Re: [CFRG] Question over COVID-19 'passport' standardization?

Harry Halpin <> Fri, 30 July 2021 18:32 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9096A3A09CE for <>; Fri, 30 Jul 2021 11:32:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id xncU5my93GKL for <>; Fri, 30 Jul 2021 11:32:16 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::52e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A46E03A09C6 for <>; Fri, 30 Jul 2021 11:32:15 -0700 (PDT)
Received: by with SMTP id h8so14456513ede.4 for <>; Fri, 30 Jul 2021 11:32:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=HNbg+/EKAGDHwjKepnqnrNLE4MTkBYET1zMzHl7qR1U=; b=d024IJStnnJvnKaqaPZtBS+KpI2JTbF/HAVT6Gir8nDIlFWJF1tdhwFfRZkCiJ4ATU RHsCTBNPOYxQUwZ75RKZ29mx8U7yHODXVt6nfDPSQHDwH0wYVAO7eWhqAHy7ltHvoP3c bHoT3YO+xg0eEkFsgY+GehVrQo6GoVCaNLtaI0vquqF5uMdI+HJiDosCFivG/g0rWNFU IgtF23RGbmtHoBqoemcl8lJpsi93VTE96SQRZt9cC3jk3/y9FkIXt38cQC2Q0SgxDDAa UwGm0HGdU5ytWwvpCrWpiL67tjeGs6vucbhqq0teazW/JqKUC4LqI2P2twBrkKqInHW1 D1/g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=HNbg+/EKAGDHwjKepnqnrNLE4MTkBYET1zMzHl7qR1U=; b=rMu7RYVwZXzgzW+zDM+YCCThwaetQsAgVkV0VUO7gu+NzrwMGq++5Ilmph6+Z3r3v6 dffIeDL14wiwcLo83UOt4SyZjNtDLByRya9M8e1bW+ia+n/0LdoYmh1pNTAA0HSOGt8v Kt6cx9zjYl9DZab8aON9hFN6E8Xc4557O85nE7Eytu/bx58LOPS2lL3qevJ8NKG3tWRC MElmHkQLyX1JeJK9KstN2yhmo8FQZvczdpmtgaZd6tRsl6FxcaizdeEfRROsnGKYfhnI 8Vsm00FWcxlVnWebZJvMT5wmXWJBd3llZYtvH4oIjovl/5FrOuUtlARpEH61XTRGVGH+ Y2Mw==
X-Gm-Message-State: AOAM530kgcKLvvNXxNI6VGUKupvS8w6hdX8mEeQnn16SZNFaTHpkF9eS csyCisVbm1kuyC3UIiHkLbYWoH5oh0fMGI8Kz6zfor9yllNqcReq
X-Google-Smtp-Source: ABdhPJxGA4NSNR1qUYc8IvDqKP+MoN6AwZ6xfyGHIGoEesX0Vuy9SXoW2I1m7QjV2/MiHv24m9cbOnnauRVbacPFhIs=
X-Received: by 2002:aa7:c857:: with SMTP id g23mr4493728edt.100.1627669933514; Fri, 30 Jul 2021 11:32:13 -0700 (PDT)
MIME-Version: 1.0
References: <> <>
In-Reply-To: <>
From: Harry Halpin <>
Date: Fri, 30 Jul 2021 20:32:02 +0200
Message-ID: <>
Content-Type: multipart/alternative; boundary="00000000000032f8ad05c85b7017"
Archived-At: <>
Subject: Re: [CFRG] Question over COVID-19 'passport' standardization?
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 30 Jul 2021 18:32:21 -0000


Thanks for the procedural note - just gauging interest (as this is the main
list I follow in the I*TF circles), but I just sent the message to gauge
interest in SAAG and SECDISPATCH.

Vaccine passports are obviously an international issue, and while I see
some major players in the "Vaccine Certificates Initiative" (VCI) like
Microsoft, Google, and Apple, I would also be worried as I seem
blockchain-pushers like Consensys Health that have backed the rather
insecure and privacy-invasive W3C "Verified Credential" approach (which
doesn't even have a normalization algorithm, and so risks repeating all the
mistakes of XML-DSIG on RDF data) rather than use something sane like
JOSE/COSE. Likewise, VCI features the Commons Project, whose "CommonPass"
was the first vaccine passport to be beta-tested between the UK and US, but
this rather mysterious group doesn't even have an open source
implementation or design doc. Thus, as a private member-only group without
open docs or an open github/mailing list, I'm not so sure I trust VCI to
pull off something that works well in terms of security or privacy as a
'real' standard should have.

So while I'd prefer not to have vaccine passports due to ethical concerns,
and yet at this point they seem likely to happen as some sort of
international standard whether I like it or not, and it seems like (at
least in France) the roll-out has been rather rushed from a privacy and
security standpoint.

I can't honestly think of another venue than the IETF, although the venue
selection seems odd.


On Fri, Jul 30, 2021 at 8:03 PM Benjamin Kaduk <> wrote:

> Hi Harry,
> Some arguably-pedantic process-adjacent notes: CFRG is a group of the
> Internet Research Task Force, which does not produce standards.  (It does
> have a bunch of smart people who know a lot about crypto, security, and
> privacy, of course.)
> There's also various fora at the Internet Engineering Task Force that cover
> security and privacy, often by way of cryptography, and the IETF does
> produce standards.  So, if the goal is to "produce a standard", starting at
> the IETF SECDISPATCH or SAAG groups might be appropriate.  If the goal is
> just to produce the right technology regardless of what it's called, then
> I'm not really sure what objections there would be to covering it here.
> -Ben
> On Fri, Jul 30, 2021 at 07:47:13PM +0200, Harry Halpin wrote:
> > Everyone,
> >
> > While the research community and industry was very quick to work on
> > privacy-enhanced contact tracing, I've seen very few people taking the
> much
> > more pressing issue of COVID-19 passports.
> >
> > I've earlier seen some very badly done academic work using W3C "Verified
> > Credentials" and W3C Decentralized Identifier (DID) standards [1].
> However,
> > while a bunch of sketchy blockchain technology has not been adopted (so
> > far, although I believe IATA and WHO are still being heavily lobbied in
> > this direction), there has been the release of the EU "Green" Digital
> > Credentials that actually uses digital signatures.
> >
> > However, there's a number of problems:
> >
> > * No revocation in case of compromise
> > * Privacy issues, i.e. leaking metadata
> > * No key management (booster shots might require)
> > * No use of standards for cross-app interoperability
> >
> > Furthermore, there appears to be differences between countries, and some
> > countries do not use cryptography at all (the US). Therefore, as an
> > American in France who flew home ASAP to get vaccinated in the US, as a
> > consequence of this lack of interoperability I can't travel on trains or
> > eat at restaurants easily, despite being vaccinated. I imagine this will
> > become a larger problem.
> >
> > I have a report I'm willing to share, but I'd first like to know if
> there's
> > any interest in standardization on this front at the IETF despite this
> > topic being, I suspect, a bit of  astretch of our remit. However, we live
> > in interesting times.
> >
> > I don't think the W3C (or the ITU, etc.) has the security expertise, and
> > while the crypto and security/privacy here is pretty simple, I think it
> > should happen somewhere. So I thought polling it by CFRG IRTF would be a
> > good idea to see what would happen, as the CFRG has probably the largest
> > security/privacy expertise in the wider IETF circles.
> >
> >           yours,
> >              harry
> >
> > [1]
> > _______________________________________________
> > CFRG mailing list
> >
> >