Wednesday, October 22, 2014

CDA Digital Signatures inside

HL7 has been working on an Implementation guide that explains how one would use a Digital Signature inside of a CDA document. This is an implementation of XML-Signature in Enveloped form. 
This has completed a round of ballot and now enters 24 months of DSTU. 
  • Signature, Enveloped -- The signature is over the XML content that contains the signature as an element. The content provides the root XML document element. Obviously, enveloped signatures must take care not to include their own value in the calculation of the SignatureValue.
Note, I can't find the current DSTU version of the text... When I find it I will provide a link.
The HL7 CDA Digital Signature Implementation Guide shows a model where the Digital Signature is treated as a blob that is then inserted into the CDA document. This means that it is restricted to only signing CDA documents. The advantage that this CDA internalized digital signature is that it is carried inside the CDA document throughout any transport that conveys the CDA document.

DSTU Publication Approvals  
HL7 Implementation Guide for CDA® Release 2: Digital Signatures and Delegation of Rights, Release 1 for Structured Documents WG of SSD SD at Project Insight 1005 and TSC Tracker 3639 requested DSTU publication for 24 months. The Digital Signature and Delegation of Rights Implementation Guides provide a standardized method of applying Digital Signatures to CDA documents.  The standard provides for multiple signers, signer’s declaration of their role, declaration of purpose of the signature, long-term validation of the Digital Signatures and data validation of the signed content.
This Digital Signature is not a conflict with the IHE-DSG profile, but rather a different model. IHE-DSG profile is a standalone Digital-Signature that references a standalone document of any type. So the IHE-DSG profile can sign a CDA document, but can just as well sign a PDF or any other format of document. The limitation that the IHE-DSG profile has is that it can only sign by reference. This model has been extensively discussed in IHE and on my blog. See IHE-DSG profile,

IHE Does have a proposal that I am working on to add XML-Signature Enveloping.
In this case there would be one document that is an XML-Signature document, with the signed content inside of the document. In this way the content is carried inside the signature. The opposite of the CDA Enveloped DSTU. This method can Envelope ANY type of document, it is not restricted to CDA documents. It is also, like the CDA Enveloped DSTU, completely independent of Transport.
  • Signature, Enveloping - The signature is over content found within an Object element of the signature itself. The Object (or its content) is identified via a Reference (via a URI fragment identifier or transform).
Signature - Digital, Electronic