FHIR Chat · SDPi Technical Framework Models · SDPi+FHIR

Stream: SDPi+FHIR

Topic: SDPi Technical Framework Models

view this post on Zulip Peter Kranich (Jun 22 2020 at 10:32):

We reviewed the UML models David G. put together (really a great job -thank David) on a technical level. We had a question regarding why the device discovery should be "unsecured". Our understanding was that all device participants should already have the appropriate certificates to establish a secure communication (however, by now it is open how the certificates are distributed to the devices). We also saw this requirement: R0015: A DEVICE SHOULD support receiving and responding to a Probe SOAP ENVELOPE over HTTP using a SECURE CHANNEL.

view this post on Zulip Stefan Schlichting (Jun 22 2020 at 11:21):

Peter Kranich said:

We reviewed the UML models David G. put together (really a great job -thank David) on a technical level. We had a question regarding why the device discovery should be "unsecured". Our understanding was that all device participants should already have the appropriate certificates to establish a secure communication (however, by now it is open how the certificates are distributed to the devices). We also saw this requirement: R0015: A DEVICE SHOULD support receiving and responding to a Probe SOAP ENVELOPE over HTTP using a SECURE CHANNEL.

Hi Peter,

the initial device discovery is currently unsecured (no confidentiality, no modification protection) even though all SDC Participants have already certificates. mostly in order to reduce processing requirements.
During the inital discovery the network topology including endpoints is discovered, the capabilities and the patient context is than retrieved after establishing a secure connection.
R0015 (dpws:R4072 is even more strict) is actually for the purpose that you can send a directed probe to the service provider esp. after you have discovered the network topology and therefore the endpoint.

If integrity protection would be required, an SDC service provider can provide a WS-Discovery compact signature along with the initial discovery messages. The consumer would be able to validate the discovery message after retrieving the full certificate chain from the service provider and checking if the key used for the compact signature is the part of an eligible certificate chain.

view this post on Zulip Peter Kranich (Jun 22 2020 at 11:59):

Thanks, Stefan.

view this post on Zulip Stefan Schlichting (Jun 22 2020 at 13:53):

Peter Kranich said:

Thanks, Stefan.

You are welcome!

view this post on Zulip Todd Cooper (Jun 22 2020 at 17:34):

And this is specifically something that we will profile in SDPi, in order to establish a consistent approach and "expectations" between conformant systems.

Last updated: Apr 12 2022 at 19:14 UTC


An HL7 Website -