Identity Frequently Asked Questions (FAQ)
Recently the assets of SAFE Identity, including their Trust Framework, were incorporated under the DirectTrust umbrella, in a new division of the organization called DirectTrust Identity. Read on for answers to some of the more frequently asked questions.
About the Acquisition / General
DirectTrust will take over the management of policy and infrastructure behind the SAFE Trust Framework. The participants in the Policy Management Authority will become DirectTrust members. The infrastructure components that are a part of the transaction are the SAFE Identity Bridge Certificate Authority and the test lab behind the Qualified Product List.
SAFE Identity and DirectTrust share common histories as PKI trust frameworks that owe their existence to a collaboration with Federal Agencies. Particularly if one compares SAFE-BioPharma (the SAFE precursor trade association) to DirectTrust, our mission, vision, and core policies align around instilling trust between organizations. Both Trust Frameworks have a healthcare focus and are membership organizations that develop and maintain policy. For DirectTrust, assuming SAFE’s assets can be a catalyst for growth into new use cases like consumer identity credentials and pharmacy supply chain security. By incorporating SAFE’s workgroups into ours, existing conversations with CARIN and PDG, as well as new use cases for PKI like medical device security and clinical research, will be accelerated.
A Trust Framework is a collection of policies, technical specifications, and interoperability criteria that are accepted by multi-organizational participants to satisfy a particular need. In the case of digital identity in on-line transactions, the Trust Framework provides policy and technical interoperability for the issuers of digital identity credentials, the individuals asserting their identities through the use of the credentials, and the organizations relying on the identity assertions linked to the digital credentials.
Both of these Trust Frameworks use Public Key Infrastructure to secure electronic transactions. Both have processes for assessing Certificate Authorities that issue credentials for use in the frameworks. Both maintain a membership that participates in consensus-based governance and policy.
We each operate in different segments of the healthcare sphere and enable different use cases. We also use slightly different technical mechanisms to enable technical trust using public key infrastructure.
No, at least not initially. We will do the policy and technical work to allow them to interoperate for use cases that would value such interoperation. Subscription to the Bridge CA will be an incremental offering that existing DirectTrust accredited members may wish to take advantage of.
As we work to create trusted, federated consumer credentials for use in the FHIR ecosystem, having a Bridge Certificate Authority infrastructure may provide a powerful tool for creating technical interoperability with other trust frameworks. Also, the Drug Supply Chain Security Act is working to create a technical framework for organizational identity assurance. We will work with the initiative called the Partnership for DSCSA Governance (PDG) to assert a role for our trust frameworks in collaboration with others.
About SAFE Identity
SAFE Identity (and SAFE-BioPharma before it) has long provided a robust trust framework with certified Issuers that provision secure digital PKI-based credentials to the Biopharmaceutical industry. Such credentials can be utilized for many use cases of value to these members and could have broader applicability across the healthcare ecosystem. Authentication, document signing and physical access all require very high levels of identity assurance, particularly in such sensitive environments. The SAFE Identity Bridge Certification Authority has an important role to play in enabling the credentials issued by all the issuers to be trusted by all other participants in the ecosystem.
SAFE-BioPharma coined SAFE as an acronym meaning “Secure Authentication for Everyone”. SAFE Identity redefined the acronym in 2019 to mean “Signatures Authentication Federation and Encryption”.
The SAFE Identity Policy Management Authority has a core group of active biopharmaceutical companies that represent the interests of such companies that rely on SAFE credentials. Several Certificate Authorities are certified to issue SAFE credentials.
Trust is facilitated through policies and certification processes as well as technically enabled by a Bridge Certification Authority infrastructure that relying parties will use to validate that a transaction is safe if an identity assertion is trusted.
For more information about Bridges, see this explanation from NIST.
PKI-based authentication is considered to be the strongest way to authenticate a person or device on the other end of the internet. PKI combines strong identity proofing processes with strong cryptography to prove an individual’s identity not only within a company, but also between companies.
This Bridge Certification Authority is a cryptographic infrastructure that enables individuals and online services to trust each other’s digital identities for high assurance electronic transactions. It facilitates trust across multiple organizations via the approved PKI Issuers cryptographically-bound to our infrastructure through cross-certification with this Certification Authority. The Bridge is cross-certified with the Federal Bridge allowing credentials to be used for electronic transactions with federal agencies.
PKI credentials can be used for a great many use cases within a Pharmaceutical enterprise including authentication to systems, signing documents, and controlling physical access. One essential use case is the 21 CFR Part 11 FDA requirement for the digitally signed submission of reports to the agency.
No. We are incorporating their assets in ours and DirectTrust will remain just as it is today with new members and new services.
About SAFE Identity Incorporation into DirectTrust
We will welcome all participants in the PMA as DirectTrust members.
Many of our existing workgroups will be of interest including Consumer Credentials, Certificate Policies and Practices and others. That said, all members will be welcome at any workgroup meeting.
Will DirectTrust members have access to the workgroups that have been a part of the SAFE activities?
Yes. SAFE “Working groups” will become DirectTrust “Work Groups” and some may merge with existing DirectTrust Workgroups. For example, the SAFE Technical Policy Working Group may become a new sub-group of the Certificate Policy and Practices Workgroup to facilitate creating the interoperation between the two trust frameworks.
They provide the same functional capability (to allow for federated trust) but do so with different means. DirectTrust is planning to enable trust and interoperability between the bridge and the Trust Bundle for at least some use cases.
There are two different Certificate Policies, but both support the latest NIST Guidance on levels of identity and authentication assurance.
Yes, since Certificate Policies are different and cross-certification with the Identity Bridge Certification Authority is handled differently than DirectTrust accreditation. Over time we will look to modularize our accreditation process so that CAs can participate in one, the other, or both frameworks without needing to duplicate efforts. We will immediately move to remove duplicative charges for evaluating CA/RAs even if the actual process of accreditation will differ.
The SAFE Certificate Policy will not change immediately and may remain distinct from the DirectTrust CP for some time. Rather than merging these policies, mapping them and providing a mechanism for cross-certification will likely change both policies. Other policies will need review to ensure there are no conflicts, but most of the general policies DirectTrust relies upon will remain unchanged. Duplicative policies in use at SAFE will be sunset.
How will the incorporation of the SAFE assets in DirectTrust affect the DirectTrust existing policies?
DirectTrust policies will remain in force, but some SAFE policies will be maintained in parallel. Duplicative SAFE policies will be eliminated where possible.