Wednesday, June 22, 2016

On-Behalf-Of - FHIR Signature datatype update

The Security workgroup is looking at the FHIR datatype for Signature, specifically the use-cases where the one signing is not the one that the agreement or contract is about. For example when a parent signs for an infant child, or a guardian signs for an individual, or where an individual signs for an organization.

We look to the Uniform Commercial Code (UCC) as one use-case for the use of On-Behalf-Of, as it is a long-standing and proven case where this is needed and has been used. ....


Rob Horn (AGFA) wrote the following as his analysis of the need for On-Behalf-Of capability using the UCC as a use-case. He has authorized me to publish this on my blog. Note: my signature on-behalf-of him, because he doesn't have standing as an individual on my blog.

UCC is best thought of as a use case for the signature datatype.

The major impact of the UCC use case is the need for an “onBehalfOf” element in a signature. UCC distinguishes two kinds of signatures in one dimension. The signature can be by a party to the agreement or it can by a person on behalf of a party to the agreement. One extremely common situation is that the jurisdiction laws prohibit signatures by an organization. Those jurisdictions require that the signature be made by a person on behalf of the organization. At the level of “what is a signature and how do signatures work” the UCC does not specify when there are such restrictions. It specifies that there are two kinds of signatures.

When a signature is “onBehalfOf” there is very strong recommendation that both the person/device/organization signing, and the person/device/organization that it is on behalf of are identified.

Adding an optional element “onBehalfOf” that contains a Uri or a Reference takes care of that. The existence of this element identifies the signature as on behalf of rather than by a party to the agreement.

DISTRACTIONS THAT NEED TO BE MENTIONED.

“invalid signature” are still signatures. There is a dangerous legal swamp around invalid signatures that need a lawyer as a guide. It’s best to just leave discussions around validity to the lawyers and not try to capture it in the signature.

“delegation” is used in digital signatures. The legal alternatives for delegation are far more extensive and different than the delegation structure used in digital signatures. It would be a mistake to try to impose the digital signature rules regarding delegation onto the “on behalf of” signatures. Don’t confuse the digital signature delegation with other kinds of authorization for signing.

“authorized/unauthorized signature” are both signatures. Like “invalid signatures” this is a dangerous legal swamp. This is another area that is best kept out of the datatype. These are just signatures.

PURPOSE OF SIGNATURE

UCC handles purpose of use differently than we did in the digital signature world.

According to UCC, a signature has one (and only one) purpose:
The signer agrees to or accepts a “writing”.
The term “writing” deals with instantiation and is how they deal with verbal and implicit agreements. Those cannot be signed. A “writing” is something that can be signed.

“Writings” also exist in relationships. Thus when I check into a hotel I sign a number of “writings”:
  • The registration, which specifies general terms for room rental, agreeing to those terms
  • The departure date, agreeing that is the correct date
  • The room rate, agreeing that is the rate
  • The no-smoking policy, agreeing to comply with that policy
  • The parking policy, agreeing with that policy.

These are often all on the same piece of paper, with the different “writings” identified by the layout on the paper together with the layout for where I sign.

For all these signatures the purpose of signature is “agree to writing”.

Most of the ASTM purpose of signature are snippets that are almost statements that could be agreed to, much like the little writings when you check in to a hotel. Some examples:
  • “author signature” - agrees with “I am the author, as defined by ASTM”
  • “signature witness” - agrees with “I witnessed signature X”
  • “Interpreter signature” - agrees with “I performed the interpretation of the writing”

UCC didn’t find sufficient commonality among all the many kinds of writings that require signed agreement. There is no standard purpose of signature concept. They move all of the purpose into the writings themselves.