And this is why a simple protocol for data exchange that takes no account of content is needed, rather than the current messaging which demands that you write complex transformations for each message type (e.g. GP2GP), and that the receiving end also understands how to process it.
Interesting idea. A no-frills system.
What about security though? The fax trusts the phone network; an email equivalent trusts NHS.net.
Can we trust N3 in a similar manner? What’s the minimum security for this: HTTPS? That should prove the endpoint identity. How do you prove the sender's ID (would you encrypt the JWT using your own NHS cert?)
Put another way … If I was sending a ‘fax’ document to this endpoint (this works)
You know the receiver is legitimate and the payload is encrypted. How do I prove I sent this from https://west.riding.nhs.uk (so no user ID, just organisation to organisation)? It’s not my area of expertise, but I assume I encrypt the secret part of the JWT using the certificate for https://west.riding.nhs.uk (which I believe proves the payload hasn’t been tampered with).
Signatures: you hash the document and perform a cryptographic operation on the hash that you can only do with a private key you hold.
You don’t have to stop at one, of course. If you hold a smart card it ought to be able to do this. Then you can apply them to attest to your message source.
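The signature approach described above, applied to the organisation-to-organisation question earlier in the thread, as an added example that is not part of the original posts: the sender signs (rather than encrypts) with its private key, and the receiver verifies with the sender's public key. The Ed25519 key pair, the `doc_sha256` claim name and the trust map are assumptions for illustration.

```javascript
// Added example (not from the thread): sender signs, receiver verifies.
const crypto = require('node:crypto');

const b64u = (x) => Buffer.from(x).toString('base64url');
const sha256 = (d) => crypto.createHash('sha256').update(d).digest('hex');
const fail = (reason) => ({ ok: false, reason });

// Sender: hash the document, bind the hash to the sender identity in the
// claims, then sign "header.claims" with the sender's PRIVATE key.
function signDocument(doc, issuer, privateKey) {
  const header = b64u(JSON.stringify({ alg: 'EdDSA', typ: 'JWT' }));
  const claims = b64u(JSON.stringify({
    iss: issuer,
    doc_sha256: sha256(doc), // hypothetical claim name
  }));
  const sig = crypto.sign(null, Buffer.from(`${header}.${claims}`), privateKey);
  return `${header}.${claims}.${b64u(sig)}`;
}

// Receiver: find the PUBLIC key trusted for the claimed sender, verify the
// signature, then check the received document against the signed hash.
function verifyDocument(token, doc, trustedKeys) {
  const parts = token.split('.');
  if (parts.length !== 3) return fail('malformed token');
  const [header, claims, sig] = parts;
  let hdr, body;
  try {
    hdr = JSON.parse(Buffer.from(header, 'base64url').toString());
    body = JSON.parse(Buffer.from(claims, 'base64url').toString());
  } catch {
    return fail('malformed token');
  }
  if (hdr?.alg !== 'EdDSA') return fail('unexpected algorithm'); // pin the algorithm
  const key = trustedKeys.get(body?.iss);
  if (!key) return fail('unknown sender');
  const signed = Buffer.from(`${header}.${claims}`);
  if (!crypto.verify(null, signed, key, Buffer.from(sig, 'base64url'))) {
    return fail('bad signature');
  }
  if (sha256(doc) !== body.doc_sha256) return fail('document altered');
  return { ok: true, sender: body.iss };
}

// Constructed demo: a throwaway key pair stands in for the organisation's key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const trusted = new Map([['https://west.riding.nhs.uk', publicKey]]);
const doc = Buffer.from('constructed sample referral letter');
const token = signDocument(doc, 'https://west.riding.nhs.uk', privateKey);
console.log(verifyDocument(token, doc, trusted));
```

Only the holder of the private key can produce a token that verifies, which is what proves the sending organisation; encrypting with a certificate's public key would not, since anyone can do that.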
There is an NHS-wide service that meets your criteria already.
Secure, trusted sender/receiver identity, content-agnostic. And it’s already IG certified for clinical data.
I’m writing a blog on this … and it’s built on your(/our) design
but I’ll raise your NHSMail to MESH.