> > c) Be digitally signed by the referring/requesting practitioner using an > > individual > > private key for which there is a current public key certificate > > recognised by the > > HIC (in accordance with HIC's PKI standards), to allow a specialist, > > consultant physician, or Approved Pathology Practitioner or medical > > practitioner to verify the authenticity of the Referral or Request upon > > receipt.
> There is a political question here which, although I know we've discussed it > to death, I'm still no closer to resolution. > Fundamentally, the issue is whether HIC have the moral right or the technical > competency to control crypto between private practitioners. IMHO no and no. Ian, I think there is a problem with looking at this purely as a technical issue - you are right that technically HIC would be the last organisation I'd want setting crypto standards between parties. If all you are interested in is a technical solution then self signed certificates, GPG, etc will all satisfy a technical requirement to get data from one point to other encrypted and with some form of digital signature. The problem for HIC is that they have to layer a technical solution with some sort of legal framework - unfortunately lawyers aren't very creative people so the legal framework they use is the standard legal framework for PKI. In Australia, the legal framework for PKI is gatekeeper (details on the agimo site). This site gives some gory details about the legal relationships a PKI framework establishes. http://www.oznetlaw.net/subcategories.asp?topicid=40&categoryid=193&subcategoryid=339 > Correct me if I'm wrong but: > - HIC still don't allow users to generate keys, This is a by product of the standard gatekeeper contractual arrangements I believe. Keep in mind that the RA, as part of the contract with the GP is making an assertion about the security of the private key in the period before it is handed over - obviously they can't make this statement if they didn't have physical control over the dongle at key generation time. > - still no linux drivers for the Individual dongles I think HIC got pretty unlucky - it seems Rainbow got bought out by Safenet Inc who don't seem to be interested in linux too much. It would be good if HIC could allow you to choose which dongle you want - there are quite a few manufacturers out there now and HIC could use a fair bit of muscle to get some good deals I imagine. > - still very onerous contract for doctors. Basically we can't be trusted to > generate keys, but can be trusted to indemnify HeSA for any > mistakes/insecurities in this same process. I think you will find these are all along the lines of standard Gatekeeper agreements. I don't necessarily agree with the PKI framework being used here - for one, I think it comes from a purely economic background and has some interesting issues regarding limiting liability in a medical situation. But I also think it's unfair to think that HIC are stopping people from using GPG or home grown keys purely out of spite or incompetence. They obviously have legal advice that recommends this as a framework that can be used - in the absence of anyone developing a different framework to allow GPG or similar, I imagine it is the way it is going to be for the foreseeable future (though it should be noted that gatekeeper itself recently underwent some large changes of which I don't really know any details). IANAL, but I just did a law subject discussing PKI so I thought I'd contribute some thoughts.. Andrew _______________________________________________ Gpcg_talk mailing list [email protected] http://ozdocit.org/cgi-bin/mailman/listinfo/gpcg_talk
