[CFRG] Question over COVID-19 'passport' standardization?

Harry Halpin <hhalpin@ibiblio.org> Fri, 30 July 2021 17:47 UTC

Return-Path: <hhalpin@ibiblio.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 5E2C43A07BD for <cfrg@ietfa.amsl.com>; Fri, 30 Jul 2021 10:47:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ibiblio-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id Gr7ZD8Lmx8gq for <cfrg@ietfa.amsl.com>; Fri, 30 Jul 2021 10:47:26 -0700 (PDT)
Received: from mail-ej1-x641.google.com (mail-ej1-x641.google.com [IPv6:2a00:1450:4864:20::641]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 568023A07BC for <cfrg@irtf.org>; Fri, 30 Jul 2021 10:47:26 -0700 (PDT)
Received: by mail-ej1-x641.google.com with SMTP id o5so18247987ejy.2 for <cfrg@irtf.org>; Fri, 30 Jul 2021 10:47:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibiblio-org.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=sJlL2VR1ce5znNq2xMXxe3xu0McOz4HEysXwSjaAR/g=; b=1mdtCJ3lPAxEHmxi01kN4DxHT39hLPGOhXA9stTasIK+vdwogDcH7RuRihqRfGW0XH 6Dxf/ZL6bM4ry8SN9CuHZQLWvgMWSdqC9SIQ9jMIbNWQVxiyc4rWyQoLtFKC2i/7/dpQ 4b1vN/5m69QU6MhDA0B3f7IKVQRITxrDhFmZ9bPcotHs8A/cETDmevq6MQMP9jlvqxSW MF3XMIRT3xj5OdQ3Zfe60P+q+D5MWCIrFmPM8CpjVWNUpOu/rYE9M2lsJZ+xh4/6SQtb B5WtTjo6D7bEFCuXsIlc8Oy+6a5/2vnOCOekvxwYRX1EYH95ukDWlFDmzeyufQ4PQkji Kjtg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=sJlL2VR1ce5znNq2xMXxe3xu0McOz4HEysXwSjaAR/g=; b=DgODGSjkFTK744IJlBhKtaSTZr8bzlpLm4Ac7+KZG6mp3wPS8cACtx4C386Z03YcMY 6UUIKfdlK9DFgJ9sHHPNrXhRuotXkMnKNhxFC09qcd/f7HqbyKbaXL23eRTa3XM0E37q gTqDtJ6Oqt7xQMCEi50e+4AqzIEpfZA2huiAfOwNU9VAj5IgSGcC/wiPAY/lUlylghGf vN9T+VrfSl/IVtHb7loqAjDqy9vfJNbWY1csH8/2cZx3B7w+r7D63xwoSjoAcUh5fEXD QtTMNiNQItzX0JdrgjZOcoSi0g53tqM0vYuC0N8gTAEbg0b+2gHqNLkr8smRfMxA8rX4 G6GA==
X-Gm-Message-State: AOAM531Nl7dEUDepdf5V5EAwx0Uy74nvUjKanaUVhoAZIELVgvlverS5 i5lL1SeGhqjCebw0T0lO3F6qur4IIT5KwUhOPbnreapQAzmY2Ptbdnw=
X-Google-Smtp-Source: ABdhPJxMd5biwSRGuSLgoUCLl3aSZmeMjNTXZfhav1ZBZs+ItFAv8hQWRe5XFzsyiuK5Ha8GejG4rsZfgY8R4JHccys=
X-Received: by 2002:a17:907:75f6:: with SMTP id jz22mr3733120ejc.216.1627667244089; Fri, 30 Jul 2021 10:47:24 -0700 (PDT)
MIME-Version: 1.0
From: Harry Halpin <hhalpin@ibiblio.org>
Date: Fri, 30 Jul 2021 19:47:13 +0200
Message-ID: <CAE1ny+6PweMpP4jc-G06VdUOM-d8sJ9VraFs-QJ2=BgOegv9MA@mail.gmail.com>
To: cfrg@irtf.org
Content-Type: multipart/alternative; boundary="000000000000e5a0dd05c85acf55"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/NP_QBDKQLtlI1fgbWOe7giXeo78>
Subject: [CFRG] Question over COVID-19 'passport' standardization?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Jul 2021 17:47:31 -0000


While the research community and industry was very quick to work on
privacy-enhanced contact tracing, I've seen very few people taking the much
more pressing issue of COVID-19 passports.

I've earlier seen some very badly done academic work using W3C "Verified
Credentials" and W3C Decentralized Identifier (DID) standards [1]. However,
while a bunch of sketchy blockchain technology has not been adopted (so
far, although I believe IATA and WHO are still being heavily lobbied in
this direction), there has been the release of the EU "Green" Digital
Credentials that actually uses digital signatures.

However, there's a number of problems:

* No revocation in case of compromise
* Privacy issues, i.e. leaking metadata
* No key management (booster shots might require)
* No use of standards for cross-app interoperability

Furthermore, there appears to be differences between countries, and some
countries do not use cryptography at all (the US). Therefore, as an
American in France who flew home ASAP to get vaccinated in the US, as a
consequence of this lack of interoperability I can't travel on trains or
eat at restaurants easily, despite being vaccinated. I imagine this will
become a larger problem.

I have a report I'm willing to share, but I'd first like to know if there's
any interest in standardization on this front at the IETF despite this
topic being, I suspect, a bit of  astretch of our remit. However, we live
in interesting times.

I don't think the W3C (or the ITU, etc.) has the security expertise, and
while the crypto and security/privacy here is pretty simple, I think it
should happen somewhere. So I thought polling it by CFRG IRTF would be a
good idea to see what would happen, as the CFRG has probably the largest
security/privacy expertise in the wider IETF circles.


[1] https://arxiv.org/abs/2012.00136