IETF Logo Mail Archive

Re: [saag] Interest COVID-19 'passport' standardization?

Carsten Bormann <cabo@tzi.org> Mon, 02 August 2021 13:26 UTC

Return-Path: <cabo@tzi.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B7283A1DCC for <saag@ietfa.amsl.com>; Mon, 2 Aug 2021 06:26:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PiQpN6qK1YCf for <saag@ietfa.amsl.com>; Mon, 2 Aug 2021 06:26:24 -0700 (PDT)
Received: from gabriel-smtp.zfn.uni-bremen.de (gabriel-smtp.zfn.uni-bremen.de [IPv6:2001:638:708:32::15]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 789603A1DCB for <saag@ietf.org>; Mon, 2 Aug 2021 06:26:24 -0700 (PDT)
Received: from [192.168.217.118] (p548dcc89.dip0.t-ipconnect.de [84.141.204.137]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by gabriel-smtp.zfn.uni-bremen.de (Postfix) with ESMTPSA id 4Gdf0P25Pyz2xK7; Mon, 2 Aug 2021 15:26:12 +0200 (CEST)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\))
From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <E0FDB1EE-256D-4925-9EE7-49DE212BFF02@gmail.com>
Date: Mon, 2 Aug 2021 15:26:03 +0200
Cc: IETF SAAG <saag@ietf.org>
X-Mao-Original-Outgoing-Id: 649603561.981208-4d7ea745dc68379f381222014801527d
Content-Transfer-Encoding: quoted-printable
Message-Id: <360C07DB-2B3A-4CDF-9747-31D2FCBABFC4@tzi.org>
References: <CAE1ny+4QdmSJS-spV6Do5yDs1x3iAwyHdSx=Oa+cRXU+ESZ2nA@mail.gmail.com> <CADPMZDBu2cbtWk7Y4YMKXOWXQoKsBkAD9D1AuC_Rp+9xHawX7w@mail.gmail.com> <E0FDB1EE-256D-4925-9EE7-49DE212BFF02@gmail.com>
To: Henry Story <henry.story@gmail.com>
X-Mailer: Apple Mail (2.3608.120.23.2.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/33g_Yb6ETFGByAHgqIiOYQHh9cI>
Subject: Re: [saag] Interest COVID-19 'passport' standardization?
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Aug 2021 13:26:27 -0000

On 2021-08-02, at 13:41, Henry Story <henry.story@gmail.com> wrote:
> 
> In the end we are all going to get it: vaccines rollouts are indeed aiming 
> at doing just that. So that is why I would not be that worried about privacy 
> with such Credentials. 

I’m not sure that I understand what you are saying.

Clearly, the DGC is a privacy disaster: To enable checking that it actually pertains to me, I need to present some government ID, which reveals my wallet name (and often much more information).

Since we don’t have any other way to link the DGC to a physical person except via (the tenuous link of) a government ID, there was no other way to get the DGC out quickly.

But I sure hope there will be a 2.0 process at some point that doesn’t automatically reveal all the information on my government ID.

This is not a theoretical concern, as I may need to use my DGC to get access to a place where I’d definitely want to use directed identity.

Grüße, Carsten

v2.8.7 | Report a Bug | By Email