Re: [Secdispatch] [saag] Interest COVID-19 'passport' standardization?

Henry Story <henry.story@gmail.com> Fri, 30 July 2021 21:19 UTC

I doubt that the problem with Covid credentials has to do with the 
format of the credentials, or even the signature technology used to 
sign them.

The knowledge about the virus and the responses to it are evolving
very quickly, and so the flexibility of W3C Verifiable Credentials 
comes in very handy here, as it is built on semantic web standards
built on top of first order logic, hypergraphs, and designed for 
decentralisation, and evolvability. 

This flexibility is particularly important in a geo-political reality 
that covers many nations, with many different languages, different laws 
and no center of control. 
 
The Verifiable Credentials standards do provide one important element
of the puzzle, but they do not help to tell which institutions
are authorized by a country to give out such credentials. That is something each
country can only decide for itself, each differently as each country
has different health systems, regulations, policing, etc…

So what is needed is a way to link these countries together so that 
a verifying software can tell at any time if the institution that signed
a credential is entitled to make such claims by its country, and a way
to allow different vocabularies to evolve in a way that makes convergence
possible.

This requires a Web of Nations (WoN), which I wrote up here:
https://co-operating.systems/2020/06/01/

Technologically we have all the pieces to build such a system.
But it requires many different parties to come together to get it to work.

Henry Story



> On 30. Jul 2021, at 20:29, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> To recap my comments on CFRG:
> There seems to be a lot of enthusiasm for this in various forums, and it's largely not well coordinated, with each group (the EU, VCI, etc.) doing their own thing, and producing work of various levels of quality. Before the IETF got involved, I'd want to see some evidence that the various players are interested in a common standard and want to do one here, lest we end up with XKCD 927.
> 
> FWIW, I've spent a bunch of time looking at the various proposals. If people are interested they can find it at:
> https://educatedguesswork.org/tags/vaccine%20passports/
> 
> -Ekr
> 
> 
> 
> 
> On Fri, Jul 30, 2021 at 11:18 AM Harry Halpin <hhalpin@ibiblio.org> wrote:
> Everyone [and apologies if you already got this message on CFRG or SECDISPATCH],
> 
> While the research community and industry was very quick to work on privacy-enhanced contact tracing, I've seen very few people taking the much more pressing issue of COVID-19 passports.
> 
> If this IETF111 was in person, we could have done an informal BoF, but as it's not, I'm sending out an email to gauge interest.
> 
> I've earlier seen some very badly done academic work using W3C "Verified Credentials" and W3C Decentralized Identifier (DID) standards [1]. However, while a bunch of sketchy blockchain technology has not been adopted (so far, although I believe IATA and WHO are still being heavily lobbied in this direction), there has been the release of the EU "Green" Digital Credentials that actually uses digital signatures.
> 
> However, there's a number of problems: 
> 
> * No revocation in case of compromise
> * Privacy issues, i.e. leaking metadata
> * Limited key management (booster shots might require)
> * No use of standards for cross-app interoperability
> 
> Furthermore, there appear to be differences between countries, and some countries do not use cryptography at all (the US). Therefore, as an American in France who flew home ASAP to get vaccinated in the US, as a consequence of this lack of interoperability I can't travel on trains or eat at restaurants easily, despite being vaccinated. I imagine this will become a larger problem.
> 
> I have a report I'm willing to share, but I'd first like to know if there's any interest in standardization on this front at the IETF despite this topic being, I suspect, a bit of a stretch of our remit. However, we live in interesting times.
> 
> I don't think the W3C (or the ITU, etc.) has the security expertise, and while the crypto and security/privacy here is pretty simple, I think it should happen somewhere. 
> 
> While I originally polled it by CFRG IRTF to see if there was any interest whatsoever, Benjamin Kaduk pointed out SAAG and SECDISPATCH would be better places to start. I'd like to know what others think.
> 
>           yours,
>              harry
> 
> [1] https://arxiv.org/abs/2012.00136
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag