Stream: bulk data
Topic: Public & Private Keys For Bulk Client Registration
Nihar (Aug 23 2021 at 14:28):
Hello: We are implementing the Registration Process for Bulk Clients and we have a few queries related to the public and private key pair -
Do we mandatorily need to implement functions for an X.509 certificate for the Public & Private Key Pair and an X.509 certificate thumbprint, so that the client uploads the pair of keys during registration? Please suggest.
Thanks in advance.
Vladimir Ignatov (Aug 23 2021 at 14:40):
- Generate the key pair however you want. The client only needs the private key to function.
- The private key can be JWK, PEM, or whatever your code is working with.
- The public key must be a JWK.
- If the server you are registering with supports JWKS URL auth, put your public JWK in a JWKS and host that at a public location. Then provide that as the jwks url at registration.
- If the server you are registering with does not support JWKS URL auth, then you will have to provide that public JWK at registration.
In any case, you DO NOT upload a key pair anywhere.
Nihar (Aug 23 2021 at 15:24):
Hi @Vladimir Ignatov :
It means the Private Key is never required to reach the server for authorization and authentication.
What I mean is: "The Client uploads the Public Key during registration; then, during the access token request, the Client creates a JWT that is signed by the Private Key... after that, when the JWT reaches the Server, the server validates the signature using only the Public Key."
Please suggest, is this the correct understanding?
Vladimir Ignatov (Aug 23 2021 at 15:30):
Exactly! The private key must remain private and not reach any servers. Your client uses it to sign the JWT. Because the server knows what the corresponding public key is (provided at registration or fetched from a jwks url later), it will be able to verify that your token has been signed with the correct private key - the one that only you have access to.
John Moehrke (Aug 23 2021 at 15:34):
I think this is something the "Security for Scalable Registration, Authentication, and Authorization" implementation guide that is out for ballot is trying to clarify -- http://hl7.org/fhir/us/udap-security/2021Sep/index.html
Nihar (Aug 23 2021 at 18:53):
@Vladimir Ignatov : Thank you very much for the clarity and for getting us in the correct implementation direction. We understood the process.
@John Moehrke : In the implementation guide, it defines that x5c will be a required parameter in the future, so does it mean that implementing X.509 certification of the Public Keys will be mandatory under the client registration process? Are we understanding this correctly from the ballot implementation guide? Please suggest.
John Moehrke (Aug 23 2021 at 18:54):
Please submit a comment on the ballot.
Nihar (Aug 24 2021 at 14:27):
Hi @John Moehrke : Thank you for the clarification. Can you please also guide us on how to submit a comment on the ballot?
John Moehrke (Aug 24 2021 at 14:31):
The bottom of the spec has the link for making comments -- look for "Propose a Change".
Lloyd McKenzie (Aug 24 2021 at 14:37):
You'll need to do a one-time (free) registration and a human will confirm that you seem like a real human. After that, you can submit feedback at will.
Last updated: Apr 12 2022 at 19:14 UTC