  1. FHIR Specification Feedback
  2. FHIR-25653

no verification for unsubscribe?

    Details

    • Type: Change Request
    • Status: Applied
    • Priority: Medium
    • Resolution: Persuasive with Modification
    • Specification:
      FHIRCast (FHIR)
    • Raised in Version:
      0.1
    • Work Group:
      Imaging Integration
    • Related Page(s):
      (NA)
    • Related Section(s):
      Subscribing and Unsubscribing
    • Grouping:
    • Scheduling:
    • Resolution Description:
      Eric's question:

      >A-Q there is no verification for unsubscribe? Is it possible for the subscriber to be
      unsubscribed without their knowledge?

       

      For web hooks, the intent verification step is inherited from WebSub and remains in FHIRcast for both subscribe and unsubscribe. This exchange provides an additional level of security by enabling the hub to verify ownership of the subscriber's callback URL as well as definitively stating the events the Hub was able to support for the subscription from the subscriber's requested list of events.

      For websocket, intent verification is used only during subscription and not unsubscription. During subscription, this exchange serves as a mechanism for the Hub to assert the events supported for the newly created subscription.

      We will update the specification to clarify that an intent verification exchange is not initiated during an unsubscribe for websocket. Note that this is [consistent with WebSub|https://www.w3.org/TR/websub/#subscribing-and-unsubscribing]'s use of web hooks.

      To remove this expectation, we should edit the spec to remove or modify the following phrases as well as look for opportunities to better clarify in general:

      "(or unsubscribing desired ones)"

      From <https://fhircast.hl7.org/specification/Feb2020Ballot/#subscribing-and-unsubscribing>

      "The unsubscribe request message mirrors the subscribe request message."

      From <https://fhircast.hl7.org/specification/Feb2020Ballot/#subscribing-and-unsubscribing>

       

    • Resolution Vote:
      Isaac Vetter / Eric Martin : 5-0-0
    • Change Category:
      Clarification
    • Change Impact:
      Non-substantive

      Description

      A-Q there is no verification for unsubscribe? Is it possible for the subscriber to be
      unsubscribed without their knowledge?
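
The webhook intent verification exchange that the resolution describes, sketched from both sides as an added example (not code from the FHIRcast specification or from this ticket): the subscriber echoes the hub's challenge only for a subscribe or unsubscribe it actually requested, so an unsolicited unsubscribe is refused. The class, function, topic and challenge names are constructed for illustration; the `hub.mode`, `hub.topic` and `hub.challenge` query parameters and the 404 refusal come from WebSub.

```python
import hmac
from urllib.parse import parse_qs


class WebhookSubscriber:
    """Subscriber-side state for WebSub-style intent verification (hypothetical class)."""

    def __init__(self):
        self.pending = set()  # (mode, topic) requests this subscriber sent to the hub
        self.active = set()   # topics with a confirmed subscription

    def request(self, mode, topic):
        """Record a subscribe/unsubscribe request before it is POSTed to the hub."""
        if mode not in ("subscribe", "unsubscribe"):
            raise ValueError(f"unknown hub.mode: {mode!r}")
        self.pending.add((mode, topic))

    def handle_verification(self, query_string):
        """Answer the hub's GET to the callback URL; returns (status, body)."""
        q = {k: v[0] for k, v in parse_qs(query_string).items()}
        mode = q.get("hub.mode")
        topic = q.get("hub.topic")
        challenge = q.get("hub.challenge")
        # Refuse anything malformed or not initiated by this subscriber:
        # the challenge is never echoed for a request we did not make.
        if not (mode and topic and challenge) or (mode, topic) not in self.pending:
            return 404, ""
        self.pending.discard((mode, topic))
        if mode == "subscribe":
            self.active.add(topic)
        else:
            self.active.discard(topic)
        return 200, challenge


def hub_accepts(status, body, challenge):
    """Hub side: apply the change only on a 2xx response that echoes the challenge."""
    return 200 <= status < 300 and hmac.compare_digest(
        body.encode(), challenge.encode()
    )
```
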

              People

              Assignee:
              niklas_svenzen Niklas Svenzen
              Reporter:
              ehaas Eric Haas
              Watchers:
              3

                Dates

                Created:
                Updated:
                Resolved:
                Vote Date: