Objective of Meeting
Role of MHDC
Secure Messaging Gateway Certification
Questions
Attendee List
1. Introduction
This meeting was arranged in order to brief the vendors of Secure
Messaging Gateway projects on the plan for MHDC and The Open Group to work
together on the development of a Certification Program for Secure
Messaging Gateway products, and to invite vendors to participate in the
development of the program.
The immediate next step will be a working
meeting in early September 2003, open to members of The Open Group
Messaging Forum and MHDC and vendors of messaging products.
The objective of the meeting will be to finalize the
specification to be used as the basis for certification.
2. The Role of MHDC
Joe Miller from MHDC explained the role of MHDC and the background to
the Secure Messaging Gateway project.
The MHDC CIO forum represents 35 Massachusetts-based healthcare
organisations. At their meeting earlier on Thursday July 24th, the CIOs committed to a joint project
with The Open Group and product vendors, sponsored by at least 6 of their members,
to develop and implement interoperable S/MIME gateways.
This sponsorship includes funding for a program manager and a commitment
to procure certified Secure Messaging Gateway products on successful
completion.
3. The plan for Secure Messaging Gateway Certification
Mike Lambert from The Open Group presented
the plan for the development of the Secure Messaging Gateway Certification
program, stressing that MHDC and The Open Group had committed to the
program.
3.1 Introduction to The Open Group and Messaging Forum
The presentation started by introducing The Open Group and the
Messaging Forum.
- The role and activities of The Open Group as a global consortium committed to delivering greater business efficiency by bringing together
buyers and suppliers of information technology to lower the time, cost and risk associated with
integrating new technology across the enterprise:
  - working with customers to capture, understand and address current and emerging requirements, establish policies and share best practices;
  - working with suppliers, consortia and standards bodies to develop consensus and facilitate interoperability, to evolve and integrate open specifications and open source technologies;
  - offering a comprehensive set of services to enhance the operational efficiency of
    other consortia;
  - and developing and operating the industry’s premier certification service and encouraging procurement of certified products.
- The reasons why The Open Group is well positioned for this role:
  - Legal Infrastructure, registered under the US co-operative
    research act
  - Cross Industry, bringing customers and suppliers together
  - Vendor and Technology Neutral, no preferred or excluded
    technologies
  - Global Operation, offices in Europe, US and Japan
  - World Leader in Testing and Conformance
  - Strong Base in Enterprise Integration
- The Messaging Forum, evolved from the work of EMA and simply focused
on improving the effectiveness of electronic messaging with work in
the following areas:
  - Secure Messaging. The Open Group Secure Messaging Challenge
    demonstrated multi-vendor end-to-end secure email. This has been
    extended to address interoperability issues between different
    secure mail scenarios, including security at the domain gateway.
  - Coping with Spam. A Managers Guide to coping with Spam is under
    development.
  - Unified Messaging. Work is going on to better understand the
    match between customer requirements and current product
    capabilities.
  - Instant Messaging. Work has just started on identifying the
    issues associated with Instant Messaging in the enterprise.
3.2 Certification
The next phase of the presentation addressed the need for Certification
and ways to develop certification programs.
The underlying objective of certification is very
simply:
Broadly available vendor products that fully
meet the customer need and interoperate with products from other
vendors.
The Open Group operates a certification program
under International Trade Mark law.
The Trademark is protected. No-one may use the "Open
O" logo unless they have signed an agreement with The Open
Group.
The use of the Trademark means that the supplier commits that
the product conforms fully to the specification it claims to.
If the Trademark is misused, The Open Group takes legal action
and has a track record of success.
The development of a Certification Program
potentially involves a number of steps
- Understand the customer need. The Open Group Architecture
Framework (TOGAF) includes a methodology for understanding and
documenting customer needs.
- Define the appropriate solution in terms of a collection or
profile of relevant standards. (The Open Group has a policy of
working with other standards bodies).
- Define how the Certification program will work (The Certification
Policy). This includes the definition of "indicators of
compliance" such as the execution of test suites and/or
participation in interoperability trials to demonstrate
conformance.
At all stages it is necessary to get the buy-in of suppliers
and validate the proposed solutions with customers.
There are two approaches that The Open Group offers for certification:
- The Open Group develops and operates certification programs as a
service for other organizations, against specifications provided. In
such cases The Open Group Trademark is not used. Examples of this
include programs developed for:
- Schools Interoperability Forum
- WAP Forum (Now OMA)
- Free Standards Group
- Consensus programs developed by The Open Group against
specifications developed through The Open Group's consensus program.
These are developed where there is a broad industry need. Examples
include:
For the Secure Messaging Gateway Certification program, the second
approach will be used, because
- We believe that there is a broad industry need
- The approach broadens customer buy-in (and increases the value to
vendors by avoiding the development of multiple divergent programs by
different groups)
The elements of a successful certification program are:
| Certification Policy |
The Certification Policy ties together all of the
other elements and defines how the program will operate.
|
| The Specification |
The Specification, referred to as the Product
Standard, defines precisely what the product must conform to
in order to be certified. This is usually a profile of different
standards that are integrated to meet the customer need. This
integration process may introduce additional specificity,
including the selection of options within the underlying
standards, but may not "break" the underlying standards.
|
| Trademark License Agreement |
The Agreement that suppliers must execute before
being permitted to use The Open Group trademark.
|
| Trademark Usage Guide |
Rules for the usage of The Open Group's Trademarks. |
| Indicators of Compliance |
Indicators of compliance define how the supplier
must demonstrate conformance before an application for
certification can be accepted. This may include:
- Test reports from formal conformance tests
- Participation in informal testing events
- Vendor declarations
It is important to note that Certification means a commitment
to conformance to the total specification, not simply the elements
that are tested. This means that certification has value, even in
the absence of formal testing.
|
| Formal/Informal Tests |
If the indicators of compliance include any element
of testing, then the appropriate conformance tests, environments,
test scripts etc. have to be developed and tested to the level
at which they are acceptable as indicators of compliance.
|
| Conformance Statement Questionnaire |
The conformance statement questionnaire (CSQ)
defines how a specific product conforms to the specification.
