Stream: australia
Topic: NCTS Profile Discussions
Grahame Grieve (May 18 2016 at 00:39):
CSA-9 - why are those operations SHOULD? I think they are more important than translation, which is difficult to use
Grahame Grieve (May 18 2016 at 00:42):
CSA-15 - this would appear to be a SHOULD - why force a server to implement this if it will never run in a closed secure zone?
Grahame Grieve (May 18 2016 at 00:43):
CSA-17 through CSA-21 are really hard. I have no idea what settings to use on openSSL, for instance, to conform to these
Grahame Grieve (May 18 2016 at 00:43):
and I expect that CSA-20 will be problematic operationally if I figured out how to conform to them
Grahame Grieve (May 18 2016 at 00:50):
for instance, I believe this excludes windows phone based clients
Grahame Grieve (May 18 2016 at 01:03):
and is there any way to test this? I'd like to know how far from this https://terminology.hl7.org.au/closed is
Michael Lawley (May 18 2016 at 01:10):
CSA-9 (b) Does "value set based validation" mean $validate on the ValueSet type?
Grahame Grieve (May 18 2016 at 01:11):
that's how I interpreted it
Michael Lawley (May 18 2016 at 01:12):
+1 for CSA-15 being SHOULD
Michael Lawley (May 18 2016 at 01:13):
CSA-17 through CSA-21 should at least be supported by implementation guidance for common libraries such as OpenSSL so that people can easily "do it right"
Grahame Grieve (May 18 2016 at 01:14):
yep. hard stuff
Michael Lawley (May 18 2016 at 01:21):
CSA-29 what if the server only supports HTTP and unauthenticated access?
Michael Lawley (May 18 2016 at 01:22):
CSA-31 browsers will not do this
Grahame Grieve (May 18 2016 at 01:22):
CSA-22 - same comment as CSA-15
Grahame Grieve (May 18 2016 at 01:23):
I don't know what CSA-23 means
Grahame Grieve (May 18 2016 at 01:23):
I mean, I think it means, what automatically happens during the SSL hand-shake. If it doesn't, how do I conform to it or not?
Grahame Grieve (May 18 2016 at 01:24):
CSA-26 - browser based applications won't be able to conform to this either. Nor should they have to
Michael Lawley (May 18 2016 at 01:24):
CSA-32 runs counter to oft-provided security advice for securing production web servers
Grahame Grieve (May 18 2016 at 01:24):
@Michael Lawley this is fun. We can fill Reuben's day up while he's up there speaking
Grahame Grieve (May 18 2016 at 01:25):
I don't understand CSA-29 at all
Grahame Grieve (May 18 2016 at 01:25):
either you enforce OAuth itself, or you allow any kind of bearer token
Michael Lawley (May 18 2016 at 01:28):
CSA-23 etc. I don't either; it's unclear to me whether this is different to the "normal" behaviour of establishing a TLS connection with standard libraries (i.e. as you might get with Java, Spring Boot, etc.)
Michael Lawley (May 18 2016 at 01:34):
CSA-33 if there were multiple roots, wouldn't they, by definition, be different servers/services?
Michael Lawley (May 18 2016 at 01:34):
CSA-34 not at the same time :-)
Michael Lawley (May 18 2016 at 01:36):
CSA-35, CSA-37 are these just re-statements of the FHIR RESTful API requirements?
Michael Lawley (May 18 2016 at 01:37):
CSA-36 _format MUST allow for the simple values "json" and "xml"
Michael Lawley (May 18 2016 at 01:40):
[For context, all these CSA-xx references are with respect to this document https://collaborate.nehta.gov.au/download/attachments/5178650/NCTS%20Conformant%20Server%20Applications-TSS-1%200.pdf?version=1&modificationDate=1463385282066&api=v2]
Grahame Grieve (May 18 2016 at 02:08):
@Michael Lawley - why do you see CSA-32 as a security issue?
Grahame Grieve (May 18 2016 at 02:09):
CSA-31 and CSA-32 seem like they are intended to create a custom trading arrangement that divides the ecosystem. I don't understand their benefit at all.
Grahame Grieve (May 18 2016 at 02:10):
require an extension in the conformance resource, if you will, but it should be done out of band, in the conformance stuff, and not on the headers, which many people can't control well
Michael Lawley (May 18 2016 at 02:10):
We get advice from pen testers & security types that when setting up, e.g., Apache, the headers that indicate the Apache version should be removed
Grahame Grieve (May 18 2016 at 02:10):
but this is not the software version, it's the spec version
Grahame Grieve (May 18 2016 at 02:11):
it's not going to help a hacker find stack vulnerabilities
Grahame Grieve (May 18 2016 at 02:11):
agree CSA-33 is a non-statement
Michael Lawley (May 18 2016 at 02:13):
of course - spec version not software version (that's in the /metadata :-)
but absolutely agree that the headers are not an obviously useful thing and requiring them violates the requirement that browsers are valid clients
Grahame Grieve (May 18 2016 at 02:15):
CSA-43 & CSA-47 appear to require that all content is conformant to the content specifications
Grahame Grieve (May 18 2016 at 03:59):
CSA-43 seems like a null statement
Grahame Grieve (May 18 2016 at 04:01):
(deleted)
Grahame Grieve (May 18 2016 at 04:04):
CSA-43 - I'm not sure what a pre-condition is. If you have to meet this pre-condition to do a create.... or if you have to meet this pre-condition to apply the rest of the conformance statements - or whether it's just a null statement
Grahame Grieve (May 18 2016 at 04:04):
CSA-44 is wrong twice over - client should not have to check (though you might have a rule that it needs to handle errors gracefully), and the conformance resource is the wrong place to look
Peter Postmus (May 18 2016 at 04:13):
DELETE method for http://terminology.hl7.org.au/open/Patient/11 "Resource Id Mismatch 11/10 (2)" while the patient 11 certainly exists
Last updated: Apr 12 2022 at 19:14 UTC