Stream: fhircast-github
Topic: fhircast-docs / Issue #234 May 2019 Ballot Comment:
Github Notifications (FHIRcast) (Apr 30 2019 at 19:54):
hl7-fhircast-bot opened Issue #234
## May 2019 Ballot Comment:
Submitted by @euvitudo
Chapter/section: Intent Verification Request
Url: https://fhircast.hl7.org/specification/May2019Ballot/#subscribing-and-unsubscribing
Type: NEG :exclamation:
In Person requested: Yes :bust_in_silhouette:
Summary:
Comment: Query parameters are inherently insecure and present risk of information leakage of hub-specific metadata to any listeners. In particular, the hub.challenge is easily obtained from the URL and can be echoed from a MITM. A POST via HTTPS would be much more secure and would more properly obfuscate the information in the request. The Session Discovery section mentions that hub.topics are presented in the SMART on FHIR launch. An alternative location to place these data, if GET is preferred, is the HTTP headers.
Existing wording: The Hub verifies a subscription request by sending an HTTPS GET (RFC2818) request to the subscriber's callback URL as given in the subscription request.
Proposed wording: The Hub verifies a subscription request by sending an HTTPS POST request to the subscriber's callback URL as given in the subscription request.
_This issue was imported by @hl7-fhircast-bot from the consolidated FHIRcast May 2019 ballot spreadsheet._
Github Notifications (FHIRcast) (Apr 30 2019 at 19:54):
hl7-fhircast-bot labeled Issue #234
Github Notifications (FHIRcast) (Apr 30 2019 at 19:54):
hl7-fhircast-bot labeled Issue #234
Github Notifications (FHIRcast) (Apr 30 2019 at 19:54):
hl7-fhircast-bot labeled Issue #234
Github Notifications (FHIRcast) (Apr 30 2019 at 19:54):
hl7-fhircast-bot edited Issue #234
Github Notifications (FHIRcast) (May 05 2019 at 02:00):
NiklasSvenzen labeled Issue #234
Github Notifications (FHIRcast) (May 05 2019 at 02:02):
isaacvetter commented on Issue #234
Hey Phil!
Do note that HTTPS and authentication are required for each exchange, that no PHI is exchanged over GET, and that these methods are taken straight from the underlying WebSub specification.
Github Notifications (FHIRcast) (May 05 2019 at 02:03):
NiklasSvenzen labeled Issue #234
Github Notifications (FHIRcast) (May 05 2019 at 03:52):
euvitudo commented on Issue #234
Hey Isaac,
I just realized that I was mistaking the fact that query strings are not encrypted in server logs for not encrypted at all. I think I'm ok with this for this issue and #233.
Github Notifications (FHIRcast) (May 08 2019 at 14:57):
wmaethner labeled Issue #234
Github Notifications (FHIRcast) (May 08 2019 at 18:52):
wmaethner commented on Issue #234
## Montreal May 2019 Working Group Vote
xx moved the following disposition, seconded by xx
Disposition: Withdrawn by author
Disposition Comment:
:+1: For: 12
:expressionless: Abstain: 0
:-1: Against: 0
:tada: The motion passed! :tada:
Github Notifications (FHIRcast) (May 08 2019 at 18:52):
wmaethner labeled Issue #234
Github Notifications (FHIRcast) (Jun 05 2019 at 14:15):
wmaethner unlabeled Issue #234:
Github Notifications (FHIRcast) (Sep 11 2019 at 20:34):
wmaethner commented on Issue #234:
Closing since the author withdrew the comment
Github Notifications (FHIRcast) (Sep 11 2019 at 20:34):
wmaethner closed Issue #234:
Last updated: Apr 12 2022 at 19:14 UTC