> I am pleased that NEHTA have finally given us something to go on, and I > am relieved that they are pushing us to adopt what I think is a great > technology.
Agreed, this is a really useful, concrete plan for how things should work, using some excellent technology. > I have only two questions about their strategy: > 1. Not using SSL...? As I understand it, SSL has a very subtle problem which is that the PKI certificates are consumed at lower layers in the establishment of the HTTPS connection ,and are hence not available for non-repudiation of the actual payload. So whilst we can connect and mutually authenticate to each other, once the connection is finished, the only proof we had of each others identity, or proof of the content of the message is whatever we have logged in our systems. And that may be fine, and is certainly as much as most systems are doing today. But the WS Security standard actually allows the payload to be signed and encrypted, allowing both ends to mutually authenticate, but also keep a signed record of the message payload. I think this is generally considered the way to go (especially in health where non-repudiation of messages may be important) Andrew _______________________________________________ Gpcg_talk mailing list [email protected] http://ozdocit.org/cgi-bin/mailman/listinfo/gpcg_talk
