On Mon, 2003-09-22 at 07:56, David Forslund wrote:
> At 07:42 AM 9/22/2003 +1000, Tim Churches wrote:
> >On Mon, 2003-09-22 at 07:25, David W. Forslund wrote:
> > > Well we do some conversion of the data in the process to the COAS
> > > model, but OpenEMed handles secure
> > > communication on arbitrary HL7 data. The security has nothing to do
> > > with HL7 but handles the movement of that and other data in a fully
> > > secure manner.
> >
> >Using CORBA? The problem is that only a very small number of facilities
> >have CORBA-compliant systems.
>
> If you do your own security you will find no compliant systems. If you
> want to know who is sending and receiving the data, you need to have
> your own security using standards X509 certificates and SSL.
Sure.
> CORBA supports this transparently independent of the data being sent
> and requested, plus enables you to make sure that whoever is asking
> can see the particular kind of data. The software to do this is free.
Can you point us at some details?
Well sure, but you need to do some digging. All of this is implemented in OpenEMed using the open source ORB OpenORB (on sourceforge.net), which provides full support for it. By simply changing the environment, we can switch to using SSL and full security and encryption without changing our code. If the application needs to know who the person is making the request and the person doing the responding to see if they have the right permissions, then the RAD has to be turned on which enables the full checking of credentials. This is all implemented and works in CORBA, and is all open source.
> If you use Jabber protocol and GnuPG encryption, you will find no compliant
> systems.
>
> This functionality is fully available with a lot more capability already in
> free software
> and cross language and platform.
Keen to explore examples of this.
> Why do we keep having to invent this stuff? It is a waste of software
> engineering effort.
The problem is that there are too many ways of implementing secure message transport. I am looking for examples of communities of healthcare providers (up to the national level) which have settled on a particular set of methods for secure delivery, whether it be CORBA, Jabber, HTTPS and X509 certificates, or carrier pigeons.
Sure, but the issue isn't only security, it is what you are using for your underlying
communications infrastructure. The biggest problem I find is the variation
in security policies which prevents security interoperability independent
of whether CORBA is being used or not. Security interoperability is the
big challenge. Adding some new protocol to handle it doesn't help. Using
standards does. It is these standards that we encourage. For example,
there is something called CSIv2 which is a standard, and if implemented, enables
folks to talk together securely including quoting of credentials. It seems that
interoperability is so far down on people's list of things that are important that
it isn't recognized.
Dave
--
Tim C
PGP/GnuPG Key 1024D/EAF993D0 available from keyservers everywhere
or at http://members.optushome.com.au/tchur/pubkey.asc
Key fingerprint = 8C22 BF76 33BA B3B5 1D5B EB37 7891 46A9 EAF9 93D0
