Stream: fhircast-github
Topic: fhircast-docs / Issue #233 May 2019 Ballot Comment:
Github Notifications (FHIRcast) (Apr 30 2019 at 19:54):
hl7-fhircast-bot opened Issue #233
## May 2019 Ballot Comment:
Submitted by @euvitudo
Chapter/section: Subscription Denial
Url: https://fhircast.hl7.org/specification/May2019Ballot/#subscribing-and-unsubscribing
Type: NEG :exclamation:
In Person requested: Yes :bust_in_silhouette:
Summary:
Comment: Query parameters are inherently insecure and present risk of information leakage of hub-specific metadata to any listeners. A POST via HTTPS would be much more secure and would more properly obfuscate the information in the denial. The Session Discovery section mentions that hub.topics are presented in the SMART on FHIR launch. An alternative location to place these data, if GET is preferred, is the HTTP headers.
Existing wording: If (and when) the subscription is denied, the Hub MUST inform the subscriber by sending an HTTP GET request to the subscriber's callback URL as given in the subscription request.
Proposed wording: If (and when) the subscription is denied, the Hub MUST inform the subscriber by sending an HTTPS POST request to the subscriber's callback URL as given in the subscription request.
_This issue was imported by @hl7-fhircast-bot from the consolidated FHIRcast May 2019 ballot spreadsheet._
Github Notifications (FHIRcast) (Apr 30 2019 at 19:54):
hl7-fhircast-bot labeled Issue #233
Github Notifications (FHIRcast) (Apr 30 2019 at 19:54):
hl7-fhircast-bot labeled Issue #233
Github Notifications (FHIRcast) (Apr 30 2019 at 19:54):
hl7-fhircast-bot labeled Issue #233
Github Notifications (FHIRcast) (Apr 30 2019 at 19:54):
hl7-fhircast-bot edited Issue #233
Github Notifications (FHIRcast) (May 05 2019 at 02:02):
NiklasSvenzen labeled Issue #233
Github Notifications (FHIRcast) (May 05 2019 at 02:03):
isaacvetter commented on Issue #233
Do note that HTTPS and authentication are required for each exchange, that no PHI is exchanged over GET, and that these methods are taken straight from the underlying WebSub specification.
Github Notifications (FHIRcast) (May 08 2019 at 18:52):
wmaethner commented on Issue #233
## Montreal May 2019 Working Group Vote
xx moved the following disposition, seconded by xx
Disposition: Withdrawn by author
Disposition Comment:
:+1: For: 12
:expressionless: Abstain: 0
:-1: Against: 0
:tada: The motion passed! :tada:
Github Notifications (FHIRcast) (May 08 2019 at 18:52):
wmaethner labeled Issue #233
Github Notifications (FHIRcast) (Aug 06 2019 at 15:12):
wmaethner closed Issue #233:
Last updated: Apr 12 2022 at 19:14 UTC