We have been using Gnu GPG to sign and encrypt clinical reports (HTML and
PDF files) before storing them on a central repository. The reports'
integrity is checked each time someone asks to see a report. Our hospital
repository has more than 1.500.000 reports.

Hope this information helps.

-----------------------------
Ricardo Correia
Fac. Medicina - Univ. Porto
Portugal

-----Original message-----
From: owner-openehr-technical at openehr.org
[mailto:owner-openehr-technical at openehr.org] On behalf of Thomas Beale
Sent: Wednesday, 28 June 2006 15:09
To: Openehr-Technical
Subject: potential use of openPGP in openEHR


An initial suggestion (currently in the Release 1.0.1 candidate drafts) 
is that openPGP should be used in openEHR for generating digests and 
signatures. openPGP is defined at http://www.ietf.org/rfc/rfc2440.txt 
and a lot of other information can be found at http://www.pgpi.org/ , 
http://www.gnupg.org/ .

My proposal is that the openPGP message specification makes sense for 
defining signature and hash values in openEHR because openPGP fully 
defines the result string ("message"), and allows for a wide choice of 
algorithms. It is also nice in that the result can be a single string, 
and is self-describing - i.e. decoding software can just read the string 
to find out what algorithms were used, and apply them. ASCII armoring 
and radix-64 encoding mean that "safe" strings can be generated.

However, we also have to be mindful of how it can be implemented in all 
major OSs and languages. Gnu GPG is one approach, but I don't have any 
direct experience of it.

Currently, hashing and signing are completely optional in openEHR 
(probably they will always be). But I believe we need to support them 
clearly in the openEHR architecture for those users that do want them. I 
also believe that we need to specify an open standard for hashing and 
signing and related security things.

Lastly, the use of such security algorithms interacts with the notion of 
key certification and a PKI. My understanding is that openPGP does not 
force users into any particular model of key management (even if the PGP 
distributed model might be easiest to integrate). Do others have 
experience with openPGP within a PKI?

- thomas beale

-- 
___________________________________________________________________________________
CTO Ocean Informatics (http://www.OceanInformatics.biz)
Research Fellow, University College London (http://www.chime.ucl.ac.uk)
Chair Architectural Review Board, openEHR (http://www.openEHR.org)
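
The "self-describing" property mentioned in the message above can be shown with a short added example (not code from either poster or from openEHR): it removes the ASCII armor, checks the radix-64 CRC-24 line, and reads the public-key and hash algorithm identifiers out of the signature packet. The function names are hypothetical and the sample packet is constructed with dummy signature bytes; it demonstrates parsing only, not signature verification.

```python
import base64

# Algorithm identifiers from the OpenPGP registry (RFC 2440 / RFC 4880).
PUBKEY = {1: "RSA", 16: "Elgamal", 17: "DSA"}
HASH = {1: "MD5", 2: "SHA-1", 3: "RIPEMD-160", 8: "SHA-256", 10: "SHA-512"}

def crc24(data):  # checksum carried on the "=XXXX" line of ASCII armor
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def armor(data):  # only used to build the constructed sample below
    b64 = base64.b64encode(data).decode()
    check = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return f"-----BEGIN PGP SIGNATURE-----\n\n{b64}\n={check}\n-----END PGP SIGNATURE-----\n"

def dearmor(text):
    """Strip the armor, decode radix-64 and verify the CRC-24 line if present."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN PGP ") and lines[-1].startswith("-----END PGP ")):
        raise ValueError("not ASCII-armored OpenPGP data")
    body = lines[lines.index("") + 1:-1]      # armor headers end at the blank line
    data = base64.b64decode("".join(l for l in body if not l.startswith("=")))
    check = [l[1:] for l in body if l.startswith("=")]
    if check and int.from_bytes(base64.b64decode(check[0]), "big") != crc24(data):
        raise ValueError("armor CRC-24 mismatch")
    return data

def signature_algorithms(pkt):
    """Return (public-key algorithm, hash algorithm) named in a signature packet."""
    if not pkt[0] & 0x80 or (pkt[0] & 0x40 and 224 <= pkt[1] < 255):
        raise ValueError("unsupported packet header")
    if pkt[0] & 0x40:                         # new-format header
        tag, hdr = pkt[0] & 0x3F, (2 if pkt[1] < 192 else 3 if pkt[1] < 224 else 6)
    else:                                     # old-format header
        tag, hdr = (pkt[0] >> 2) & 0x0F, 1 + (1, 2, 4, 0)[pkt[0] & 3]
    body = pkt[hdr:]
    if tag != 2 or body[0] not in (3, 4):
        raise ValueError("not a version 3 or 4 signature packet")
    pk, h = (body[2], body[3]) if body[0] == 4 else (body[15], body[16])
    return PUBKEY.get(pk, f"id {pk}"), HASH.get(h, f"id {h}")

# Constructed v4 packet: RSA (1), SHA-256 (8), no subpackets, dummy hash prefix and MPI.
SAMPLE_PACKET = bytes([0x88, 13, 4, 0x00, 1, 8, 0, 0, 0, 0, 0x12, 0x34, 0, 8, 0xAB])
SAMPLE = armor(SAMPLE_PACKET)
```

Calling signature_algorithms(dearmor(SAMPLE)) reports the algorithms a verifier would then have to apply with the signer's public key.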

