Verifiable Health Link
0.0.2-current - ci-build

Verifiable Health Link, published by IHE IT Infrastructure Technical Committee. This guide is not an authorized publication; it is the continuous build for version 0.0.2-current built by the FHIR (HL7® FHIR® Standard) CI Build. This version is based on the current content of https://github.com/IHE/ITI.VHL/ and changes regularly. See the Directory of published versions

2:3.YY1 Publish PKI Material

2:3.YY1.1 Scope

The Publish PKI Material transaction enables entities within a trust network—specifically, VHL Sharers and VHL Receivers—to submit their public key material to a designated Trust Anchor. This process facilitates the Trust Anchor’s role in aggregating, validating, and distributing a trusted list of public keys (Trust List) essential for verifying digital signatures and establishing secure communications within the VHL ecosystem.

2:3.YY1.2 Actor Roles

Actor           Role
VHL Receiver    Submit PKI Material
VHL Sharer      Submit PKI Material
Trust Anchor    Distribute PKI Material

2:3.YY1.3 Referenced Standards

2:3.YY1.4 Messages

2:3.YY1.4.1 Publish PKI Material Request Message

2:3.YY1.4.1.1 Trigger Events

When a VHL Sharer or VHL Receiver generates a new public-private key pair for use within the VHL trust network, they SHALL submit the corresponding public key material to the Trust Anchor for validation and inclusion in the trust list.

The submission MAY include metadata to support categorization of key usage (e.g., digital signatures, encryption, mTLS) and business or operational context.

2:3.YY1.4.1.2 Message Semantics

The message semantics and transport mechanism for the submission of public key material to the Trust Anchor SHALL be defined by the implementing jurisdiction of the trust network. The Trust Anchor is responsible for validating, cataloging, and securely redistributing key material as part of the canonical Trust List.

Different submission pathways MAY be defined based on the sensitivity, intended use, or organizational classification of the key material. For example:

  • Indirect publication: Key material is published at a URL under the control of the submitting organization and its location is communicated to the Trust Anchor via:
    • Publication on a well-known, jurisdictionally recognized website
    • Secure transmission of the URL through official channels (e.g., signed correspondence, notarized documentation)
  • Direct submission: Key material is submitted directly to the Trust Anchor over a secure, mutually authenticated connection:
    • Use of an API endpoint exposed by the Trust Anchor requiring mTLS or other credentialed authentication
    • Use of a secure upload portal with logging and role-based access controls
  • Offline submission: In scenarios requiring maximal assurance of origin and identity:
    • Submission of key material on a secure physical medium (e.g., USB token, smart card) during a verified in-person encounter, with formal identity attestation

All submission mechanisms SHOULD be accompanied by sufficient provenance metadata to support validation by the Trust Anchor. At minimum, this SHOULD include:

  • The asserted identity of the submitting entity
  • The intended usage scope of the key(s) (e.g., signature, encryption, mTLS)
  • An expiry date or revocation mechanism, if applicable
  • A digital signature or certification path establishing the authenticity of the submission

Jurisdictions MAY further constrain the permitted submission methods based on policy, threat models, or operational constraints. The Trust Anchor SHOULD reject submissions that do not meet the validation criteria defined within the trust framework.
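
The following is an added example, not part of the IHE profile: Trust Anchor intake checks for a directly submitted key, covering the minimum provenance metadata listed above. The field names, the `MAX_VALIDITY` limit, and the use of the transport-authenticated identity (e.g., the mTLS client certificate subject) as proof of origin are assumptions, since the profile leaves message semantics to the implementing jurisdiction.

```python
# Added example: Trust Anchor intake checks for one key submission.
# Field names and policy values are hypothetical; the profile leaves them to the jurisdiction.
import hashlib
from datetime import datetime, timedelta, timezone

ALLOWED_USAGES = {"signature", "encryption", "mtls"}  # usage scopes named in the profile text
MAX_VALIDITY = timedelta(days=730)                     # assumed jurisdiction policy

def fingerprint(public_key_der: bytes) -> str:
    """SHA-256 fingerprint used to catalogue keys and detect duplicates."""
    return hashlib.sha256(public_key_der).hexdigest()

def validate_submission(sub: dict, channel_identity: str, trust_list: dict, now: datetime) -> list:
    """Return rejection reasons; an empty list means the key may enter the trust list.

    channel_identity is the subject the transport already authenticated (assumed
    here to be the mTLS client certificate); it stands in for proof of origin.
    """
    reasons = [f"missing {f}" for f in ("identity", "usage", "not_after", "public_key_der")
               if not sub.get(f)]
    if reasons:
        return reasons
    if sub["identity"] != channel_identity:
        reasons.append("asserted identity does not match authenticated submitter")
    unknown = set(sub["usage"]) - ALLOWED_USAGES
    if unknown:
        reasons.append(f"unsupported usage scope: {sorted(unknown)}")
    if sub["not_after"] <= now:
        reasons.append("key already expired")
    elif sub["not_after"] - now > MAX_VALIDITY:
        reasons.append("validity period exceeds policy maximum")
    owner = trust_list.get(fingerprint(sub["public_key_der"]))
    if owner is not None and owner != sub["identity"]:
        reasons.append("key already registered to another entity")
    return reasons

# Constructed sample data (not real keys or organizations)
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
TRUST_LIST = {fingerprint(b"other-key"): "hospital-b.example"}
GOOD = {"identity": "clinic-a.example", "usage": ["signature"],
        "not_after": NOW + timedelta(days=365), "public_key_der": b"constructed-key-bytes"}

if __name__ == "__main__":
    print(validate_submission(GOOD, "clinic-a.example", TRUST_LIST, NOW))
    bad = dict(GOOD, public_key_der=b"other-key", usage=["signature", "codesign"])
    print(validate_submission(bad, "hospital-c.example", TRUST_LIST, NOW))
```
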

2:3.YY1.4.1.3 Expected Actions

Upon receipt of public key material from a VHL Sharer or VHL Receiver, the Trust Anchor SHALL validate, organize, sign, and expose the PKI material as part of a trusted, canonical trust list.

This signed trust list enables all participants in the VHL trust network to verify digital signatures and establish secure connections in accordance with the governance policies of the Trust Anchor.

2:3.YY1.4.2 Publish PKI Material Response Message

There is no Publish PKI Material Response Message defined in this profile. This is up to the implementing jurisdiction of the Trust Anchor.

2:3.YY1.5 Security Considerations

The secure and verifiable exchange of public key infrastructure (PKI) material is foundational to the operation of a Verifiable Health Link (VHL) trust network. Any compromise in the integrity, authenticity, or provenance of this material undermines the ability of network participants to verify digital signatures, authenticate service endpoints, or enforce trust relationships.

Accordingly, implementers SHOULD ensure that:

  • Submission and retrieval of PKI material occur only over secure channels (e.g., mutually authenticated TLS),
  • Submitted key material includes cryptographic proof of origin (e.g., embedded signatures or certification paths),
  • Each key’s usage scope and validity period are clearly defined and enforced,
  • All accepted material is validated against the criteria and policies established by the Trust Anchor’s governance authority.

Jurisdictions MAY define additional security controls, such as key size requirements, certificate chaining policies, Certificate Revocation List (CRL) or OCSP usage, offline verification workflows, or restrictions on submission endpoints.

The Trust Anchor SHOULD reject key material that fails to meet the validation requirements established by the trust framework or the implementing jurisdiction.