Re: [saag] Interest COVID-19 'passport' standardization?

Eric Rescorla <ekr@rtfm.com> Fri, 30 July 2021 18:30 UTC

From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 30 Jul 2021 11:29:49 -0700
Message-ID: <CABcZeBO56B0YwEm5dbyp1=L_TN+EemoqGt6xDCPzMDRboDZVUw@mail.gmail.com>
To: Harry Halpin <hhalpin@ibiblio.org>, IETF SecDispatch <secdispatch@ietf.org>
Cc: IETF SAAG <saag@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/k93NqHR1LbBxsVKWuLJMPiP9OG4>

To recap my comments on CFRG:
There seems to be a lot of enthusiasm for this in various forums, and it's
largely not well coordinated, with each group (the EU, VCI, etc.) doing
their own thing, and producing work of various levels of quality. Before
the IETF got involved, I'd want to see some evidence that the various
players are interested in a common standard and want to do one here, lest
we end up with XKCD 927.

FWIW, I've spent a bunch of time looking at the various proposals. If
people are interested they can find it at:
https://educatedguesswork.org/tags/vaccine%20passports/

-Ekr




On Fri, Jul 30, 2021 at 11:18 AM Harry Halpin <hhalpin@ibiblio.org> wrote:

> Everyone [and apologies if you already got this message on CFRG or
> SECDISPATCH],
>
> While the research community and industry were very quick to work on
> privacy-enhanced contact tracing, I've seen very few people taking on the much
> more pressing issue of COVID-19 passports.
>
> If this IETF111 was in person, we could have done an informal BoF, but as
> it's not, I'm sending out an email to gauge interest.
>
> I've earlier seen some very badly done academic work using W3C "Verified
> Credentials" and W3C Decentralized Identifier (DID) standards [1]. However,
> while a bunch of sketchy blockchain technology has not been adopted (so
> far, although I believe IATA and WHO are still being heavily lobbied in
> this direction), there has been the release of the EU "Green" Digital
> Credentials that actually uses digital signatures.
>
> However, there's a number of problems:
>
> * No revocation in case of compromise
> * Privacy issues, i.e. leaking metadata
> * Limited key management (booster shots might require)
> * No use of standards for cross-app interoperability
>
> Furthermore, there appear to be differences between countries, and some
> countries do not use cryptography at all (the US). Therefore, as an
> American in France who flew home ASAP to get vaccinated in the US, as a
> consequence of this lack of interoperability I can't travel on trains or
> eat at restaurants easily, despite being vaccinated. I imagine this will
> become a larger problem.
>
> I have a report I'm willing to share, but I'd first like to know if
> there's any interest in standardization on this front at the IETF despite
> this topic being, I suspect, a bit of a stretch of our remit. However, we
> live in interesting times.
>
> I don't think the W3C (or the ITU, etc.) has the security expertise, and
> while the crypto and security/privacy here is pretty simple, I think it
> should happen somewhere.
>
> While I originally polled it by CFRG IRTF to see if there was any interest
> whatsoever, Benjamin Kaduk pointed out SAAG and SECDISPATCH would be better
> places to start. I'd like to know what others think.
>
>           yours,
>              harry
>
> [1] https://arxiv.org/abs/2012.00136