1I/ Application Identity and Trust in Healthcare and beyond
From IIW
Application Identity and Trust in healthcare and beyond
Wednesday 1I
Convener: Alan Viars
Notes-taker(s): Alan Viars
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
The group discussed primarily health care use cases for application trust and endorsement.
Summary:
The POET method, where a signed JWT is used to convey the pedigree of an application, is a reasonable approach, with some caveats presented by the group:
- There must be rules and governance for how endorsing bodies (i.e. JWT signers) manage public keys. Perhaps these rules could be based on the same rules used by certificate authorities, but less stringent.
- A governing body must exist to manage all endorsers who meet these criteria.
- A uniform display for the endorsement, or the lack thereof, should be adopted. It took the browser community 7 years to come to an agreement.
- No significant difference between using X.509 and JWKs for key pairs. X.509 certificates could be self-signed in this use case.
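To make the caveats concrete, the following is an added example written for these notes; it is not code from the POET or python-poetri projects. It sketches what a relying party would have to do with a POET-style endorsement token: look the issuer up in a registry of endorsers admitted by a governing body, verify the JWS signature under that endorser's key, and check expiry. The claim names (`iss`, `sub`, `exp`), the choice of ES256, the endorser URLs and the keys are all assumptions constructed for the example; in practice the registry entries would be the endorser's published JWK or X.509 key, per the last caveat above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Endorsement is the claim set of a hypothetical POET-style token. The claim
// names are assumptions made for this example, not the POET spec's own.
type Endorsement struct {
	Iss string `json:"iss"` // endorsing body that signed the token
	Sub string `json:"sub"` // client_id of the endorsed application
	Exp int64  `json:"exp"` // expiry, unix seconds
}

var enc = base64.RawURLEncoding

// decodeJSON base64url-decodes one JWS segment and unmarshals it into v.
func decodeJSON(part string, v interface{}) error {
	raw, err := enc.DecodeString(part)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// SignEndorsement builds a compact JWS (ES256) over the claims.
func SignEndorsement(e Endorsement, key *ecdsa.PrivateKey) (string, error) {
	payload, _ := json.Marshal(e)
	input := enc.EncodeToString([]byte(`{"alg":"ES256","typ":"JWT"}`)) + "." + enc.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is fixed-width R||S, not DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + enc.EncodeToString(sig), nil
}

// VerifyEndorsement accepts a token only if its issuer is in the relying party's
// registry of governed endorsers, the signature verifies under that endorser's
// key, and the token has not expired.
func VerifyEndorsement(token string, endorsers map[string]*ecdsa.PublicKey, now time.Time) (*Endorsement, error) {
	parts := strings.Split(token, ".")
	var header struct {
		Alg string `json:"alg"`
	}
	var e Endorsement
	if len(parts) != 3 || decodeJSON(parts[0], &header) != nil || decodeJSON(parts[1], &e) != nil {
		return nil, fmt.Errorf("malformed token")
	}
	if header.Alg != "ES256" { // never let the token pick "none" or a MAC alg
		return nil, fmt.Errorf("unsupported alg %q", header.Alg)
	}
	// iss is unauthenticated here; it only selects which governed key to try.
	// A forged iss either misses the registry or fails the signature check.
	pub, ok := endorsers[e.Iss]
	if !ok {
		return nil, fmt.Errorf("endorser %q is not in the governed registry", e.Iss)
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, fmt.Errorf("malformed signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("signature does not verify under endorser key")
	}
	if !now.Before(time.Unix(e.Exp, 0)) {
		return nil, fmt.Errorf("endorsement expired")
	}
	return &e, nil
}

// Demo exercises three cases with constructed keys: a valid token, a token from
// an endorser outside the registry, and a token altered after signing.
func Demo() (valid, unknownRejected, tamperRejected bool) {
	endorserKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rogueKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	registry := map[string]*ecdsa.PublicKey{"https://endorser.example": &endorserKey.PublicKey}
	now := time.Unix(1700000000, 0)
	claims := Endorsement{Iss: "https://endorser.example", Sub: "app-client-123", Exp: now.Add(24 * time.Hour).Unix()}
	tok, _ := SignEndorsement(claims, endorserKey)
	_, errValid := VerifyEndorsement(tok, registry, now)
	// An endorser not admitted by the governing body signs with its own key.
	rogue := claims
	rogue.Iss = "https://rogue.example"
	rogueTok, _ := SignEndorsement(rogue, rogueKey)
	_, errRogue := VerifyEndorsement(rogueTok, registry, now)
	// The endorsed client_id is swapped while the original signature is kept.
	altered := claims
	altered.Sub = "some-other-app"
	body, _ := json.Marshal(altered)
	parts := strings.Split(tok, ".")
	_, errTamper := VerifyEndorsement(parts[0]+"."+enc.EncodeToString(body)+"."+parts[2], registry, now)
	return errValid == nil, errRogue != nil, errTamper != nil
}
```

The registry map stands in for the governance layer the first two caveats call for: a relying party trusts a signature only if the signing body is one the governing body has admitted, and key rotation or revocation is a change to that registry rather than to the verifier. `Demo()` returns `true, true, true` when the valid token is accepted and both the unregistered endorser and the altered claims are rejected.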
Links:
https://github.com/TransparentHealth/poet
https://github.com/TransparentHealth/python-poetri
https://www.healthit.gov/facas/health-it-policy-committee/hitpc-workgroups/api-task-force