FHIR Chat · Trusted app instance registration and UDAP · Security and Privacy

Stream: Security and Privacy

Topic: Trusted app instance registration and UDAP


Josh Mandel (Dec 14 2021 at 19:42):

Last week @Gino Canessa and I had the chance to do a deep dive on "trusted registration" for individual client instances (e.g., a copy of an app on my phone that authenticates with its own device-bound keys). We looked at some of the building blocks in UDAP for this, which were quite helpful -- but we also documented a number of discovered issues.

https://www.youtube.com/watch?v=PyjxmVPSnx8 is an overview video talking through the use case, technical approach, and the (quick and dirty!) demo we built.

In addition to these technical findings, one of the process challenges which I've highlighted in FHIR-33275 is that the UDAP ballot depends directly on drafts that aren't going through the HL7 process, so the discovered issues re: endorsement metadata, signature schemes, etc. can't adequately be addressed within the scope of the 2021 ballot. I'd really like to see UDAP support (or at least: leave out of scope and not make decisions to prevent) this pattern of client registration.

Josh Mandel (Dec 14 2021 at 20:21):

FYI @Luis Maas, this was the first time I've rolled up my sleeves with UDAP :-)

Luis Maas (Dec 14 2021 at 20:43):

Great! I'll take a look. Several areas where your input on this would be welcomed!


Last updated: Apr 12 2022 at 19:14 UTC