[Cbor] European Digital Health Certificates (used in European Digital Green Certificates = Vaccination certs)

Carsten Bormann <cabo@tzi.org> Sat, 12 June 2021 12:48 UTC

To: cose@ietf.org, cbor@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/cbor/M07MvOOyQlw-0P9i2GYYFd8hSbM>

Given that we occasionally look at how other SDOs use CBOR, COSE, etc.:

This week here in Europe, everybody talks about (Covid-19) “vaccination certs”.

European Digital Health Certificates (as used in the European Digital Green Certificates “DGC” for Covid-19) use CBOR and COSE.

This development had to happen quickly, so it was run in the open; you find lots of information on GitHub.
It is entertaining and educational to read the discussions on the GitHub repos, e.g.,

»It's very easy to decode HCERT. I coded our HCERT verifier in 4 hours without knowing anything about CBOR and COSE (I have used LD-Profs in the past, but not COSE-based certs).« [1]

It is also interesting that one of the problems they had was with QR-Code integration.  E.g., the base45 ASCII-funneled encoding they are using [2] contains percent characters, which unsurprisingly get mangled by some smartphone QR-Code readers (who try to percent-decode them as URIs).  (That would have been easily avoidable at zero additional cost by using a base41-style encoding instead and using a less risky charset subset.)

Also, they are using zlib (deflate) to “compress” the COSE, except that it doesn’t [3].

We may not pay much attention to these integration issues in our IETF WGs, but they are really important to make the whole package work.

Maybe we can find someone to talk about practical aspects of DGC and related efforts at one of the next CBOR interims...

Grüße, Carsten

(Thanks to Emmanuel Baccelli for alerting me to this…)

[1]: https://github.com/ehn-dcc-development/hcert-spec/issues/64#issuecomment-830692153

[2]: https://datatracker.ietf.org/doc/html/draft-faltstrom-base45

[3]: https://github.com/eu-digital-green-certificates/dgc-testdata/issues/284
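
The percent-character problem described in the message, as an added example that is not part of the original post or of the DGC code base: a small Base45 codec following the draft cited as [2], with Python's `urllib.parse.unquote` standing in (an assumption) for a QR reader that percent-decodes scanned text. The function names and sample inputs are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Base45 alphabet from draft-faltstrom-base45; note that it includes '%'.
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:"
INDEX = {ch: i for i, ch in enumerate(ALPHABET)}
PERCENT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")

def b45encode(data: bytes) -> str:
    out = []
    for i in range(0, len(data) - 1, 2):
        n = data[i] << 8 | data[i + 1]       # two bytes -> three symbols
        n, c = divmod(n, 45)
        e, d = divmod(n, 45)
        out += [ALPHABET[c], ALPHABET[d], ALPHABET[e]]
    if len(data) % 2:                         # odd trailing byte -> two symbols
        d, c = divmod(data[-1], 45)
        out += [ALPHABET[c], ALPHABET[d]]
    return "".join(out)

def b45decode(text: str) -> bytes:
    if len(text) % 3 == 1:
        raise ValueError("invalid Base45 length")
    out = bytearray()
    for i in range(0, len(text), 3):
        chunk = text[i:i + 3]
        try:
            n = sum(INDEX[ch] * 45 ** k for k, ch in enumerate(chunk))
        except KeyError as exc:
            raise ValueError(f"{exc.args[0]!r} not in Base45 alphabet") from None
        width = len(chunk) - 1                # 3 symbols -> 2 bytes, 2 -> 1
        if n >= 256 ** width:
            raise ValueError("Base45 group out of range")
        out += n.to_bytes(width, "big")
    return bytes(out)

def at_risk(encoded: str) -> bool:
    """True if the Base45 text contains something that parses as %XX."""
    return PERCENT_ESCAPE.search(encoded) is not None

def survives_uri_decoding(data: bytes) -> bool:
    """Encode, pass through a simulated percent-decoding reader, decode."""
    scanned = unquote(b45encode(data))        # assumed reader behaviour
    try:
        return b45decode(scanned) == data
    except ValueError:
        return False
```

A verifier can run `at_risk()` on scanned text only as a diagnostic; once a reader has collapsed `%XX` into one character the original bytes are not recoverable, so the scanning component has to hand over the raw QR text unmodified.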