5H/ Certified Self-Sovereign Signature (An e-prescribing example)
From IIW
Certified Self-Sovereign Signature
Wednesday 5H
Convener: Adrian Gropper
Notes-taker(s): David Huseby
Tags for the session - technology discussed/ideas considered:
Self-soveriegnty
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
- The target application is e-prescribing controlled substances by doctors for patients.
- Patients and doctors are reluctant to use an institutional system for tracking prescriptions because of privacy issues.
- The regulatory framework is enforced by the DEA and is well understood.
- All prescriptions have DEA mandated items:
- MD-DEA #
- System audit
- The software solution is comprised of two main pieces: one part for the MD, one for the patient.
- The MD has a DID for logging into the electronic health records (EHR) system.
- The MD uses their DID for signing prescriptions.
- The DEA requirements for e-prescribing:
- Requires 2-factor auth and one factor is a MD-FBCA issued certificate used for signing.
- Access to the e-prescribe software has to be signed off on by at least one other person who has a MD-DEA #.
- Can we build a system that meets these requirements using any of the verifiable claims and distributed identity solutions.
Solution 1
- Provisioning
- Generate an ECC master keypair for the MD.
- Submit the ECC master public key, DID, and MD-DEA # to the FBCA to issue a certificate.
- Store the certificate in the DDO.
- Prescribing
- For each prescription, generate a nonce use to generate signing keypair from the master keypair.
- Sign the prescription including the nonce and the DID.
- Verify
- Use the DID to look up the DDO to get the certificate containing the master public key and the MD-DEA#.
- Use the MD-DEA# to check the DEA API for revocation status.
- Verify the prescription signature.
- Verify the public key is derived from the master public key.