Eric's question:
>A-Q there is no verification for unsubscribe? Is is possible for the subscriber to be
unsubscribed without their knowledge?
For web hooks, the intent verification step is inherited from Web Sub and remains in FHIRcast for both subscribe and unsubscribe. This exchange provides an additional level of security by enabling the hub to verify ownership of the subscriber's callback url as well as definitively stating the events the Hub was able to support for the subscription from the subscriber's requested list of events.
For websocket, intent verification is used only during subscription and not unsubscription. During subscription, this exchange serves as a mechanism for the Hub to assert the events supported for the newly created subscription.
We will update the specification to clarify that an intent verification exchange is not initiated during an unsubscribe for websocket. Note that this is [consistent with WebSub|
https://www.w3.org/TR/websub/#subscribing-and-unsubscribing]'s use of web hooks.
To remove this expectation, we should edit the spec to remove or modify the following phrases as well as look for opportunities to better clarify in general:
"(or unsubscribing desired ones)"
From <https://fhircast.hl7.org/specification/Feb2020Ballot/#subscribing-and-unsubscribing>
"The unsubscribe request message mirrors the subscribe request message."
From <https://fhircast.hl7.org/specification/Feb2020Ballot/#subscribing-and-unsubscribing>