C_12094_Anlage_V1.0.0
Prereleases:
C_12094_Anlage
ML-164520 - PoPP-Token Struktur
[<=]
1 Struktur des PoPP-Token
A_26432 - PoPP-Service - PoPP-Token JWT
Der PoPP-Service MUSS PoPP-Token immer gemäß [RFC7519] als JWT ausstellen und im Compact Serialization Format kodieren. [<=]
A_26431 - PoPP-Service - PoPP-Token Claims
Der PoPP-Service MUSS im PoPP-Token die Claims gemäß [I_PoPP_Token_Generation.yaml], Schema "Token Claims" verwenden. [<=]
Tabelle 1: PoPP-Token Claims (informativ)
| Name | Wert |
|---|---|
| version | Version des PoPP-Token-Formats (Fester Wert "1") |
| iss | Aussteller des Tokens - Der Wert muss die URL des PoPP-Servers ohne Pfad und ohne trailing Slash sein. |
| iat | Zeitpunkt der PoPP-Token Erstellung |
| proofMethod | Methode, die verwendet wurde, um die Identität des Versicherten nachzuweisen. Die zulässigen Werte sind in [I_PoPP_Token_Generation.yaml] spezifiziert. Unterstützt werden diverse eGK- und GesundheitsID-basierte Nachweismethoden. |
| patientProofTime | Der Zeitpunkt, zu dem der Nachweis des Patienten durchgeführt wurde.
|
| patientId | KVNR - Versichertennummer des Patienten |
| insurerId | Institutionskennzeichen der Krankenversicherung (IK-Nummer) |
| actorId | Telematik-ID der am PoPP-Service authentifizierten Leistungserbringerinstitution (z.B. über SMC-B), die den Behandlungskontext über die oben angegebene Methode nachgewiesen hat. |
| actorProfessionOid | OID des agierenden Leistungserbringerinstitution passend zu actorId (Telematik-ID) gemäß [gemSpec_OID] |
A_26961 - PoPP-Service - PoPP-Token Claims über Leistungserbringer (LE)
Der PoPP-Service MUSS als "actorId" und "actorProfessionOid" die Werte der Institution setzen, die sich gegenüber dem PoPP-Service authentifiziert hat und den Nachweis über den Versorgungskontext mit dem Versicherten erbracht hat. [<=]
A_26962 - PoPP-Service - PoPP-Token Claims über Versicherte
Der PoPP-Service MUSS Claims über den Versicherten ausschließlich nach der vorherigen Verifikation der Versichertenidentität (GesundheitsID, eGK kontaktbehaftet, eGK mobil) in das PoPP-Token aufnehmen und dabei genau die aus der Verifikation erhaltenen Daten verwenden. [<=]
A_26433 - PoPP-Service - PoPP-Token Header und Signatur
Der PoPP-Service MUSS die JWT PoPP-Token mit dem Algorithmus ES256 mit dem im HSM gehaltenen PoPP-Token-Signaturschlüssel signieren und dabei Header-Attribute gemäß [I_PoPP_Token_Generation.yaml], Schema "TokenHeaders", setzen und mitsignieren (protected headers). [<=]
Tabelle 2: PoPP-Token Headers (informativ)
| Name | Wert |
|---|---|
| typ | Typ des Tokens (Fester Wert "vnd.telematik.popp+jwt") |
| alg | Algorithmus mit welchem der PoPP-Token signiert wurde (Fester Wert "ES256") |
| kid | Key-ID des Schlüssels, der zur Signierung des Tokens verwendet wurde. Der Schlüssel selbst kann vom JSON Web Key (JWK)-Endpunkt des PoPP-Servers abgerufen werden. |
| x5c | X.509-Zertifikatskette, die zur Signierung des Tokens verwendet wurde. Enthält als einziges Element das EE-Zertifikat des PoPP-Services. Das Zertifikat ist als DER und anschließend als Base64-kodiert (siehe [RFC7517], Abschnitt 4.7). |
Informatives Beispiel für einen PoPP-Token:
{
"typ": "vnd.telematik.popp+jwt",
"alg": "ES256",
"kid": "x_vW4LVDipvu8iUQ5alKsZLWtH6jh4eJ4c5offXtMV0",
"x5c": ["MIICqDCCAk+gAwIBAgIDAU..."]
}
.
{
"iat": 1722593256,
"iss": "https://popp.example.com",
"proofMethod": "ehc-practitioner-trustedchannel-read-x509",
"patientProofTime": 1722593255,
"patientId": "X123456789",
"insurerId": "123456789",
"actorId": "1-2012345678",
"actorProfessionOid": "1.2.276.0.76.4.50"
}
1.1 Ausschnitt aus I_PoPP_Token_Generation.yaml
openapi: 3.1.0
info:
title: PoPP Token Generation API healthcare practitioners software
version: 0.0.1
description: |
This interface provides access to PoPP Token Generation API to be used by healthcare practitioners software systems (Primärsysteme).
