> >But this goes against the idea of a digital notary. A
> >notary service' goal is to certify a certain status quo
> >at a given point in time. It is not the right tool for
> >preventing tampering with the in-use data at the
> >application level.
>
> Digital notary makes sense for read-only information that
> cannot be sufficiently protected by the holder/manager of
> the data.
Again, the minimalist in me tends to think that, no,
the digital notary does not protect _any_ data,
even less that which the holder cannot protect
<GPAM>her|him</GPAM>self. It solely and exclusively
answers the question: Did this piece of data _exist_
in _this_ form at _this_ date and time.
> One of the unresolved issues is how to keep the digital
> signature secure. Should the "trusted" digital notary
> or the "untrusted" medical information system keep the
> signature? And related to this,
Well, of course, _you_ keep it. Anything else would
overly complicate the operation of the digital notary
(although Horst's scenario of disseminating signed
chunks _has_ its appeal).
> What is the protection
> against the destruction of the signature?
Your very own self-interest! Of course, the
notary service doesn't have the task to protect
me against my own foolishness, namely my lack
of backups.
I see it like this:
- As a user I have no power whatsoever over
the notary's decisions.
- The notary is responsible for
a) keeping his private key secure
b) being available long-term
c) nothing else
- I send a hash to the notary.
- The notary signs it, sends it back to me
and forgets about it.
- I keep the signed hash (forever safely stored away).
- Years pass.
- A patient claims that back then I made a wrong
decision although I had evidence telling me
the opposite and that I tampered with my EMR
to remove that evidence.
- I go get my backup. I regenerate the hash.
I go to court. I show that the new hash is the
same as the one that back then was countersigned
by the notary.
- The judge calls the notary. The notary says:
"Yep, that's my key. And yep, it hasn't been
compromised since."
- Et voilà, unless I am extremely ingenious the
EMR is the one that I had back then.
Now, depending on the constellation of the point
in time that the patient claims I tampered with
the record, the point of inclusion of said
supposed evidence into the EMR and the point
of the earliest countersigning after inclusion of the
said supposed evidence the notary's assertion
translates into either of:
- Nope, there never was that evidence. Get lost,
claimant.
- It is extremely unlikely that the EMR was
tampered with although theoretically possible.
- Well, it was possible but given the concern
for security on the doctor's side we consider
it unlikely.
Of course, if I only have my database countersigned
every half year and I don't have my
change commit log (the audit trail) countersigned
every hour or so then the notary's assertion
would have the simple meaning:
- Thanks for your business, Doc. However,
there's nothing our signature can do for you.
But then, why use a digital notary after all?
> Even if we believe that the signature cannot be compromised without collusion
> between the digital notary and the original signer, whoever keeps the signature can
> unilaterally destroy it.
So, if the notary keeps the signature I am at his mercy.
Or, if I keep the signature I better make darn sure
that I don't lose it. And better darn hope that
the notary will still be there when I need its
nod 10 years from now (open source helps in this,
of course).
Karsten
--
GPG key ID E4071346 @ certserver.pgp.org
E167 67FD A291 2BEA 73BD 4537 78B9 A9F9 E407 1346
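The hash, sign, store and verify procedure laid out in the message above, as an added example that is not part of the original post or of any project it mentions: the notary signs only (hash, time) with an Ed25519 key and keeps nothing, and the court-side check years later recomputes the hash from the backup and asks the notary's public key to vouch for it. The key, the record text and the timestamp are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Token is all the notary returns and all the doctor keeps: hash, time, signature.
type Token struct {
	Hash [32]byte
	Time uint64 // Unix seconds as asserted by the notary
	Sig  []byte
}

// Digest is the only thing sent to the notary; the record never leaves the practice.
func Digest(record []byte) [32]byte { return sha256.Sum256(record) }
// NewNotary creates the notary's single long-term secret, its signing key.
func NewNotary() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}
// message binds hash and time so neither can be swapped under the signature.
func message(hash [32]byte, now uint64) []byte {
	msg := make([]byte, 40)
	copy(msg, hash[:])
	binary.BigEndian.PutUint64(msg[32:], now)
	return msg
}
// Notarize signs (hash || time) and hands back the token; the notary keeps no copy.
func Notarize(priv ed25519.PrivateKey, hash [32]byte, now uint64) Token {
	return Token{Hash: hash, Time: now, Sig: ed25519.Sign(priv, message(hash, now))}
}

// Verify is the court-side check years later: the record regenerated from backup must
// hash to the countersigned value and the notary's key must vouch for that hash at
// that time; any change to record, hash or time (e.g. a back-dated token) fails here.
func Verify(pub ed25519.PublicKey, tok Token, record []byte) bool {
	return Digest(record) == tok.Hash && ed25519.Verify(pub, message(tok.Hash, tok.Time), tok.Sig)
}

func main() {
	pub, priv := NewNotary()
	rec := []byte("constructed EMR entry: 2003-04-01 potassium 5.9 mmol/l") // constructed sample
	fmt.Println(Verify(pub, Notarize(priv, Digest(rec), 1049155200), rec))  // constructed time; prints true
}
```

Note that the notary never sees the record and never stores the token, which is exactly why losing the token (or its backups) leaves nothing for the signature to do.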