IETF Logo Mail Archive

Re: [saag] [Secdispatch] Interest COVID-19 'passport' standardization?

Harry Halpin <hhalpin@ibiblio.org> Fri, 30 July 2021 22:09 UTC

Return-Path: <hhalpin@ibiblio.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B65FB3A1338 for <saag@ietfa.amsl.com>; Fri, 30 Jul 2021 15:09:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ibiblio-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WaBOnmontb81 for <saag@ietfa.amsl.com>; Fri, 30 Jul 2021 15:09:29 -0700 (PDT)
Received: from mail-ed1-x530.google.com (mail-ed1-x530.google.com [IPv6:2a00:1450:4864:20::530]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9EF873A1324 for <saag@ietf.org>; Fri, 30 Jul 2021 15:09:29 -0700 (PDT)
Received: by mail-ed1-x530.google.com with SMTP id x90so15156737ede.8 for <saag@ietf.org>; Fri, 30 Jul 2021 15:09:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibiblio-org.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=HrIh+RcS2eTIh6l4IrDym/kQzORY5J7tvcL0WCGmmxI=; b=p1igT820tEQEshXxLEVgOERSJDpKNAoexJXjP+7FB0sN8YQN2qtgfxV4Jbh6HVdU4f fH5eOoVJUe1V3xRPpVzDjeVQNzLAB0QFobMtoOeq4DYEdcumyy9jCTrGBxBVrm2JRhGi W9fWcWr6e5YFQ9fYaq0Y4Or4KElR0uy5htEbLubAGvQtnyJW5j3GW62xgOhsKROfNpcr gpuqIee+W3dCpXKBlKVytH027u1EeXcL5qvVGm7vRIRO8jr2CPj/GbI0u4dLfnQEdMhA VaDw5vc1zv90zZ8iPWJvTBgYr7hVFEcaOBYHsZUGN90YkXfXzNWX1SRD4uMCpg+DZDBx 16+Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=HrIh+RcS2eTIh6l4IrDym/kQzORY5J7tvcL0WCGmmxI=; b=rjSU1AZ113To7SWbYcgvd1nNtwBRk2elC0UuDNwh8dFlaWpjWVrWh8n7ViMZNkEZBo KaEzhTV/JerU73BwH2H2w1uZdd1KJ9u8Zblum6lg7GeWu4wKXu3SZ7UCuXc2Bk76oVsh ESw24zDVpn1FLE/Su83dQvl3ffUf4NceUzPXUfrSjrtRcQNnZqQrqQsMX5x/kzzk89gX LIgmB7sjQtV7AiJEKYmJrhmql1IMkTn0GHBI17nsCmvC0w6g948iOxC+I6+ENIrcMuO2 nkmiZro392+ZDQdZXpT5Nrz2XTob9w/EXxyBIu7knltMqMOy+PHCfeQ7x8BROBd00Jpn G1bQ==
X-Gm-Message-State: AOAM531oKbKYrp1JfbhKSB/x/lhahEpDORBJ0FGAX+t+8c3KlOws8SC3 gt0XCSPw4EyshrbDV5wlAt1UCVDJGAConVwJxpyq0w==
X-Google-Smtp-Source: ABdhPJy3pTmS/u9QLGy/ENKYag0PJArs/KGaCoEjDOqOJNWNz96aMagxVekR00d1WIKBEf6jtvmU4Jc7IFJPF7L8YHc=
X-Received: by 2002:aa7:c857:: with SMTP id g23mr5682970edt.100.1627682962541; Fri, 30 Jul 2021 15:09:22 -0700 (PDT)
MIME-Version: 1.0
References: <CAE1ny+4QdmSJS-spV6Do5yDs1x3iAwyHdSx=Oa+cRXU+ESZ2nA@mail.gmail.com> <CABcZeBO56B0YwEm5dbyp1=L_TN+EemoqGt6xDCPzMDRboDZVUw@mail.gmail.com> <7F5A47B0-4E26-4C51-AA21-6A6038A80A95@gmail.com> <CABcZeBNsjFaG9HZJ+0f3Czyikt3zpDkguveBh5id2rCHNNeAZg@mail.gmail.com> <66D90DC4-9BCF-4279-868E-61D5731EC2A4@webweaving.org>
In-Reply-To: <66D90DC4-9BCF-4279-868E-61D5731EC2A4@webweaving.org>
From: Harry Halpin <hhalpin@ibiblio.org>
Date: Sat, 31 Jul 2021 00:09:11 +0200
Message-ID: <CAE1ny+7AUUrV-yTFt_9Wp-M80yQZXWSgXGBf0TU2ddif92rgBw@mail.gmail.com>
To: Dirk-Willem van Gulik <dirkx@webweaving.org>
Cc: Eric Rescorla <ekr@rtfm.com>, IETF SecDispatch <secdispatch@ietf.org>, Henry Story <henry.story@gmail.com>, IETF SAAG <saag@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ca1e1d05c85e7811"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/J3PS2Yra1etG2wo6TguToeTRWQ4>
Subject: Re: [saag] [Secdispatch] Interest COVID-19 'passport' standardization?
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Jul 2021 22:09:42 -0000

