing, we use allowlists to supplement the non-existing infrastructure (also replaces revocation of certificates) - this is burdensome for the customers but solves the problem (Format of the allowlist will be specified in version 1.3)
• Technologically advanced hospitals can use their own certificates for network access but should not be involved in the trust debate ---> come up with recommendations, but no requirement for devices.

Transport layer security:

• Done by TLS
• Currenly mixed with layer three
• Will be placed on the Glue and PKP revision agenda ---> Briefly describe current status

Compliance to standards - vendor to vendor trust

• Vision: Will be done by an independent organization in the future. Supported by a SDPi conformity assessment program to pave the way.
• For the time beeing, vendors sign their own certificates. Trust is established based on agreements between vendors. ---> Describe the current status and future vision.

Follow up actions are described in the related tickets (#197, #198 , #199 ).

[AnnaFeiler]

Shouldn't this be a 1.2 issue?

[ToddCooper]

To be discussed at July 2023 Lübeck Workshop.