
This is pretty common in the commercial world too, and something I've done more than once myself. The obvious use case is storing medical records.

In the UK, personal medical records are often stored by systems integrators in datacentres with nebulous locations, and need to be accessed by third parties for things like underwriting life insurance policies.

To protect the data (compliance with the EU data protection act) it's encrypted in transit AND at rest. Access to data by third parties is managed through AMRAs (access medical record authorisation), which are completed by the third party, authorised by the data owner (private individual) and given to the data owner's general/dental practitioner or pharmacist, who is able to access and decrypt and appropriately share the sensitive data.




Are AMRAs kinda like "stored procedures" then?


AMRAs are like physical documents with an instruction to the information guardian, with a signature from the information owner, authorising access.

A lot of it is electronic these days, and is automated to the point that an individual authorises access by clicking a link in an email that calls an endpoint that in turn releases a token and URL to the requestor to view the appropriate records.


So like OAuth?


Partly. OAuth is authentication (who I am), which is part of it, but the real point is authorisation (what I can do).
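The email-link flow described in this thread, sketched as an added example (not code from any commenter or from a real records system): the owner's click redeems a single-use, expiring approval link, which releases a token limited to one requestor, one patient and one record scope. The host `guardian.example`, the function names, the scope strings and the 15-minute token lifetime are all assumptions.

```python
import hashlib, hmac, secrets, time

KEY = secrets.token_bytes(32)  # assumed signing key held by the record guardian
PENDING, USED = {}, set()      # open requests; request ids already approved

def _sign(msg):
    return hmac.new(KEY, msg.encode(), hashlib.sha256).hexdigest()

def _sig_ok(sig, msg):
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    return hmac.compare_digest(sig.encode(), _sign(msg).encode())

def create_request(requestor, patient, scope, ttl=3600, now=None):
    """Requestor files a request; the link is emailed to the data owner."""
    now = time.time() if now is None else now
    rid = secrets.token_urlsafe(8)
    PENDING[rid] = dict(requestor=requestor, patient=patient, scope=scope, exp=now + ttl)
    sig = _sign(rid)
    return {"rid": rid, "sig": sig,
            "link": f"https://guardian.example/approve?rid={rid}&sig={sig}"}

def approve(rid, sig, now=None):
    """Endpoint behind the emailed link: releases a scoped token and URL, once."""
    now = time.time() if now is None else now
    req = PENDING.get(rid)
    if req is None or rid in USED or now > req["exp"] or not _sig_ok(sig, rid):
        return None
    USED.add(rid)
    # Constructed token format; fields are assumed not to contain "|".
    claims = "|".join([req["requestor"], req["patient"], req["scope"], str(int(now) + 900)])
    return {"token": f"{claims}|{_sign(claims)}",
            "url": f"https://guardian.example/records/{req['patient']}/{req['scope']}"}

def can_view(token, requestor, patient, scope, now=None):
    """Authorisation check: the token must cover this requestor, patient and scope."""
    now = time.time() if now is None else now
    claims, _, sig = token.rpartition("|")
    if not _sig_ok(sig, claims):
        return False
    t_req, t_pat, t_scope, t_exp = claims.split("|")
    return (t_req, t_pat, t_scope) == (requestor, patient, scope) and now <= int(t_exp)
```

The check in `can_view` is where knowing who the requestor is stops being enough: a valid token for one scope is refused for any other scope, patient or requestor.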



