Thomas Beale wrote:
> Tim Churches wrote:
>> One of the reasons why people are reluctant to include facilities for
>> physical deletion seems to be the need for a legal record of the
>> information which was available to clinicians and others at particular
>> points in time. That's a reasonable concern, but such concerns can only
>> be addressed if use is made of digital notarisation of records by a
>> trusted third-party notary. Such notarisation needs to be tightly
>> integrated with the back-end storage mechanism, to permit digital
>> counter-signing of each version of each record, not just the whole
>> database.
>>
> we have actually consciously made the change control model (section 6 in
> http://svn.openehr.org/specification/BRANCHES/Release-1.1-candidate/publishing/architecture/rm/common_im.pdf)
> compatible with notarisation by a TTP; in particular, the idea that a
> digital digest can be generated with each new version of any version
> container, and the digest sent elsewhere; then when copies of the
> versions are sent in Extracts to another location, the receiver has a
> way of verifying the authenticity (regenerate digest and compare with
> requested copy from notary service). We have yet gone to the lengths of
> explicitly modelling more than the digest (which is described in the
> forthcoming EHR Extract spec), but I suspect we might in the future.
OK, that sounds good. An alternative modus operandi for digital notarisation is for the EHR to generate a self-signed digest for each new version of a record, send that digest to a third-party notary, who then counter-signs the digest and sends it back to the EHR, which then stores the counter-signed digest in the repository alongside the record to which it applies. That means that the digital notary does not need to store anything other than their complete history of private signing key(s), and anyone can check the validity of the notary's counter-signature by referencing the public signing key for that notary for the date on which the record was counter-signed. The notary does not have to be consulted or bothered for that validity check to occur. If the counter-signature is valid, then the stored digest is valid, and if a new digest calculated from that version of the record matches the stored digest, then it provides strong evidence that that version of the record existed in that state at some time prior to the counter-signing date.

Because notaries don't need to remember anything other than their signing keys, they can be very cheap to set up and operate, and can be made very secure, e.g. run a hardened Web server with minimal facilities and no writable storage. But there needs to be somewhere in the openEHR record to store the counter-signed digest. Or maybe more than one - it is possible that several separate notaries could be used to provide "triangulation" of their attestation functions.

Tim C
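The exchange Tim describes above (EHR self-signs a digest, notary counter-signs it, EHR stores the result, anyone verifies offline against the notary's key for that date), as an added example that is not part of the original thread or of openEHR. It assumes Ed25519 signatures, SHA-256 digests, a hypothetical NotarisedVersion storage structure, and a constructed digest-plus-date payload format for the counter-signature.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// NotarisedVersion: what the EHR stores beside one record version (hypothetical; the post notes openEHR has no slot for it yet).
type NotarisedVersion struct {
	Record     []byte // the record version itself (constructed sample in main)
	Digest     []byte // SHA-256 of Record, computed by the EHR
	EHRSig     []byte // EHR's own signature over Digest (the "self-signed digest")
	NotaryDate string // when the notary counter-signed; selects which notary key to check
	CounterSig []byte // notary's signature over Digest || NotaryDate
}

// payload binds the digest to the signing date so a verifier knows which historical notary key applies (format is an assumption).
func payload(digest []byte, date string) []byte {
	return append(append([]byte{}, digest...), []byte("|"+date)...)
}

// Notarise runs the exchange: EHR digests and self-signs, notary counter-signs,
// EHR stores everything. The notary retains nothing but its signing key.
func Notarise(record []byte, ehrPriv, notaryPriv ed25519.PrivateKey, date string) NotarisedVersion {
	d := sha256.Sum256(record)
	counterSig := ed25519.Sign(notaryPriv, payload(d[:], date)) // notary side
	return NotarisedVersion{record, d[:], ed25519.Sign(ehrPriv, d[:]), date, counterSig}
}

// Verify checks a stored version without contacting the notary: counter-signature, EHR signature, then digest recomputation.
func Verify(v NotarisedVersion, ehrPub, notaryPubForDate ed25519.PublicKey) bool {
	if !ed25519.Verify(notaryPubForDate, payload(v.Digest, v.NotaryDate), v.CounterSig) ||
		!ed25519.Verify(ehrPub, v.Digest, v.EHRSig) {
		return false
	}
	d := sha256.Sum256(v.Record)
	return bytes.Equal(d[:], v.Digest)
}

func main() {
	ehrPub, ehrPriv, _ := ed25519.GenerateKey(rand.Reader)
	notaryPub, notaryPriv, _ := ed25519.GenerateKey(rand.Reader)
	v := Notarise([]byte(`{"uid":"demo-1","content":"constructed sample"}`), ehrPriv, notaryPriv, "2006-01-02")
	fmt.Println("as stored:", Verify(v, ehrPub, notaryPub)) // true
	v.Record = append(v.Record, '!') // any later change to the stored record is detected
	fmt.Println("altered:", Verify(v, ehrPub, notaryPub)) // false
}
```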

