Re: [CFRG] Question over COVID-19 'passport' standardization?

Benjamin Kaduk <> Fri, 30 July 2021 18:03 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 32AB13A085D for <>; Fri, 30 Jul 2021 11:03:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id N3rZL3m9LHwu for <>; Fri, 30 Jul 2021 11:03:32 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B5D9E3A0863 for <>; Fri, 30 Jul 2021 11:03:31 -0700 (PDT)
Received: from ([]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by (8.14.7/8.12.4) with ESMTP id 16UI3NYd019056 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 30 Jul 2021 14:03:28 -0400
Date: Fri, 30 Jul 2021 11:03:22 -0700
From: Benjamin Kaduk <>
To: Harry Halpin <>
Message-ID: <>
References: <>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <>
Archived-At: <>
Subject: Re: [CFRG] Question over COVID-19 'passport' standardization?
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 30 Jul 2021 18:03:36 -0000

Hi Harry,

Some arguably-pedantic process-adjacent notes: CFRG is a group of the
Internet Research Task Force, which does not produce standards.  (It does
have a bunch of smart people who know a lot about crypto, security, and
privacy, of course.)
There's also various fora at the Internet Engineering Task Force that cover
security and privacy, often by way of cryptography, and the IETF does
produce standards.  So, if the goal is to "produce a standard", starting at
the IETF SECDISPATCH or SAAG groups might be appropriate.  If the goal is
just to produce the right technology regardless of what it's called, then
I'm not really sure what objections there would be to covering it here.


On Fri, Jul 30, 2021 at 07:47:13PM +0200, Harry Halpin wrote:
> Everyone,
> While the research community and industry was very quick to work on
> privacy-enhanced contact tracing, I've seen very few people taking the much
> more pressing issue of COVID-19 passports.
> I've earlier seen some very badly done academic work using W3C "Verified
> Credentials" and W3C Decentralized Identifier (DID) standards [1]. However,
> while a bunch of sketchy blockchain technology has not been adopted (so
> far, although I believe IATA and WHO are still being heavily lobbied in
> this direction), there has been the release of the EU "Green" Digital
> Credentials that actually uses digital signatures.
> However, there's a number of problems:
> * No revocation in case of compromise
> * Privacy issues, i.e. leaking metadata
> * No key management (booster shots might require)
> * No use of standards for cross-app interoperability
> Furthermore, there appears to be differences between countries, and some
> countries do not use cryptography at all (the US). Therefore, as an
> American in France who flew home ASAP to get vaccinated in the US, as a
> consequence of this lack of interoperability I can't travel on trains or
> eat at restaurants easily, despite being vaccinated. I imagine this will
> become a larger problem.
> I have a report I'm willing to share, but I'd first like to know if there's
> any interest in standardization on this front at the IETF despite this
> topic being, I suspect, a bit of  astretch of our remit. However, we live
> in interesting times.
> I don't think the W3C (or the ITU, etc.) has the security expertise, and
> while the crypto and security/privacy here is pretty simple, I think it
> should happen somewhere. So I thought polling it by CFRG IRTF would be a
> good idea to see what would happen, as the CFRG has probably the largest
> security/privacy expertise in the wider IETF circles.
>           yours,
>              harry
> [1]

> _______________________________________________
> CFRG mailing list