Version.signature has very specific implementation assuming particular technology solution to creating a signature. More recent approaches may use SHA1 and XML Digital Signature payload documents. These should be supported along with other cryptography libraries other than openPGP including Microsoft.NET and other open source libraries.
To support these variations, the should be an additional attribute in the Version class to indicate what signature algorithm is used (similar to the DvMultimedia integrity check algorithm attribute) rather than relying on the self describing PGP byte stream.
There should be additional implementation guideance to support interoperable signatures using different cryptography libraries.
Should we focus on signing XML or signing objects in the DB? Or both? IMO is difficult to have just one approach to be used in all contexts / technologies, but maybe I'm wrong.
Have to agree on canonical serial format for basis of signing as well as preferred libs and field format.
Questions - polymorphic attachment of objects and representing type info; id fields etc.
Via SEC teleconference 29 Oct we discussed creating a proper canonical openEHR data format in release 1.1 usable for signatures etc.
When converting this PR to CR(s) we might need to address two related things:
#1. allowing different signature algorithms and suggesting a modern algorithm (some strong SHA-version?) as default (mandatory to be supported as fallback)
#2. creating a canonical format, Perhaps some compact JSON frormat (without indentation or extra spaces etc) also consider the ordering of JSON siblings (alphabetical?). Publish pseudo code and possibly point to open source implementations
I did something like #2 for creating SHA-hashes used to identify (and create IDs for) parametric AQL-queries in LiU EEE, perhaps that work is useful as input to pseudo code etc.
Agree, I think we should publish pseudo-code as well.
I know JSON Web Token is used to sign requests, but I don't see why this can't be used for other purposes: http://jwt.io/
Please let me know what you think about that.
Also find this signing guide for Java: https://docs.oracle.com/javase/tutorial/security/apisign/gensig.html
Maybe there are similar guides / ways for other technology stacks.