Stream: smart/health-cards
Topic: VCI directory snapshot and audit log
Christian Paquin (Mar 24 2022 at 15:07):
I'd like to point out the VCI directory now produces a daily signed snapshot of the issuer keys and an audit log; see the README for details. The snapshot allows applications to validate SHCs in an offline manner. Thanks @Chris Lumpkin, @Adrian Soghoian, and @James Kizer for the help on setting that up!
John Moehrke (Mar 24 2022 at 16:04):
Why not use the FHIR AuditEvent for those audit logs?
Josh Mandel (Mar 24 2022 at 16:14):
What would it look like, and how would it help?
John Moehrke (Mar 24 2022 at 16:27):
I would be happy to help figure out what it might look like. I don't know what data you are recording today, just noticed that the example given is not a FHIR AuditEvent.
John Moehrke (Mar 24 2022 at 16:29):
How would it help? Well, it would be following a standard vs. a project-defined schema... we are a standards organization, right? So we should use our own standards when they are indicating they are fit for the purpose.
The exercise might also inform improvements to AuditEvent... we are a standards organization, so should also eat our own dog food.
Christian Paquin (Mar 24 2022 at 17:34):
Are FHIR AuditEvent meant to log interactions with a FHIR server (which is not the case here)? The current audit log reports statistics and analysis on the VCI directory content. I'm not sure I understand how this information fits the AuditEvent use cases.
AG Consulting (Mar 25 2022 at 05:04):
Hello to all that read this.
I am Anthony Gonzalez and my firm, AG Consulting, is attempting to aggregate, to an end-to-end lab solution for a client, the creation of Smart Health cards with lab results and possibly immunization data as well. After reading over the available material online that provides an overview and the Smart Health card creation and deployment process (this will be a strictly "print" solution via paper or PDF with QR Code embedded), one of the first steps described is to acquire a VCI for the customer's medical practice operation. In this case, as previously mentioned, a lab testing and immunization clinic.
I have reviewed much of the available documentation, including the Vaccine Credential Initiative Directory Agreement, and finally I have found the VCI Directory Issuer Request Form in Google Docs. My firm will be subcontracted to maintain the SHCs on its own server as part of the working arrangement. Obviously being a medical bespoke software firm, we ARE NOT the clinic, thus, my question is as follows:
Who fills out the request form, the lab or the company maintaining the data for the lab? Who is supposed to register based upon the records and who maintains them?
I need clarification before I send this to my client to confirm which domains need to be listed under the lab's name.
Thank you in advance for any help.
A Gonzalez
Principal
AG Consulting
Josh Mandel (Mar 25 2022 at 13:14):
Re: VCI Directory: The clinic (your customer) is the entity that needs to be registered with the VCI Directory, because they are the entity responsible for making trusted assertions. As a technology provider you can help to guide them with submitting the paperwork, but they need to be parties to the agreement.
AG Consulting (Mar 25 2022 at 16:14):
Thank you Josh, I will get started with them on assisting them to register.
JP Pollak (Mar 25 2022 at 16:18):
@AG Consulting it sounds like you're all over it but this is a good place to start to make sure you're prepared with the various req's
AG Consulting (Mar 25 2022 at 18:17):
JP, I happened upon that site yesterday. This is the best to use for general reference?
JP Pollak said:
AG Consulting it sounds like you're all over it but this is a good place to start to make sure you're prepared with the various req's
JP Pollak (Mar 25 2022 at 19:03):
@AG Consulting well, spec.smarthealth.cards is the overall place to start, but for listing in the directory, yes.
AG Consulting (Mar 25 2022 at 19:36):
Okay, thank you.
sonia nair (Mar 31 2022 at 20:41):
Hello, we are trying to decrypt a CVS-issued QR at our company and it seems that the QR code given to a person is not matching what the vci registry has. Is there anyone here who is aware of this issue, or anyone from CVS technology to investigate?
Christian Paquin (Mar 31 2022 at 20:47):
sonia nair said:
it seems that the QR code given to a person is not matching what the vci registry has.
What do you mean by "not matching"? The card's issuer iss URL does not appear in the VCI directory (which, for CVS, should be "https://api.cvshealth.com/smarthealth/v1/card")? Or does the signature fail? You can try the test verifier portal to see if there are issues with the card.
sonia nair (Apr 01 2022 at 14:53):
The QR code that is shared with the person does not have "CVShealth", instead they have "CVSCare", hence the QR cannot be validated.
Christian Paquin (Apr 02 2022 at 01:46):
This indeed should be handled by the issuer
JP Pollak (Apr 02 2022 at 18:25):
@sonia nair we have notified them of the issue!
sonia nair (Apr 12 2022 at 14:15):
Thank you so much @JP Pollak
Last updated: Apr 12 2022 at 19:14 UTC