Security and Privacy

[amichalas]

I was looking at the openEHR specs and I couldn't find any implementation or proper specs related to the generation of cryptographic keys and the encryption of data. Is there any work on that?

[ppazos]

IMO that is out of scope for the openEHR specs. Also you won't find a spec on how to store data. These things are implementation specific.

[amichalas]

Thanks for the prompt response. So, if I understand it right, there is no room for proposing the use of encryption for certain fields?

[serefarikan]

Please note that proposing the use of encryption is a use case for encryption whereas generation of keys is about implementation of the use case. If you think the use case can be described in a manner independent of its implementation, then sure, there is all the room for you to make a case and spec group would gladly discuss it. as Pablo says, the spec intentionally leaves actual implementation details out of scope, such as how to do data persistence, how to implement user interfaces, which technology to use etc.

[serefarikan]

Which would also require you to open a new issue with a more descriptive title and close this one ;)

[ppazos]

@amichalas I think there is room to propose anything. But any proposal should make sense in the scope of the spec, some proposals might just be components to put on top of openEHR and other standards, also maybe related to technologies more than the openEHR methodology, etc. As Seref says, if you have a clear use case where a proposal could be applied, considering the scope of the specs, any proposal is welcome. You need first to know what openEHR is about, then specify your use cases, analyze where openEHR is not enough, and then do a proposal providing all that. We are happy to discuss to help you on that process.

[amichalas]

Thanks a lot! I will come back when I do my homework and have something more concrete to propose..

[wolandscat]

You may want to post new ideas or critique in the first instance on the technical mailing list and if a clear change request can be stated, post it as a Problem Report on the PR Jira tracker. We don't tend to use the Github issue trackers on the specifications projects.