Stream: Security and Privacy
Topic: Do we need to say anything about Certificate Management
John Moehrke (Apr 03 2018 at 14:00):
FHIR recommends use of HTTPS, so we at least have a server certificate. Given that this is typical of all http REST, actually all http anything, do we need to say anything in the FHIR specification about Certificate Management?
Kevin Shekleton (Apr 03 2018 at 15:23):
My opinion falls in line with other similar questions we've raised around existing security topics (e.g., CORS) -- there is already a ton of documentation around security best practices for certificate management and more broadly TLS configuration.
Additionally, certificate and TLS configuration is an ever-growing topic and there are always new best practices popping up. For instance, HPKP is no longer recommended and CT has gotten a lot more visibility. I don't think we'd keep up on an up-to-date set of best practices.
Grahame Grieve (Apr 03 2018 at 18:15):
at most, we might point out that clients should be able to deal with client certificate rejection in the implementers check list
John Moehrke (Apr 03 2018 at 19:19):
some basic certificate management recommendations as part of the checklist is easy... (we do have some notes in the http communication section, which we just agreed to up our recommendation to TLS 1.2)
Kevin Shekleton (Apr 03 2018 at 19:26):
...which we now need to update to TLS 1.3. :smile:
John Moehrke (Apr 03 2018 at 19:28):
not so fast... TLS 1.3 has been approved for publication, but has not yet been given a number and published...
Kevin Shekleton (Apr 03 2018 at 19:29):
Eh, it's already been implemented which is what really matters :-)
Nick Hatt (Apr 03 2018 at 21:53):
I can see where the ability to specify a CA bundle in an IG might be useful, but also could clearly be out of scope. DirectTrust would be an example of this.
John Moehrke (Apr 18 2018 at 15:14):
Direct Trust is actively involved in FHIR Connectathon tracks, leveraging their track record and experience in certificate-based authentication supporting secure communication. http://wiki.hl7.org/index.php?title=201805_Direct/Certificates_Track It would be good to get others involved to help drive toward an understanding of what should (could) be said in the FHIR standard that supports but does not tie us to a specific CA solution.
Last updated: Apr 12 2022 at 19:14 UTC