FHIR Chat · Digital Signature Verification · implementers

Stream: implementers

Topic: Digital Signature Verification


Grahame Grieve (May 11 2017 at 09:34):

so say I'm a client holding a FHIR document bundle. And it's got a signature, and I want to verify the signature. And I have a handy-dandy FHIR server at my beck and call. How do I get the server to verify it for me?

presumably an operation...? Any inputs other than the document? Output is boolean true|false? or is there more?

John Moehrke (May 12 2017 at 10:09):

which signature are you trying to validate? What purpose are you trying to assure? It could validate as many signatures as possible and return an operationOutcome for each found, indicating what identity the signature was from, success/failure, date/time of that signature, purpose of that signature, and if certificate chain was fully validated. --- There are general IT signature validation services... we should not need to re-invent, but if we do then we should be respectful of their lessons-learned...

Grahame Grieve (May 12 2017 at 11:41):

Well, the first and most obvious use is 'has this document been tampered with?' - I'd stick to just that for now

John Moehrke (May 15 2017 at 20:43):

that is what a timestamp signature service does. It just creates a digital signature (XML-Sig) for the bits it is given. The purpose is to sign the bits to detect change, and apply a timestamp within the XML-Sig blob, which is part of the signed stuff. So the who-signs is the service, and the purpose of signature is timestamp signature.

John Moehrke (May 15 2017 at 20:45):

these services exist on the internet... aka Digital Postmark -- https://en.wikipedia.org/wiki/Digital_Postmarks

John Moehrke (May 15 2017 at 20:48):

well... they did exist... hard to support a business ahead of the demand...


Last updated: Apr 12 2022 at 19:14 UTC