IETF Logo Mail Archive

Re: [Secdispatch] Interest COVID-19 'passport' standardization?

Phillip Hallam-Baker <phill@hallambaker.com> Fri, 30 July 2021 18:51 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 551693A0A62 for <secdispatch@ietfa.amsl.com>; Fri, 30 Jul 2021 11:51:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.648
X-Spam-Level:
X-Spam-Status: No, score=-1.648 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WQIHvOpdXePN for <secdispatch@ietfa.amsl.com>; Fri, 30 Jul 2021 11:51:07 -0700 (PDT)
Received: from mail-yb1-f171.google.com (mail-yb1-f171.google.com [209.85.219.171]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 87DD13A0A41 for <secdispatch@ietf.org>; Fri, 30 Jul 2021 11:51:07 -0700 (PDT)
Received: by mail-yb1-f171.google.com with SMTP id g76so17602606ybf.4 for <secdispatch@ietf.org>; Fri, 30 Jul 2021 11:51:07 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=lwQskSOSc3QMd71kK9p92jMqKbBO/xpsP/O7vUfQsAA=; b=deR3puVhM1vVvqCVJxXONVbhowAovTZOl44spIHkB3aRd/4x1E1Xy5FaGGlixFuC00 SG6VYCN06GiKvOzDmxEZwc74S9UzUZfFYoUy8/NmcS6xGZqfrdeOfYtXeFHHD0ZhCZMH XW+w7dHfpPh4CUqI16HvD17GYawpmJk/dSgmtqEfPyGltlsuCbn+FyfiOM8sY5PU6PNo 4PGL9/5E6LXBk3SU7F/VSyFLBMqBH1alb0wxknaqJouNxfpQ5kGQnJwu+b1kWXlT5xVF 5+oDJFD3TVQI53IEqLzXSAnTw/IIa6+6t8LtkWu7Pn5q/EgELPKA1Qk4PK5QWOc4Jcjs bMBw==
X-Gm-Message-State: AOAM532ElfPtCLvNVPdWD4GOpKUNNVR1hSSLp9s/TyrKoTx7lAjdu3kR PnXyWJOf/Z1T+Oo5hT6ZifkofhgSwIh2dRKvtxA=
X-Google-Smtp-Source: ABdhPJxMpUaDaVympA0J0/FRr65qFj7SnTtlwLAfk8YsoZS91ZsQsavLNp4+0I7nhsZocCj2Nih28m0O1M7hg/KzvtY=
X-Received: by 2002:a25:e60a:: with SMTP id d10mr4782969ybh.56.1627671066396; Fri, 30 Jul 2021 11:51:06 -0700 (PDT)
MIME-Version: 1.0
References: <CAE1ny+7VgchUXtq_BFT7kQjN+Gd2hVQTa=LWe3R11gkbHq-j7w@mail.gmail.com>
In-Reply-To: <CAE1ny+7VgchUXtq_BFT7kQjN+Gd2hVQTa=LWe3R11gkbHq-j7w@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Fri, 30 Jul 2021 14:50:55 -0400
Message-ID: <CAMm+Lwjc6A4KbHZ_CRs1icy0UhmwgQgnF+YGzLrKQ9J5LbGghw@mail.gmail.com>
To: Harry Halpin <hhalpin@ibiblio.org>
Cc: IETF SecDispatch <secdispatch@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b94a5005c85bb324"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/VOoSD048S0M-snrrKVt21WREBMQ>
Subject: Re: [Secdispatch] Interest COVID-19 'passport' standardization?
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Jul 2021 18:51:12 -0000

While I would be interested in working on this, I don't see a role for the
IETF unless the government bodies come to IETF asking for the spec. Get the
stakeholders round the table before we start talking or it is pointless.

The problem here of course is that the governments/airlines etc. don't
typically have people with the direct experience of designing this sort of
infrastructure. So the most likely outcome is some sort of committee
process where almost nobody in the room has the confidence to do the job
from scratch and so they start with 'lets build from an existing system it
will be quicker' and end up in the mud.


Looking at the paper, it does not mention SAML which is actually the only
cryptographic assertion format that was expressly designed for this type of
use case. The OASIS TC had a much more narrow scope but the original work I
did on TAXI (Trust Assertion XML Infrastructure) is the work that was
adopted to become the A in SAML.

