  1. FHIR Specification Feedback
  2. FHIR-25881

Make HMAC optional and refer to the WebSub spec


Details

    • Change Request
    • Resolution: Persuasive with Modification
    • Highest
    • FHIRCast (FHIR)
    • 0.1 [deprecated]
    • Imaging Integration
    • (NA)
    • Subscribing and Unsubscribing

      Question from Jenni: Why require HMAC instead of having that as optional? Also should reference the WebSub spec for guidance around how to do HMAC validation/signatures

       

      Persuasive with modification:
      It is not really a matter of HMAC or something else, but rather whether the hub.secret is required or not. In WebSub hub.secret is optional and this should be the case for FHIRCast as well. The WebSub spec is already referenced in the FHIRCast spec for HMAC digests.

       

      Current wording:

      hub.secret Conditional string Required when hub.channel.type=webhook. SHALL not be present when hub.channel.type=websocket. A subscriber-provided cryptographically random unique secret string that SHALL be used to compute an HMAC digest delivered in each notification. This parameter SHALL be less than 200 bytes in length.

      Proposed wording:

      hub.secret Conditional string Optional when hub.channel.type=webhook. SHALL not be present when hub.channel.type=websocket. A subscriber-provided cryptographically random unique secret string that SHALL be used to compute an HMAC digest delivered in each notification. This parameter SHALL be less than 200 bytes in length.

       

    • Isaac Vetter / Eric Martin : 5-0-0
    • Clarification
    • Non-substantive

    Description

      Why require HMAC instead of having that as optional? Also should reference the WebSub spec for guidance around how to do HMAC validation/signatures.
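A subscriber-side sketch of what the hub.secret wording above implies once the secret is optional. This is an added example, not code from the ticket or from the FHIRcast or WebSub specifications. It assumes the WebSub `X-Hub-Signature: method=hexdigest` header format; the function names, the sample body and the choice to refuse sha1 are assumptions of the example.

```python
import hmac
import secrets

# Digest methods accepted in X-Hub-Signature. WebSub also recognises sha1;
# refusing it here is a local policy choice of this example (assumption).
ALLOWED_METHODS = {"sha256", "sha384", "sha512"}


def new_hub_secret() -> str:
    """Cryptographically random secret: 64 hex chars, well under 200 bytes."""
    return secrets.token_hex(32)


def sign(secret: str, body: bytes, method: str = "sha256") -> str:
    """Header value a hub would compute over the raw notification body."""
    return f"{method}=" + hmac.new(secret.encode(), body, method).hexdigest()


def verify_notification(secret, signature_header, body: bytes) -> bool:
    """Return True if the notification may be processed.

    secret is None when the subscription was created without hub.secret.
    """
    if secret is None:
        # No secret registered: no digest is delivered, so the payload
        # cannot be authenticated at this layer.
        return True
    if not signature_header or "=" not in signature_header:
        # A secret was registered, so a missing or malformed header fails.
        return False
    method, _, received = signature_header.partition("=")
    method = method.strip().lower()
    if method not in ALLOWED_METHODS:
        return False
    expected = hmac.new(secret.encode(), body, method).hexdigest()
    # Constant-time comparison; bytes on both sides so odd input cannot raise.
    return hmac.compare_digest(expected.encode(), received.strip().lower().encode())


if __name__ == "__main__":
    secret = new_hub_secret()
    body = b'{"id": "constructed-sample", "event": {}}'  # constructed sample body
    header = sign(secret, body)
    print(verify_notification(secret, header, body))         # signed, intact
    print(verify_notification(secret, header, body + b" "))  # body altered
    print(verify_notification(secret, None, body))           # header stripped
```

The digest is computed over the raw request bytes, so verification has to run before any JSON parsing or re-serialisation of the body.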

          People

            niklas_svenzen Niklas Svenzen (Inactive)
            jenni_syed Jenni Syed (Inactive)