Vincenzo Della Mea wrote:
>> However, we also have to be mindful of how it can be implemented in
>> all major OSs and languages. Gnu GPG is one approach, but I don't
>> have any direct experience of it.
>
> As far as I understood, the current Italian law on digital documents
> puts PGP/GPG on the weak side of digital signatures, following
> European directives. You have strong signatures when you have a
> certification infrastructure, where certification authorities fulfill
> some legal constraints. PGP/GPG is more on a social certification method.

I think this is true if PGP is specified as the certification infrastructure. We are not trying to do that here - just use the openPGP message specification to define the format of signature strings etc in openEHR data. I don't think openEHR should be specifying anything in terms of certificates, PKI, certainly not at this stage of the game.

> It is not matter of technical security, which is the same. Weak
> signature can be of legal value, but depends on the judge if used
> against someone. Strong signature has legal value. All this, more or
> less: it is difficult to understand laws language.
> This ends up in the need of using other methods for legally valid EHR,
> and I do not think is wise to be tied to a specific system (better to
> choose just a format for signature, if there is the need for that).

but if we say that openEHR data can only be signed if the user has a public key certificate, then we immediately limit the use of signing (and hashing) to environments where certificate servers and processes etc exist.

Let me pose the question another way:

* what standard or other open specification can openEHR point to that accurately specifies the format of digital digests and signatures of EHR data? It has to be something available to everyone, and implementable (preferably already implemented)?

- thomas beale