If I was going to revisit that area, I would definitely start from the SAML
semantics. People could recast them in JSON or even CBOR if they really
wanted but it would be rather pointless.

I would certainly avoid PKIX because the TAXI work was begin to address
major shortcomings in the semantics of X.509v3 attribute assertions that we
had discovered trying to apply them to this type of application.

I would also be less interested in OATH, OAUTH, OpenID, etc because they
are all designed as Web authentication/authorization schemes and 80% of the
specs are working around the constraints of that environment, none of which
are relevant to this application. You might as well start with DNSSEC as a
starting point.


The Mesh has a scheme in which a URL which can be presented as a QR code
contains both a locator and a decryption key which can be used to
retrieve a static encrypted blob from a Web server and decrypt and
authenticate it:

Mathematical Mesh 3.0 Part II: Uniform Data Fingerprint. (ietf.org)
<https://www.ietf.org/archive/id/draft-hallambaker-mesh-udf-12.html>

The intended field of application was to make it easy to transfer from
paper driven processes to digital (and back if needed). There are many
bureaucratic processes that are paper driven. So digital forms end up being
printed out on paper. The EARL scheme allows the paper to have a QR code
from which the digital version of the data can be recovered.

So electricity company sends me a bill on paper, I scan the QR code, it
goes to my payments app.

The data on the Web server is inaccessible to any party unless they have
the QR code. So this makes a paper document (e.g. patient record) a bearer
token for access to the plaintext.


The way I would apply this to COVID passports is that I would print out a
QR code on a sticker and stick it on the back of the passport. So airline
etc. can scan the sticker and get the vaccination status. This can then be
correlated to the data obtained from the passport scan.

To source the data, I would have each clinic issue signed SAML assertions
under a signing key validated by a PKIX credential. I would not use PKIX
for the vaccination assertions, the semantics don't match. But I would take
advantage of the fact that DigiCert, Sectigo, etc. already have all the
CA/LRA etc infrastructure deployed and could spin up private CAs for this
in a matter of days.

If audit transparency was required, I would not go to Blockchain, I would
go to Certificate Transparency. But that is very much a secondary issue.





On Fri, Jul 30, 2021 at 2:19 PM Harry Halpin <hhalpin@ibiblio.org> wrote:

> Everyone [and apologies if you already got this message on CFRG or SAAG],
>
> While the research community and industry was very quick to work on
> privacy-enhanced contact tracing, I've seen very few people taking the much
> more pressing issue of COVID-19 passports.
>
> If this IETF111 was in person, we could have done an informal BoF, but as
> its' not, I'm sending out an email to gauge interest.
>
> I've earlier seen some very badly done academic work using W3C "Verified
> Credentials" and W3C Decentralized Identifier (DID) standards [1]. However,
> while a bunch of sketchy blockchain technology has not been adopted (so
> far, although I believe IATA and WHO are still being heavily lobbied in
> this direction), there has been the release of the EU "Green" Digital
> Credentials that actually uses digital signatures.
>
> However, there's a number of problems:
>
> * No revocation in case of compromise
> * Privacy issues, i.e. leaking metadata
> * Limited key management (booster shots might require)
> * No use of standards for cross-app interoperability
>
> Furthermore, there appears to be differences between countries, and some
> countries do not use cryptography at all (the US). Therefore, as an
> American in France who flew home ASAP to get vaccinated in the US, as a
> consequence of this lack of interoperability I can't travel on trains or
> eat at restaurants easily, despite being vaccinated. I imagine this will
> become a larger problem.
>
> I have a report I'm willing to share, but I'd first like to know if
> there's any interest in standardization on this front at the IETF despite
> this topic being, I suspect, a bit of  astretch of our remit. However, we
> live in interesting times.
>
> I don't think the W3C (or the ITU, etc.) has the security expertise, and
> while the crypto and security/privacy here is pretty simple, I think it
> should happen somewhere.
>
> While I originally polled it by CFRG IRTF to see if there was any interest
> whatsoever, Benjamin Kaduk pointed out SAAG and SECDISPATCH would be better
> places to start. I'd like to know what others think.
>
>           yours,
>              harry
>
> [1] https://arxiv.org/abs/2012.00136
> _______________________________________________
> Secdispatch mailing list
> Secdispatch@ietf.org
> https://www.ietf.org/mailman/listinfo/secdispatch
>

v2.23.0 | Report a Bug | By Email