1I/ Application Identity and Trust in Healthcare and beyond

From IIW

Application Identity and Trust in healthcare and beyond

Wednesday 1I

Convener: Alan Viars

Notes-taker(s): Alan Viars


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:


The group discussed primarily health care use cases for application trust and endorsement.


Summary:


The POET method, where a signed JWT is used to convey a pedigree of an application, is a reasonable approach, though the group presented some caveats:

  • There must be rules and governance for how endorsing bodies (i.e. JWT signers) manage public keys. Perhaps these rules could be based on the same rules used by certificate authorities, but less stringent.
  • A governing body must exist to manage all endorsers who meet these criteria.
  • A uniform display for the endorsement, or lack thereof, should be adopted. It took the browser community 7 years to come to an agreement.
  • There is no significant difference between using X.509 and JWKs for key pairs. X.509 certificates could be self-signed in this use case.
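The endorsement flow the group discussed, a signed JWT carrying an application's pedigree that a relying party checks against a registry of endorsers kept by a governing body, as an added Go example. This is not code from the POET or python-poetri projects. It assumes ES256 signatures over P-256, a JWK-based endorser registry keyed by the JWS "kid" header, and constructed software-statement style claims (iss, client_name, exp); none of those were fixed by the session.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK is the public half of an endorser's P-256 key (RFC 7517 names; the registry format is assumed).
type JWK struct{ Kty, Crv, X, Y string }

// Registry lists the endorsers admitted by the governing body, keyed by the JWS "kid" they sign with.
type Registry map[string]JWK

var b64 = base64.RawURLEncoding

// PublicJWK exports an endorser's public key as a JWK.
func PublicJWK(pub *ecdsa.PublicKey) JWK {
	return JWK{Kty: "EC", Crv: "P-256",
		X: b64.EncodeToString(pub.X.FillBytes(make([]byte, 32))),
		Y: b64.EncodeToString(pub.Y.FillBytes(make([]byte, 32)))}
}

// publicKeyFromJWK rebuilds the P-256 point and rejects anything off-curve.
func publicKeyFromJWK(j JWK) (*ecdsa.PublicKey, error) {
	xb, errX := b64.DecodeString(j.X)
	yb, errY := b64.DecodeString(j.Y)
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	if j.Kty != "EC" || j.Crv != "P-256" || errX != nil || errY != nil || !pub.Curve.IsOnCurve(pub.X, pub.Y) {
		return nil, errors.New("malformed or unsupported JWK")
	}
	return pub, nil
}

// Sign issues a compact ES256 JWT (the endorsement) over the given claims.
func Sign(priv *ecdsa.PrivateKey, kid string, claims map[string]interface{}) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 signatures are the fixed-width concatenation r || s, not DER.
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// Verify accepts an endorsement only if alg is pinned to ES256, kid is a registered endorser,
// the signature verifies against that endorser's JWK, and exp has not passed.
func Verify(token string, reg Registry, now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS")
	}
	var hdr map[string]string
	hdrRaw, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hdrRaw, &hdr) != nil {
		return nil, errors.New("malformed header")
	}
	jwk, ok := reg[hdr["kid"]]
	if hdr["alg"] != "ES256" || !ok { // never let the token choose "none" or an HMAC alg
		return nil, fmt.Errorf("alg %q or endorser %q not acceptable", hdr["alg"], hdr["kid"])
	}
	pub, err := publicKeyFromJWK(jwk)
	sig, sigErr := b64.DecodeString(parts[2])
	if err != nil || sigErr != nil || len(sig) != 64 {
		return nil, errors.New("bad endorser key or malformed signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature does not verify")
	}
	var claims map[string]interface{}
	payload, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &claims) != nil {
		return nil, errors.New("malformed payload")
	}
	if exp, ok := claims["exp"].(float64); !ok || now.Unix() > int64(exp) {
		return nil, errors.New("endorsement expired or has no exp")
	}
	return claims, nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	reg := Registry{"endorser-example-1": PublicJWK(&priv.PublicKey)}
	// Constructed software-statement style claims for a hypothetical app.
	tok, _ := Sign(priv, "endorser-example-1", map[string]interface{}{"iss": "https://endorser.example",
		"client_name": "Example Health App", "exp": time.Now().Add(24 * time.Hour).Unix()})
	claims, err := Verify(tok, reg, time.Now())
	fmt.Println(claims, err)
}
```

The relying party never takes a key from the token itself: it trusts only what the governing body's registry says about the endorser named in the kid header, which is why the group saw little difference between X.509 and JWKs here, since either is just a container for that registered public key. Pinning alg to ES256, rejecting off-curve JWK points and enforcing exp are the checks a verifier needs regardless of container.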


Links: 


https://github.com/TransparentHealth/poet

https://github.com/TransparentHealth/python-poetri

https://www.healthit.gov/facas/health-it-policy-committee/hitpc-workgroups/api-task-force

http://carinalliance.com/