Everyone,

Good to see this conversation, and the contributions from Dirk have been
exceptionally relevant. In particular, I would put out of scope requiring
any verifier to be online and I would also put out of scope data formats
with limited real-world uptake, like W3C RDF and Verified Credentials. I
would focus on widely deployed standards, such as JOSE/COSE and TLS. In
this regard, the EU DGC has done well. I'd like to see international
comparison though, as I can imagine many other "proposals" or even working
systems are not using modern cryptography. I suspect there is definitely a
need for a privacy analysis that is more thorough than DGC has done
(surprised to see linkable signatures, centralized databases, and so on and
so forth) when we know how to build better and more in the EU
GDPR-compliant standards - although I suspect COVID-19 falls under a
national security derogation and so GDPR does not apply.

Not sure how many people are actually interested in chartering something
and the scope, but I'd be happy to host a meeting if someone is attending
IETF 111.

Although it may be rather late for some, I will be hosting a "side meeting"
virtually at the IETF 111 meeting today right after the CFRG IRTF meeting
ends. See the wiki for the link:
https://trac.ietf.org/trac/ietf/meeting/wiki/111sidemeetings

  yours,
    harry


On Fri, Jul 30, 2021 at 11:39 PM Dirk-Willem van Gulik <dirkx@webweaving.org>
wrote:

> On 30 Jul 2021, at 23:23, Eric Rescorla <ekr@rtfm.com> wrote:
>
> On Fri, Jul 30, 2021 at 2:19 PM Henry Story <henry.story@gmail.com> wrote:
>
>> The knowledge about the virus and the responses to it are evolving
>> very quickly, and so the flexibility of W3C Verifiable Credentials
>> comes in very handy here, as it is built on semantic web standards
>> built on top of first order logic, hypergraphs, and designed for
>> decentralisation, and evolvability.
>>
>
> I don't really agree with this claim. Some of the proposals here use
> VC and some do not, but they all seem roughly equally capable and
> flexible to me.
>
>
> From an implementor/designing perspective (both the NL domestic version
> -and- the EU DCC version)  — and although we tried very very hard - the
> absolute need for totally off-line use & preventing surveillance*, also, or
> especially by the issuing entities  (or blind trust in) combined with the
> inflexible state of the available semi-usable VC implementations and the
> very strong desire to have nothing ‘central’ and no ‘central trust’ - had
> us gradually evolve to something not quite VC. Despite this being the
> stated goal.
>
> So I think we have some useful lessons learned w.r.t. the importance of
> off-line / totally local validation.
>
> Dw
>
> *:  e.g. spiked certificates with something unlikely to be cached or
> requiring a very unique lookup/OCSP, etc.
> _______________________________________________
> Secdispatch mailing list
> Secdispatch@ietf.org
> https://www.ietf.org/mailman/listinfo/secdispatch
>

v2.8.7 | Report a Bug | By Email