Addendum did:web-backport eOverdracht
Introduction
This article specifies a v6-backport for the Nuts application specification "eOverdracht" as published on https://nuts-foundation.gitbook.io/bolts/eoverdracht/leveranciersspecificatie. In short, it describes the changes that are necessary to make eOverdracht work using did:web, and thus without relying on the use of did:nuts and/or NutsAuthorizationCredentials.
4.1.1
The current text describes that the Task is used to track the progress of the hand-off. This is correct, but the Task will also be used as an authorization mechanism. Add text: Besides the Task being used to track progress, it will be used to specify which organization (actor) has access to the hand-off data of which patient.
4.1.2
Does this need changes? Do we need separate eoverdracht-services for did:web implementations?
4.1.3
Can be changed to the R5 notification backport and server-managed-subscriptions, but this change is not necessary to become did:web-compatible. Proposal: keep unchanged.
5.3 retrieve hand off message
Sequence diagram
The current sequence diagram should be replaced by a new one. Insert new PlantUML here.
5.3.1 Register authorization
The current text describes the registration and distribution of a NutsAuthorizationCredential. This text should be deleted.
5.3.2 Notification
Lookup notification endpoint
Is a change necessary?
5.3.3
No changes?
5.3.4 Authentication
Person authentication
The current text describes user authentication based on IRMA. This text should be replaced by user authentication based on the NutsEmployeeCredential.
5.3.5 retrieve hand off message
Do we need a separate endpoint for did:web FHIR requests?
request access token
apply authorization by custodian/data holder
Do not use the NutsAuthorizationCredential; instead check:
- is there a valid Task?
- is the Task.state "active"/"x"/"y"?
- is the URA in the VP present in the Task.owner element?
Refer to the Rego code (section 6.2).
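The three checks above, written out as an added example in Python; it is not part of the eOverdracht specification and does not replace the Rego code of section 6.2. Assumptions: the state is read from the FHIR `Task.status` field, URA numbers are carried as identifiers under the system `http://fhir.nl/fhir/NamingSystem/ura`, `presenter_ura` has already been taken from a verified VP, the set of allowed states is passed in by the caller because this addendum has not fixed it yet, and the function names are hypothetical.

```python
import json

# Assumption: URA numbers are carried under this FHIR identifier system.
URA_SYSTEM = "http://fhir.nl/fhir/NamingSystem/ura"

# Constructed sample Task, reduced to the fields the checks read.
SAMPLE_TASK = json.loads("""
{
  "resourceType": "Task",
  "id": "constructed-task-1",
  "status": "active",
  "requester": {"identifier": {"system": "http://fhir.nl/fhir/NamingSystem/ura", "value": "00000010"}},
  "owner": {"identifier": {"system": "http://fhir.nl/fhir/NamingSystem/ura", "value": "00000020"}}
}
""")


def ura_of(reference):
    """Return the URA number in a FHIR Reference.identifier, or None."""
    if not isinstance(reference, dict):
        return None
    ident = reference.get("identifier")
    if isinstance(ident, dict) and ident.get("system") == URA_SYSTEM:
        return ident.get("value") or None
    return None


def authorize(task, presenter_ura, allowed_states):
    """Apply the three checks in order; deny on anything missing (fail closed)."""
    # 1. Is there a valid Task? (Assumption: "valid" = a Task resource was found.)
    if not isinstance(task, dict) or task.get("resourceType") != "Task":
        return False, "no valid Task"
    # 2. Is the Task in an allowed state? (Assumption: read from FHIR Task.status.)
    status = task.get("status")
    if not isinstance(status, str) or status not in allowed_states:
        return False, "Task state not allowed"
    # 3. Is the URA from the verified VP present in Task.owner?
    owner_ura = ura_of(task.get("owner"))
    if owner_ura is None:
        return False, "Task.owner carries no URA"
    if not isinstance(presenter_ura, str) or presenter_ura != owner_ura:
        return False, "URA not in Task.owner"
    return True, "ok"


if __name__ == "__main__":
    for ura in ("00000020", "00000010", None):
        print(ura, authorize(SAMPLE_TASK, ura, {"active"}))
```

The requester's URA is denied in the sample run: only the organization named in Task.owner passes, and a request without a URA never reaches a comparison that could match an empty value.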
5.3.6
Delete use of NutsAuthzCredentials.
6 access policy
Describe two new policies that should be used in did:web-implementations:
eOverdracht-receiver-did-web policy
Like 6.1 but ...
eOverdracht-sender-did-web policy
non-PID resources
Like 6.2.1 but....
PID resources
Like 6.2.2 but ...
6.3
Delete use of AuthzCredentials.
Where to put?
Organization authentication
X.509 must be used to authenticate healthcare organizations based on URA number/UZI server certificates.