It defines the request, responses and other messages exchanged between the client and the server to generate a PoPP token.
components:
schemas:
# PoPP Token Headers
TokenHeaders:
type: object
title: "POPP Token Headers"
description: |
Schema for the headers of a PoPP token as contained in the JWT.
properties:
typ:
type: string
const: "vnd.telematik.popp+jwt"
description: |
The type of the token.
alg:
type: string
description: "The algorithm used to sign the token. Currently only ES256 is supported."
enum:
- ES256
kid:
type: string
description: |
The key identifier of the key used to sign the token.
Key itself can be retrieved from the JWK endpoint of the PoPP server.
x5c:
type: array
items:
type: string
description: |
The X.509 certificate chain used to sign the token.
The first element is the certificate that was used to sign the token.
Certificates are encoded in DER and base64 encoded as described in https://datatracker.ietf.org/doc/html/rfc7517#section-4.7
required:
- typ
- alg
- kid
- x5c
examples:
- typ: "vnd.telematik.popp+jwt"
alg: "ES256"
kid: "x_vW4LVDipvu8iUQ5alKsZLWtH6jh4eJ4c5offXtMV0"
x5c: [ "MIIBI..." ]
# PoPP Token Claims
TokenClaims:
type: object
title: "POPP Token Claims"
description: |
Schema for the claims of a PoPP token as contained in the JWT.
properties:
version:
type: integer
description: |
The version of the PoPP token format.
const: 1
iss:
type: string
description: |
The issuer of the token.
The value must be the URL of the PoPP server without the path and without a trailing slash.
iat:
type: integer
description: |
The time the token was issued, interpreted as described in
https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.6
proofMethod:
type: string
description: |
The proof method used.
**healthid**:</br>
"Gesundheits-ID via FdV (Frontend des Versicherten)" i.e., health-ID
provided by a special mobile app.
**ehc-practitioner-...**:</br>
Proof by eHC via a PoPP-client, the PoPP-client authenticates to the
PoPP-service by means of an institution ID (i.e., SMC-B).
**ehc-provider-...**:</br>
Proof by eHC via an arbitrary mobile app, the mobile app connects
directly to the PoPP-service.
**ehc-...-trustedchannel-read-x509**:</br>
This is the preferred method of proof for an eHC G2.1, contact-based
communication.
The PoPP-service establishes a trusted channel to the eHC and uses
that channel for (authentically) reading an X.509 certificate.
**ehc-...-cvc-authenticated-database-hash**:</br>
This is the only possibly method of proof for an eHC G2.1, contactless
communication.
The PoPP-service authenticates the eHC and reads the X.509 certificate.
Because reading the X.509 certificate here is non-authentic (from the
PoPP-service point of view), the PoPP-service uses a database to check
if the CV-certificate used for authenticating the eHC corresponds
to the presented X.509 certificate.
**ehc-...-user-x509**:</br>
This is the preferred method of proof for an eHC G3.x, contactless
or contact-based (no eHC PIN involved).
The PoPP-service uses a challenge-response method where the private
key corresponding to the X.509 certificate signs the challenge and
that X.509 contains the information required for PoPP-token
generation.
**ehc-...-owner-x509**: (backlog, to-be-discussed)</br>
Same as **ehc-...-user-x509** but another identity from the eHC is
used where the user is requested to present a PIN.
This way it is possible to distinguish between the owner of the eHC
(card-holder) and a user of the eHC (deputy, agent, proxy).
enum:
- healthid
- ehc-practitioner-trustedchannel-read-x509
- ehc-practitioner-cvc-authenticated-database-hash
- ehc-practitioner-user-x509
- ehc-practitioner-owner-x509
- ehc-provider-trustedchannel-read-x509
- ehc-provider-cvc-authenticated-database-hash
- ehc-provider-user-x509
- ehc-provider-owner-x509
patientProofTime:
type: integer
description: |
The time the patient proof was performed, interpreted as described in
https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.6
* For proof methods with eHC this is the time the eHC was used.
* For proof methods with HealthID this is the time the identity
was verified using the OpenID Connect.
patientId:
type: string
description: |
The patient identifier (KVNR).
insurerId:
type: string
description: |
The insurer identifier (IKNR).
actorId:
type: string
description: |
The actor identifier (Telematik-ID).
actorProfessionOid:
type: string
description: |
Profession OID of the actor.
required:
- version
- iat
- proofMethod
- patientProofTime
- patientId
- insurerId
- actorId
- actorProfessionOid
examples:
- version: 1
iss: "https://popp.example.com"
iat: 1722593256
proofMethod: "ehc-practitioner-trustedchannel-read-x509"
patientProofTime: 1722593255
patientId: "X123456789"
insurerId: "123456789"
actorId: "1-2012345678"
actorProfessionOid: "1.2.276.0.76.4.50"