Wherever there are any alternatives or options in the
specification, the CSQ includes a question so that customers can
make a judgment about any interoperability issues. Completed CSQs
are public documents, allowing different products to be compared.
|
| Certification Application |
The certification application form is the means by
which a supplier requests certification for a product.
|
| Register of Branded Products |
The register of branded products is the definitive
list of currently certified products, accessible via The Open
Group's web site.
|
| Customer Procurement |
Since the objective of the whole program is the
broad availability of product, it is important to ensure that
suppliers are motivated to deliver certified product. The most
effective way of achieving this is through committed customer
procurement programs.
|
| Interpretation Process |
There will inevitably be times where the
specification has been interpreted differently by different
parties. In such situations, The Open Group operates an impartial
and anonymous interpretation process that allows for clarification of
the ambiguity without the identity of suppliers of any products
involved being disclosed to those making the interpretation.
|
| Renewal |
All certification programs include annual renewal
as a means to ensure ongoing conformance.
|
The items in bold will need to be developed for the SMG Certification
Program. The other elements can be taken "off the shelf" as part
of The Open Group's Open Brand program.
3.3 SMG Certification - Key Tasks
The key tasks that have to be completed for SMG Certification are:
Agree the Specification
The first step is to build consensus with a working group (this is a
joint activity of The Open Group and MHDC)
The specification is subject to the formal Open Group Company
Review process to measure consensus (this is one of the key procedures
that are necessary for the co-operative research act registration).
This is a "yes-if" review. Reviewers define specific changes
that would make the specification acceptable. Members of The Open Group
Messaging Forum will vote on whether to accept the proposed changes.
Define and agree the Conformance Statement Questionnaire
The CSQ, which defines how optionality within the specification is
handled, is developed in the same way as the specification, and is also
subject to the Company Review process.
Build customer demand
In this project, the commitment of the MHDC participants will achieve
this.
Build vendor buy-in to make products conformant
3.4 Next Steps
The immediate next step will be a working meeting in early September
2003, open to members of The Open Group Messaging Forum and MHDC and
vendors of messaging products.
The objective of the meeting will be to finalize the specification to
be used as the basis for certification.
4. Questions
During the presentation, a number of questions were raised. The
following is not exhaustive, but attempts to address the most significant
issues.
| Q: |
What is the status of the IETF DOMsec
specification? |
| A: |
The RFC has expired and is waiting for further work. |
| Q: |
How does the voting work? |
| A: |
During the development work, we will seek
"rough consensus" in the working group.
During the formal review, anyone may raise a Change Request, but
members of the Messaging Forum vote on acceptance. 75% Yes means
acceptance. 75% No means rejection. Anything in between requires
further discussion. 75% represents a stable majority, without
giving any single company the power of veto. |
| Q: |
How do we synchronize with other groups working
in the same area? |
| A: |
We do not normally attempt to synchronize review
cycles with other groups because of different time cycles.
We do have a commitment to respect underlying standards. So if
The Open Group profile references a specific version of another
organization's document, we work within that organization to
"defend" the areas we have adopted. If the other
standard changes, our specification will need to be reviewed. |
| Q: |
What needs to be tested? |
| A: |
The level of testing will be determined as part of
the development of the certification program. The level of testing
can change over time.
Minor "service releases" typically don't require
retesting. Major new releases of a product will require retesting. |
| Q: |
What will this cost? |
| A: |
There will be a royalty associated with
certification. Fees have not yet been determined but are likely to
range between $3000 and $22000 per annum, according to company
size. In particular, we want to ensure that small companies are
not priced out of the program. There will be a significant
discount for members of The Open Group Messaging Forum (in effect,
members will be given full credit for their membership to offset
the certification fees). |
| Q: |
What is the difference between compliance and
interoperability? |
| A: |
There is a fine line. Compliance to the
specification should, if the specifications are totally complete,
result in interoperability. In practice this is not always the
case. Demonstrated interoperability through PLUGfests is a valuable
part of an interoperability certification program.
The Open Group approach to PLUGfests involves closed room
"technical" interaction, under non-disclosure, with no
press and marketing people present. This gives engineers the
freedom to admit to and resolve real interoperability problems. |
| Q: |
How do the tasks of The Open Group get
completed, and who provides the staff to carry out the work? |
| A: |
The Open Group is a consortium. The majority of
work is carried out by its members, not by staff of The Open
Group. We expect representatives of customers to provide resource
to define the problem and of suppliers to help develop the
technical specifications. The Open Group provides a technical and
legal infrastructure and some management and facilitation. |
| Q: |
How can we extend involvement beyond MHDC into
other industry areas and other regions? |
| A: |
This is an important aspect of the program. The
best way of achieving this is for participants to introduce us to
other potential participants.
- MHDC can introduce us to similar organizations in other
states
- MHDC members can introduce us to contacts in other
industries
- Messaging system vendors can introduce us to their customers
|
Attendee List
|