5H/ Certified Self-Sovereign Signature (An e-prescribing example)

From IIW

Certified Self-Sovereign Signature


Wednesday 5H

Convener: Adrian Gropper

Notes-taker(s): David Huseby


Tags for the session - technology discussed/ideas considered:

Self-sovereignty


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:


  • The target application is e-prescribing controlled substances by doctors for patients.
  • Patients and doctors are reluctant to use an institutional system for tracking prescriptions because of privacy issues.
  • The regulatory framework is enforced by the DEA and is well understood.
  • All prescriptions have DEA mandated items:
    • MD-DEA #
    • System audit
  • The software solution consists of two main pieces: one part for the MD, one for the patient.
    • The MD has a DID for logging into the electronic health records (EHR) system.
    • The MD uses their DID for signing prescriptions.
  • The DEA requirements for e-prescribing:
    • Requires 2-factor auth, and one factor is an MD-FBCA-issued certificate used for signing.
    • Access to the e-prescribe software has to be signed off on by at least one other person who has a MD-DEA #.
  • Can we build a system that meets these requirements using any of the verifiable claims and distributed identity solutions?


Solution 1

  1. Provisioning
    1. Generate an ECC master keypair for the MD.
    2. Submit the ECC master public key, DID, and MD-DEA # to the FBCA to issue a certificate.
    3. Store the certificate in the DDO.
  2. Prescribing
    1. For each prescription, generate a nonce that is used to derive a signing keypair from the master keypair.
    2. Sign the prescription including the nonce and the DID.
  3. Verify
    1. Use the DID to look up the DDO to get the certificate containing the master public key and the MD-DEA#.
    2. Use the MD-DEA# to check the DEA API for revocation status.
    3. Verify the prescription signature.
    4. Verify the public key is derived from the master public key.