Re: [Gnumed-devel] Time for a major re-think in 2005 - opinions


From: Karsten Hilbert
Subject: Re: [Gnumed-devel] Time for a major re-think in 2005 - opinions
Date: Sun, 9 Jan 2005 11:12:28 +0100
User-agent: Mutt/1.3.22.1i

> > does sound simpler, and one could only subvert the audit between
> > dumps.
> You're proposing on-the-spot signing of committed data?
I think Syan was investigating the current state of
thought regarding this. I don't think he proposes on-the-spot
signing just yet.

> But if an
> attacker has access to alter the database at will, it's easy to capture
> the signing key and fake signatures, unless you sign on the client
> (which, in reality, is less secure than the server)
That sounds correct.

> Signed dumps is so you can prove to someone else (the courts) that you
> haven't modified your own backups.
Precisely; taken daily, they show due course and proper care.

> > If an identity's record was exported to another system, what would be the
> > protocol for supplying a verified audit with the record?
That wouldn't be particularly easy; basically it would only be
feasible to do when ordered by some court to do so, and would
involve matching the EMR-formatted data to the latest data in
the signed db dump, then tracking back through the dumps
showing that they haven't undergone undue manipulation.

Karsten
-- 
GPG key ID E4071346 @ wwwkeys.pgp.net
E167 67FD A291 2BEA 73BD  4537 78B9 A9F9 E407 1346
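
Added example (not part of the original message and not GNUmed code): one way to perform the check described above, verifying each daily dump against its signature record and walking one record back through the dumps. HMAC-SHA256 stands in for a real detached public-key signature, which is what proof to a third party would need; the key, record id, dates and JSON dump format are constructed assumptions.

```python
import hashlib, hmac, json

KEY = b"constructed-demo-key"  # assumption: stands in for the practice's signing key

def _tag(day, digest):
    # Bind the digest to its day so a dump cannot be re-filed under another date.
    return hmac.new(KEY, f"{day}:{digest}".encode(), hashlib.sha256).hexdigest()

def sign_dump(day, dump):
    """Signature record made when the daily dump is taken."""
    digest = hashlib.sha256(dump).hexdigest()
    return {"day": day, "sha256": digest, "sig": _tag(day, digest)}

def verify_dump(dump, rec):
    """True only if the dump still hashes to the signed digest for that day."""
    digest = hashlib.sha256(dump).hexdigest()
    return digest == rec["sha256"] and hmac.compare_digest(_tag(rec["day"], digest), rec["sig"])

def trace_record(dumps, recs, record_id, exported):
    """Match the exported value to the latest dump, then walk back day by day.
    Returns (ok, history, failed_day); history is newest-first."""
    history = []
    for dump, rec in zip(reversed(dumps), reversed(recs)):
        if not verify_dump(dump, rec):
            return False, history, rec["day"]   # chain of evidence breaks here
        history.append((rec["day"], json.loads(dump).get(record_id)))
    if not history or history[0][1] != exported:
        return False, history, None             # export differs from latest signed data
    return True, history, None

# Constructed sample: three daily dumps as JSON, one record changing on day 2.
DAYS = ["2005-01-07", "2005-01-08", "2005-01-09"]
DUMPS = [json.dumps({"pt17.allergy": v}).encode()
         for v in ("none", "penicillin", "penicillin")]
RECS = [sign_dump(d, b) for d, b in zip(DAYS, DUMPS)]

if __name__ == "__main__":
    print(trace_record(DUMPS, RECS, "pt17.allergy", "penicillin"))
    tampered = [DUMPS[0], DUMPS[1].replace(b"penicillin", b"none"), DUMPS[2]]
    print(trace_record(tampered, RECS, "pt17.allergy", "penicillin"))
```

The history shows when the value changed, and a modified dump is reported by the day whose signature no longer verifies.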