Re: [Secdispatch] [saag] Interest COVID-19 'passport' standardization?

Harry Halpin <hhalpin@ibiblio.org> Fri, 30 July 2021 22:09 UTC

References: <CAE1ny+4QdmSJS-spV6Do5yDs1x3iAwyHdSx=Oa+cRXU+ESZ2nA@mail.gmail.com> <CABcZeBO56B0YwEm5dbyp1=L_TN+EemoqGt6xDCPzMDRboDZVUw@mail.gmail.com> <7F5A47B0-4E26-4C51-AA21-6A6038A80A95@gmail.com> <CABcZeBNsjFaG9HZJ+0f3Czyikt3zpDkguveBh5id2rCHNNeAZg@mail.gmail.com> <66D90DC4-9BCF-4279-868E-61D5731EC2A4@webweaving.org>
In-Reply-To: <66D90DC4-9BCF-4279-868E-61D5731EC2A4@webweaving.org>
From: Harry Halpin <hhalpin@ibiblio.org>
Date: Sat, 31 Jul 2021 00:09:11 +0200
Message-ID: <CAE1ny+7AUUrV-yTFt_9Wp-M80yQZXWSgXGBf0TU2ddif92rgBw@mail.gmail.com>
To: Dirk-Willem van Gulik <dirkx@webweaving.org>
Cc: Eric Rescorla <ekr@rtfm.com>, IETF SecDispatch <secdispatch@ietf.org>, Henry Story <henry.story@gmail.com>, IETF SAAG <saag@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/mn_zrrJq1N8B353S_IPlZ-vU9a8>
Subject: Re: [Secdispatch] [saag] Interest COVID-19 'passport' standardization?

Everyone,

Good to see this conversation, and the contributions from Dirk have been
exceptionally relevant. In particular, I would put out of scope requiring
any verifier to be online and I would also put out of scope data formats
with limited real-world uptake, like W3C RDF and Verified Credentials. I
would focus on widely deployed standards, such as JOSE/COSE and TLS. In
this regard, the EU DGC has done well. I'd like to see international
comparison though, as I can imagine many other "proposals" or even working
systems are not using modern cryptography. I suspect there is definitely a
need for a privacy analysis that is more thorough than DGC has done
(surprised to see linkable signatures, centralized databases, and so on and
so forth) when we know how to build better and more in the EU
GDPR-compliant standards - although I suspect COVID-19 falls under a
national security derogation and so GDPR does not apply.

Not sure how many people are actually interested in chartering something
and the scope, but I'd be happy to host a meeting if someone is attending
IETF 111.

Although it may be rather late for some, I will be hosting a "side meeting"
virtually at the IETF 111 meeting today right after the CFRG IRTF meeting
ends. See the wiki for the link:
https://trac.ietf.org/trac/ietf/meeting/wiki/111sidemeetings

  yours,
    harry


On Fri, Jul 30, 2021 at 11:39 PM Dirk-Willem van Gulik <dirkx@webweaving.org>
wrote:

> On 30 Jul 2021, at 23:23, Eric Rescorla <ekr@rtfm.com> wrote:
>
> On Fri, Jul 30, 2021 at 2:19 PM Henry Story <henry.story@gmail.com> wrote:
>
>> The knowledge about the virus and the responses to it are evolving
>> very quickly, and so the flexibility of W3C Verifiable Credentials
>> comes in very handy here, as it is built on semantic web standards
>> built on top of first order logic, hypergraphs, and designed for
>> decentralisation, and evolvability.
>>
>
> I don't really agree with this claim. Some of the proposals here use
> VC and some do not, but they all seem roughly equally capable and
> flexible to me.
>
>
> From an implementor/designing perspective (both the NL domestic version
> -and- the EU DCC version)  — and although we tried very very hard - the
> absolute need for totally off-line use & preventing surveillance*, also, or
> especially by the issuing entities  (or blind trust in) combined with the
> inflexible state of the available semi-usable VC implementations and the
> very strong desire to have nothing ‘central’ and no ‘central trust’ - had
> us gradually evolve to something not quite VC. Despite this being the
> stated goal.
>
> So I think we have some useful lessons learned w.r.t. the importance of
> off-line / totally local validation.
>
> Dw
>
> *:  e.g. spiked certificates with something unlikely to be cached or
> requiring a very unique lookup/OCSP, etc.