Re: [CFRG] Question over COVID-19 'passport' standardization?

Eric Rescorla <> Fri, 30 July 2021 18:02 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B05FB3A085F for <>; Fri, 30 Jul 2021 11:02:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id GFZu1QnCzbDu for <>; Fri, 30 Jul 2021 11:02:34 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::12b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3D8233A085D for <>; Fri, 30 Jul 2021 11:02:34 -0700 (PDT)
Received: by with SMTP id d10so10278399ils.7 for <>; Fri, 30 Jul 2021 11:02:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=RiulNb81jpX31CBNo1tKMQp7FcgIVphK0a2c6wtdVQI=; b=ivor+8tCnG5HW4DVffxcujVP779OK9Yl4930KsxBhkvLAt7od/O0Cle2h2UvVZ+pFD OaY0g2OBOSRq8R1wwpECBYAbM67BiZe0bh3+YK0d1idFLOfte0gdEV3E1g/Aa0d6HTZ6 sszGoh2C+PvtuM1DKBKLhefTppZhuxIqDnfX1JpWYcYDXBvSgRQNdhDfvBHn4xySLfx/ vmoowF1DC4kBE0TaXKbhl/MfURr1g2u/+oxHRkn7WxqZHHM5GzsiXNg1BzLP+5tgoczh Bw2/wh3ptIjQit7xOFiqCB73tvR1Y07zBlHrdmgdjULX4aC06biVxpOmjJsDrQmq9lir SV1w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=RiulNb81jpX31CBNo1tKMQp7FcgIVphK0a2c6wtdVQI=; b=ID8h8dJMPcEMSQd8529i2E8KhnJgb5TMfJbD++DIxhU2IhQZmXs1e6r/cHM5C6AyJt w6uKYFiJluBs2Oesrgo3/G3AH1zNqyUpIwYMwQWg/GwkmWvVUcqsVgO9MYtKADFWQKlT 9J+0HXGIfiiAqPt6FU0ZeJAkF5Z/CAewQqcbM53mTDGIy9zfjhMvlHRNe7qfzVmqg9rh jNsPJib80cTfw4HUrp1SnF3ktnvZ2z0A/+fIvVeZu3xKJRE+2j5yPGgt5dhWLO8bZ6Xp jWck5j22hsf+yk+y72Zirn7CNXkFyhfBLxuKpl8s1C+vEUX8h7s06mmKFmohxEX1B0l1 5reg==
X-Gm-Message-State: AOAM532RCKc2THfbOw/MTsw+fMWdE2YSTJYAH/dQ2xEacJhzYZy6Zwdm h7xhiMm9gkAG/XP24hUkY/vroFfnURNtn2tKVBBZQg==
X-Google-Smtp-Source: ABdhPJy6G9bcwpFWDNvLhsejkes/ePJWT4mk9Bh3xKxSTbweE9oA3meKvIc+Rj8z5y78Xqi6sXLPMZF87o59s9rtPmE=
X-Received: by 2002:a05:6e02:1aae:: with SMTP id l14mr1020236ilv.35.1627668152928; Fri, 30 Jul 2021 11:02:32 -0700 (PDT)
MIME-Version: 1.0
References: <>
In-Reply-To: <>
From: Eric Rescorla <>
Date: Fri, 30 Jul 2021 11:01:56 -0700
Message-ID: <>
To: Harry Halpin <>
Cc: cfrg <>
Content-Type: multipart/alternative; boundary="000000000000115d3c05c85b0601"
Archived-At: <>
Subject: Re: [CFRG] Question over COVID-19 'passport' standardization?
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 30 Jul 2021 18:02:39 -0000

On Fri, Jul 30, 2021 at 10:47 AM Harry Halpin <> wrote:

> Everyone,
> While the research community and industry was very quick to work on
> privacy-enhanced contact tracing, I've seen very few people taking the much
> more pressing issue of COVID-19 passports.
> I've earlier seen some very badly done academic work using W3C "Verified
> Credentials" and W3C Decentralized Identifier (DID) standards [1]. However,
> while a bunch of sketchy blockchain technology has not been adopted (so
> far, although I believe IATA and WHO are still being heavily lobbied in
> this direction), there has been the release of the EU "Green" Digital
> Credentials that actually uses digital signatures.
> However, there's a number of problems:
> * No revocation in case of compromise
> * Privacy issues, i.e. leaking metadata
> * No key management (booster shots might require)
> * No use of standards for cross-app interoperability

In case people are interested, here are my comments on the EU proposal

And a link to my comments on other proposals as well:

Re the EU: I'm not sure I entirely agree with your assessment. For
instance, the DGC does seem to have key management.

> Furthermore, there appears to be differences between countries, and some
> countries do not use cryptography at all (the US).

Well, there is no national system at all in the US, but there are systems
based on digital signatures in several states. For instance, California and

I don't think the W3C (or the ITU, etc.) has the security expertise, and
> while the crypto and security/privacy here is pretty simple, I think it
> should happen somewhere. So I thought polling it by CFRG IRTF would be a
> good idea to see what would happen, as the CFRG has probably the largest
> security/privacy expertise in the wider IETF circles.

As you say, this is pretty straightforward technically, so if there were to
be an I*TF effort, it should probably be an IETF WG rather than in the
CFRG. With that said, while I think standardization would be valuable, ISTM
that the problem here is a bunch of independent standards proceeding, so
I'd want to see some evidence that the various players (EU, VCI, etc.) were
interested before starting off, lest we fall into XKCD 927.