FHIR Chat · FHIR's JSON canonicalization scheme is normative? · implementers

Stream: implementers

Topic: FHIR's JSON canonicalization scheme is normative?


Josh Mandel (Sep 28 2021 at 17:54):

http://build.fhir.org/json.html#canonical is normative. Has anyone implemented this in a real-world system? (Or any system?)

Grahame Grieve (Sep 29 2021 at 06:08):

I have, and played with it for signatures, but not in a real-world use case

Grahame Grieve (Sep 29 2021 at 06:09):

@Evgenii Kogan did you use this?

Evgenii Kogan (Sep 30 2021 at 08:38):

Yes, we do. We require laboratories to send JSONmin for signed lab results (bundle). Not every result is now signed, but some of them, starting at 2020.

John Moehrke (Sep 30 2021 at 12:58):

what kind of signature do you use?

Evgenii Kogan (Sep 30 2021 at 15:06):

We use qualified advanced digital signature.

Evgenii Kogan (Sep 30 2021 at 15:27):

Oops. API requires to send both JSON and PDF, and allows to sign or leave unsigned any of them. I am now unsure how many JSONs are really signed, if any. I will come back with the answer.

nicola (RIO/SS) (Sep 30 2021 at 17:09):

Is FHIR canonization the same as https://www.rfc-editor.org/rfc/rfc8785?

Eric Haas (Sep 30 2021 at 17:55):

@Evgenii Kogan have you documented your signature requirements for JSON and, assuming it is in English, can you share your documentation?

Eric Haas (Sep 30 2021 at 18:04):

I guess I would ask: if you follow https://www.rfc-editor.org/rfc/rfc8785 does that mean you have got http://build.fhir.org/json.html#canonical covered? Especially for the text/narrative xhtml parts?

Josh Mandel (Sep 30 2021 at 23:03):

@nicola (RIO/SS) it is not. Especially around handling numbers, I think.

Evgenii Kogan (Oct 26 2021 at 20:28):

@Eric Haas Sorry for dropping out. The doc is in Russian. The only signature technical requirement in it is the following:
The Lab Result should be sent with the qualified advanced digital signature of the Laboratory Organisation. Signature should use R34.10-2012 algorithms (it is a local standard), have Cryptographic Message Syntax, and be sent in the Base64binary format in the HTTP header.
Example: . signature: MIIThvcNAQcCoIITZjCCE2ICAQExDjAMBggqhQMHAQECAgUAMAsGCSqGSIb3DQEHAa... 

In order to make the signature validation possible JSON should be minimised (JSONmin). It should not contain tab, space and other special symbols. Example: . {"resourceType":"Bundle","type":"transaction","meta":{"profile":["Struct...

Evgenii Kogan (Oct 26 2021 at 20:32):

...canonical - It is not covered. Developers say there was no need for that, because the whole JSON string is signed, not separate fields.

Evgenii Kogan (Oct 26 2021 at 20:37):

Additionally, I asked about real signatures - yes, some Labs send signed JSON strings.

Eric Haas (Oct 26 2021 at 20:51):

Thanks for the summary. What was the rationale for putting the signature in the header and not using the signature element or Provenance?

Josh Mandel (Oct 27 2021 at 21:14):

Signature element of what, in a single lab result? Provenance stored where? An approach using those here isn't obvious, and signing a well defined serialized string... is pretty straightforward.


Last updated: Apr 12 2022 at 19:14 UTC