Uploaded image for project: 'FHIR Specification Feedback'
  1. FHIR Specification Feedback
  2. FHIR-36158

Correct JWS Signature rules



    • Icon: Change Request Change Request
    • Resolution: Unresolved
    • Icon: Medium Medium
    • FHIR Core (FHIR)
    • R4
    • Modeling & Methodology
    • Datatypes


      proposal: omit the last bullet from this section: JSON Signature rules 

      When the signature is an JSON Digital Signature (contentType = application/jose), the following rules apply:

      • The Signature.data is base64 encoded JWS-Signature RFC 7515: JSON Web Signature (JWS) 
      • The signature is a Detached   Signature (where the content that is signed is separate from the signature itself)
      • When FHIR Resources are signed, the signature is across the Canonical JSON form of the resource(s)
      • The Signature SHOULD use the hashing algorithm SHA256. Signature validation policy will apply to the signature and determine acceptability
      • The Signature SHALL include a "CommitmentTypeIndication" element for the Purpose(s) of Signature. The Purpose can be the action being attested to, or the role associated with the signature. The value shall come from ASTM E1762-95(2013). The Signature.type shall contain the same values as the CommitmentTypeIndication element.

      Rationale:  There is no  "CommitmentTypeIndication" element in JWS. Nor as far as I can tell a corresponding element.  you could add a private header parameter name.




            john_moehrke John Moehrke
            ehaas Eric Haas
            2 Start watching this issue