Updated Technical Trust Policy - Carequality
Carequality Blog

Carequality Community Publishes Updated Trust Policies

On October 1, 2018, version 2.0 of Carequality’s Technical Trust Policy (TTP) will officially go into effect. The TTP outlines security requirements and related policies for Carequality Gateways. In particular, the document outlines technical specifications around digital certificates and Transport Layer Security (TLS). This Carequality Element replaces the 2016 version (V 1.2) and is legally binding on those participating in the Query-Based Document Exchange Use Case. The updates contained therein are the by-product of Implementer feedback, the Advisory Council, and the Steering Committee, and we would like to thank all of those in the Carequality community who have taken the time to contribute to this vital endeavor. We believe that these updates align with industry standards around digital certificates and TLS versioning while allowing for additional flexibility with respect to certificate authorities (CAs). Further details of the changes to the TTP are outlined below:

  • Update TLS Version
    • Institute a requirement for TLS version 1.2 and above, with many additional details added for clarity
    • Changes to section
      • TLS Cryptographic Configuration
  • Enhance Flexibility in Certificate Authorities
    • Ensure that going forward we can use multiple CAs for redundancy and transition purposes
    • Changes to sections
      • Trust Chains (formerly, Trust Chain)
      • Certificate Filtering
      • [new] Multiple Trust Chain Support
      • [new] Appendix
  • Ensure Use of “Suspended” Certificate Status
    • Clarify that suspended/on hold certificates must not be trusted
    • Changes to section
      • Certificate Revocation and Suspended Status Checking (formerly, Revocation Checking)
  • Neutrality with Respect to the eHealth Exchange
    • In preparation for eHealth Exchange becoming a Carequality Implementer, remove any special references and guidance on dual participation
    • Changes to sections
      • Certificate Filtering
      • [removed] eHealth Exchange and Carequality Dual Trust Domain Consideration
  • Miscellaneous Clarifications
    • Various clarifications that don’t introduce policy changes
    • Changes to sections
      • Certificate Filtering
      • TLS Cryptographic Configuration
      • Instructions
      • Certificate Revocation and Suspended Status Checking (formerly, Revocation Checking)

Visit the Carequality Resources page to review Version 2.0 of Carequality’s Technical Trust Policy (TTP) alongside the other Carequality Elements.