Comments on Healthcare Standards: The Journey of 4000 Miles could have been 20
Keith W. Boone
Updated 2024-03-23T05:28:35.472-04:00

Anonymous, 2013-03-26T14:18:09.934-04:00:

My goal in working with ABBI is to ensure a vibrant ecosystem of patient-facing health apps. This is cross-cutting (and it's not always easy to separate the technology from the policy). Some thoughts here:
http://smartplatforms.org/2013/03/bluebutton-tech-and-policy/

Keith W. Boone, 2013-03-25T11:12:44.816-04:00:

Thomas,

Less either/or, more and/both. The distinction between an organization and a person becomes blurred because unless incorporated, a person is treated like an organization. The reality is that organizations AND individuals are developers, and that within an organization, an individual has to fulfill the necessary requirements.

Keith

Keith W. Boone, 2013-03-25T10:59:15.440-04:00:

Your second paragraph discusses what is a policy issue, rather than a technology issue. Addressing who creates/manages the trust bundle, how membership in it is established, and what it means with respect to degree of trust is really outside of the scope for S&I.

Anonymous, 2013-03-24T20:21:54.796-04:00:

If I understand correctly, your proposal replaces "dynamic registration" with a centrally distributed "augmented" trust bundle (augmented to include not just app names + their certificates, but all the metadata that you'd normally need for OAuth client registration, including redirect URIs, names, ToS, contact addresses, etc.) Part of this trust bundle's job would also be to assign a single (consistent across all data holders) client_id for each app?

I think bootstrapping registrations with a centralized bundle is great, as long as it's not a barrier to informed/intrepid patients getting access to whatever apps they want. (The implication here is that apps need a totally low-friction way to gain "low-trust" bundle membership, which may come along with patient-facing warning language at authorization time; and then a more robust vetting process could enable membership in a "high-trust" bundle...)

Re: JWT assertions, I'd still very much like to see a specification where public clients (including static web apps and mobile apps) don't need to jump through hoops to prove possession of a secret they can't properly keep. Specifically, I don't think the following is possible for static apps (with no persistent server-side component):
"Application instances obtain... a certificate signed by the application developer."

For confidential clients, I think JWT-based authentication is a great option, but client library support really is weak.

Thomas Lukasik, 2013-03-22T10:46:33.402-04:00:

Keith

Forgive me if I've missed the answer somewhere in your post, but would a working definition of "developer" (as you're using it here) include individual (human) application developers, software vendors (organizations) that develop HCIT applications, or both?

TJL