Make HMAC optional and refer to the WebSub spec


    • Type: Change Request
    • Resolution: Persuasive with Modification
    • Priority: Highest
    • FHIRCast (FHIR)
    • 0.1 [deprecated]
    • Imaging Integration
    • (NA)
    • Subscribing and Unsubscribing

      Question from Jenni: Why require HMAC instead of having that as optional? Also should reference the WebSub spec for guidance around how to do HMAC validation/signatures

       

      Persuasive with modification:
      It is not really a matter of HMAC or something else, but rather whether the hub.secret is required or not. In WebSub hub.secret is optional and this should be the case for FHIRCast as well. The WebSub spec is already referenced in the FHIRCast spec for HMAC digests.

       

      Current wording:

      hub.secret Conditional string Required when hub.channel.type=webhook. SHALL not be present when hub.channel.type=websocket. A subscriber-provided cryptographically random unique secret string that SHALL be used to compute an HMAC digest delivered in each notification. This parameter SHALL be less than 200 bytes in length.

      Proposed wording:

      hub.secret Conditional string Optional when hub.channel.type=webhook. SHALL not be present when hub.channel.type=websocket. A subscriber-provided cryptographically random unique secret string that SHALL be used to compute an HMAC digest delivered in each notification. This parameter SHALL be less than 200 bytes in length.

       

    • Isaac Vetter / Eric Martin : 5-0-0
    • Clarification
    • Non-substantive

      Why require HMAC instead of having that as optional? Also should reference the WebSub spec for guidance around how to do HMAC validation/signatures.
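The digest check that the resolution above defers to WebSub, as an added example that is not part of this issue or of the FHIRCast specification. It follows WebSub's `X-Hub-Signature: method=signature` form (an HMAC over the raw request body, keyed with `hub.secret`, hex-encoded) and covers the optional-secret case from the proposed wording. The function names, the sample body and the choice to refuse `sha1` are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Methods this example accepts in X-Hub-Signature. WebSub also recognises
# sha1; refusing it is a local policy choice of this example (assumption).
ALLOWED = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}


def new_hub_secret() -> str:
    """Subscriber side: random hub.secret, well under the 200-byte limit."""
    return secrets.token_urlsafe(32)  # 43 ASCII characters


def sign(secret: str, body: bytes, method: str = "sha256") -> str:
    """Hub side: build the header value 'method=hexdigest' over the raw body."""
    return f"{method}={hmac.new(secret.encode(), body, ALLOWED[method]).hexdigest()}"


def verify(secret, header, body: bytes) -> bool:
    """Subscriber side: decide whether a webhook notification is accepted.

    secret is None when the subscription was made without hub.secret (the
    optional case in the proposed wording); then no digest is expected.
    """
    if secret is None:
        return True  # nothing to verify; integrity rests on the transport alone
    if len(secret.encode()) >= 200:
        raise ValueError("hub.secret SHALL be less than 200 bytes in length")
    if not header or "=" not in header:
        return False  # a secret was registered, so an unsigned delivery is refused
    method, _, received = header.partition("=")
    if method not in ALLOWED:
        return False
    expected = hmac.new(secret.encode(), body, ALLOWED[method]).hexdigest()
    # Constant-time comparison; bytes operands avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(expected.encode(), received.strip().lower().encode())


if __name__ == "__main__":
    secret = new_hub_secret()
    body = b'{"id": "constructed-sample-notification"}'  # constructed sample body
    header = sign(secret, body)
    print(verify(secret, header, body))         # signed and untouched
    print(verify(secret, header, body + b" "))  # body altered after signing
    print(verify(secret, None, body))           # header stripped in transit
```

The digest must be computed over the exact bytes received, before any JSON parsing or re-serialisation. WebSub also lets a subscriber answer a failed check with a 2xx response while ignoring the message locally.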

            Assignee:
            Niklas Svenzen
            Reporter:
            Jenni Syed
            Watchers:
            3

              Created:
              Updated:
              Resolved: