FAST Security STU3 Prioritization Survey
Welcome to our FAST Security Survey for STU 3 priorities. We will be asking for some context, overall priority, and then priority within each potential task. Please provide your feedback and reach out if you want to have a direct conversation.
1.
Section A - About You
Organization Name
2.
Your role (check all that apply)
Payer
Provider
Health IT Vendor
EHR
HIE/QHIN
Identity/PKI provider
Testing/Validation
Government
Standards SME
Other (please specify)
3.
Region(s) you operate in
US
EU
UK
Canada
APAC
LATAM
Other (please specify)
4.
Implementation status with FAST Security today
Planning
Prototyping
Testing/Connectathon
Pilot
Production
Not using yet
5.
Section B - Overall STU3 Priorities
Check your top 3 choices for STU 3
Post Quantum Cryptography (signing + TLS hybrid)
https://www.nist.gov/cybersecurity/what-post-quantum-cryptography
Token Binding / Proof of Possession for bearer tokens
https://auth0.com/docs/secure/sender-constraining/demonstrating-proof-of-possession-dpop
JKU (JWK Set URL) support
https://stytch.com/blog/understanding-jwks/
End-to-end application-layer encryption / signing (multi-hop)
https://utimaco.com/service/knowledge-base/encryption/what-application-layer-encryption
Universal Realm publication
Packaging changes (split Tiered OAUTH into a separate IG)
Other (please specify)
6.
For your top 3 items above, briefly say why you ranked it highly and what success looks like
7.
Additional comments
8.
Section C - Post-Quantum Cryptography (PQC) - Priority 2026-2028
Identify a priority (1 is critical interest and 5 is low)
1 - Critical
2
3
4
5 - Low
Not a priority
Critical
Other (please specify)
9.
Preferred signing approach during transition
Dual signatures (legacy + PQC) on assertions (JSON serialization)
PQC - only once available
Legacy until mandated
Other (please specify)
10.
What blockers do you foresee for PQC (tooling, libraries, performance, policy, certification)?
Tooling
Libraries
Performance
Policy
Certification
Other (please specify)
11.
Section D - Token Binding / Proof of Possession
Priority to reduce bearer-token misuse by binding tokens to a client key (non-mTLS PoP)
1 is top and 5 is lowest level
1
2
3
4
5
Other (please specify)
12.
If adopted, preferred posture
Optional
Recommended
Required for B2B
Do not include
Other (please specify)
13.
Where would you use PoP first?
Bulk / batch data
Payer-to-Payer
Prior auth
Directory queries
Patient access
Other (please specify)
14.
Additional comments
15.
Section E - JKU (JWK Set URL) Support
Interest in JKU as an alternative to embedded certs
Strong interest
Some interest
Neutral
Concerned about risk
Not needed
Other (please specify)
16.
What would you need to adopt JKU safely?
Pinning rules
Caching rules
Rotation guidance
Availability/SPOF Guidance
Example configs
Conformance tests
Other (please specify)
17.
Additional comments
18.
Section F - End-to-End Message Protection (Scope Exploration)
Appetite to explore application-layer encryption/signing for multi-hop paths (beyond TLS)
Develop in STU3
Document as future consideration
Not interested
Other (please specify)
19.
If interested, name potential use cases you see as likely candidates (e.g., intermediaries, gateways, content confidentiality across hops)
20.
Additional comments
21.
Section G - Universal Realm Publication - Path Preference
Minimal/no changes and send for May Universal Realm ballot
Add capabilities before sending to Universal ballot together later in 2026
Publish Universal and a dependent US-Realm profile simultaneously in 2026
22.
For non-US implementers: what, if any, changes would you see as necessary for adoption?
23.
Section H - Packaging (Split vs. Bundled IG)
Should Tiered OAuth be split into its own IG or remain within FAST Security?
Split into its own IG
Remain with FAST Security
Other (please specify)
24.
Additional comments
25.
Section I - Adoption, Testing, and Timelines
What do you see as potential for testing at the May and/or September Connectathon? (Check all that apply)
Token binding
JKU
PQC dual-signatures
TLS hybrid KEX
Nothing this round
Other (please specify)
26.
What additional resources would you need from FAST to pilot?
Sample configs
Reference implementations
Test scripts & certifications
Security considerations
Interop matrix
Office hours
Other (please specify)
27.
Target timeline for your org to try one new capability
Multiple choice with all in Q26
< 6 months
6-12 months
12-18 months
18+ months
Not planned
Other (please specify)
28.
Section J - External Alignment
Where are you seeing ambiguity or conflict with Da Vinci HRex (e.g., RFC 8705 usage, multiple security options)?
29.
Which forums should FAST deepen coordination with?
IETF OAUTH
JWT/JWS JOSE
HL7 Security WG
Da Vinci Architecture
TEFCA/RCE
CARIN
Kantara
PKI Consortium
Open ID Foundation
Other (please specify)
30.
Section K - Final
What other topics should we consider for STU3?
31.
Additional comments
32.
Please enter your email if you would like to be contacted for follow-up or a brief interview.