Also see FHIR DS4P Parking Lot for FHIR-specific Security Labeling issues and development areas.
FHIR DS4P IG Topics
Ability for a Classifier to sign only the portion of meta.security that relates to a specific security label, i.e., the meta.security elements delimited by the sec-label-basis extension (the extension conveys the policy under which those meta.security elements were assigned).
While we can convey the Provenance related to a Classifier's classification or reclassification of a specific security label using the sec-label-related-artifact extension, which could include the Classifier's signature, that is NOT the same as signing the specific security label itself. We would like to discuss the best approach for doing this with FHIR Security and other interested parties.
Below is an excerpt from a foundational security labeling specification, ISO 22600-3 (p. 55), on the need to make security labeling non-repudiable and traceable to the Classifier:
A.3.4.2 Signed data encapsulation
Attributes and other sensitivity information may be bound to the digest of the target using the SignedData construct of ASTM E2084. In particular, the use of detached signatures (with the object conveyed separately from the signature structure) would be appropriate. Sensitivity information would be carried as signed attributes, with the originator of the information being the signer.
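The following is an added worked example, not code from the DS4P IG, from HL7, or from ISO 22600-3. It shows one way to realise both the request above (signing only the meta.security elements delimited by a given sec-label-basis) and the ISO 22600-3 pattern just quoted (a detached signature over sensitivity information carried as signed attributes, bound to a digest of the target, with the Classifier as signer). The sec-label-basis extension URL, the sample Observation, the Classifier identity and the JSON canonicalization are assumptions made for illustration; the block uses Ed25519 if the `cryptography` package is installed and otherwise falls back to an HMAC stand-in that proves integrity only and gives no non-repudiation.

```python
# Added example, not DS4P IG / ISO 22600-3 code: detached signature over the meta.security
# Codings that carry one sec-label-basis, bound to a digest of the labelled resource.
import hashlib, hmac, json, secrets

try:  # Ed25519 when `cryptography` is installed; otherwise an HMAC stand-in
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
    HAVE_ED25519 = True
except ImportError:  # HMAC proves integrity only; it gives no non-repudiation
    HAVE_ED25519 = False

BASIS_EXT = "http://hl7.org/fhir/uv/security-label-ds4p/StructureDefinition/extension-sec-label-basis"  # assumed
V3_CONF = "http://terminology.hl7.org/CodeSystem/v3-Confidentiality"
V3_ACT = "http://terminology.hl7.org/CodeSystem/v3-ActCode"

def basis(policy_code):
    """sec-label-basis extension naming the policy a label derives from."""
    return {"url": BASIS_EXT, "valueCoding": {"system": V3_ACT, "code": policy_code}}

# Constructed sample: two labels derive from 42 CFR Part 2, a third from another policy.
OBSERVATION = {
    "resourceType": "Observation", "id": "example", "status": "final",
    "code": {"text": "substance use history"},
    "meta": {"security": [
        {"system": V3_CONF, "code": "R", "extension": [basis("42CFRPart2")]},
        {"system": V3_ACT, "code": "NORDSCLCD", "extension": [basis("42CFRPart2")]},
        {"system": V3_ACT, "code": "NOAUTH", "extension": [basis("HIPAAConsent")]},
    ]},
}

def canonical(obj):
    """Deterministic bytes both sides must agree on (stands in for a real FHIR canonicalization)."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def labels_for_basis(resource, policy_code):
    """The meta.security Codings whose sec-label-basis names policy_code."""
    hits = [c for c in resource.get("meta", {}).get("security", [])
            if any(e.get("url") == BASIS_EXT and e.get("valueCoding", {}).get("code") == policy_code
                   for e in c.get("extension", []))]
    return sorted(hits, key=canonical)  # servers may reorder meta.security; sign an order-free set

def target_digest(resource):
    """Digest of the labelled content; meta is excluded so relabelling does not move it."""
    return hashlib.sha256(canonical({k: v for k, v in resource.items() if k != "meta"})).hexdigest()

def signed_attributes(resource, policy_code, classifier):
    """Everything the signature covers: target digest, basis, label slice, signer (cf. ISO 22600-3 A.3.4.2)."""
    return {"target": {"reference": f"{resource['resourceType']}/{resource['id']}",
                       "sha256": target_digest(resource)},
            "basis": policy_code, "labels": labels_for_basis(resource, policy_code),
            "classifier": classifier}

def gen_key():  # (private, public); with the HMAC stand-in both halves are the same secret
    if HAVE_ED25519:
        priv = Ed25519PrivateKey.generate()
        return priv, priv.public_key()
    return (secrets.token_bytes(32),) * 2

def sign_label_set(resource, policy_code, classifier, priv):
    """Detached signature: carried apart from the resource, with the signed attributes alongside."""
    attrs = signed_attributes(resource, policy_code, classifier)
    data = canonical(attrs)
    if HAVE_ED25519:
        return {"alg": "Ed25519", "signedAttributes": attrs, "signature": priv.sign(data).hex()}
    tag = hmac.new(priv, data, hashlib.sha256).digest()
    return {"alg": "HMAC-SHA256-stand-in", "signedAttributes": attrs, "signature": tag.hex()}

def verify_label_set(resource, detached, pub):
    """Recompute the attributes from the resource as received, then check the signature over them."""
    attrs = detached["signedAttributes"]
    if canonical(signed_attributes(resource, attrs["basis"], attrs["classifier"])) != canonical(attrs):
        return False  # the label slice or the target changed since signing
    data, sig = canonical(attrs), bytes.fromhex(detached["signature"])
    if HAVE_ED25519:
        try:
            pub.verify(sig, data)
            return True
        except InvalidSignature:
            return False
    return hmac.compare_digest(hmac.new(pub, data, hashlib.sha256).digest(), sig)

def demo():
    """Sign the 42 CFR Part 2 label slice, then show which edits break the signature."""
    priv, pub = gen_key()
    det = sign_label_set(OBSERVATION, "42CFRPart2", {"reference": "Practitioner/classifier-1"}, priv)

    def variant(path, value):  # deep copy of the sample with one field changed
        r = node = json.loads(json.dumps(OBSERVATION))
        for k in path[:-1]:
            node = node[k]
        node[path[-1]] = value
        return r

    return {"intact": verify_label_set(OBSERVATION, det, pub),
            "part2_label_downgraded": verify_label_set(variant(["meta", "security", 0, "code"], "N"), det, pub),
            "other_basis_label_edited": verify_label_set(variant(["meta", "security", 2, "code"], "NOCOLLECT"), det, pub),
            "content_changed": verify_label_set(variant(["status"], "amended"), det, pub)}

if __name__ == "__main__":
    print(demo())
```

Running demo() shows the property being asked for: downgrading a label that derives from 42 CFR Part 2 or changing the resource content invalidates the signature, while editing a label with a different basis does not, because only the delimited slice was signed. Two caveats for a real deployment: signer and verifier need an agreed canonicalization of both the label slice and the target (the sorted-key JSON here is a stand-in), and the detached signature must be conveyed and located somehow (for instance as an artifact the sec-label-related-artifact extension points to), which is precisely the open question raised above.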
Cross Paradigm Security Labeling Topics