Re: [Secdispatch] [saag] Interest COVID-19 'passport' standardization?
Eric Rescorla <ekr@rtfm.com> Fri, 30 July 2021 18:30 UTC
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 30 Jul 2021 11:29:49 -0700
Message-ID: <CABcZeBO56B0YwEm5dbyp1=L_TN+EemoqGt6xDCPzMDRboDZVUw@mail.gmail.com>
To: Harry Halpin <hhalpin@ibiblio.org>, IETF SecDispatch <secdispatch@ietf.org>
Cc: IETF SAAG <saag@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/ryVwuKveYBYgP3dYVHDLNhRGX7M>
Subject: Re: [Secdispatch] [saag] Interest COVID-19 'passport'
standardization?

To recap my comments on CFRG: There seems to be a lot of enthusiasm for this in various forums, and it's largely not well coordinated, with each group (the EU, VCI, etc.) doing their own thing, and producing work of various levels of quality. Before the IETF got involved, I'd want to see some evidence that the various players are interested in a common standard and want to do one here, lest we end up with XKCD 927.

FWIW, I've spent a bunch of time looking at the various proposals. If people are interested they can find it at: https://educatedguesswork.org/tags/vaccine%20passports/

-Ekr

On Fri, Jul 30, 2021 at 11:18 AM Harry Halpin <hhalpin@ibiblio.org> wrote:

> Everyone [and apologies if you already got this message on CFRG or
> SECDISPATCH],
>
> While the research community and industry was very quick to work on
> privacy-enhanced contact tracing, I've seen very few people taking the much
> more pressing issue of COVID-19 passports.
>
> If this IETF111 was in person, we could have done an informal BoF, but as
> it's not, I'm sending out an email to gauge interest.
>
> I've earlier seen some very badly done academic work using W3C "Verified
> Credentials" and W3C Decentralized Identifier (DID) standards [1]. However,
> while a bunch of sketchy blockchain technology has not been adopted (so
> far, although I believe IATA and WHO are still being heavily lobbied in
> this direction), there has been the release of the EU "Green" Digital
> Credentials that actually uses digital signatures.
>
> However, there's a number of problems:
>
> * No revocation in case of compromise
> * Privacy issues, i.e. leaking metadata
> * Limited key management (booster shots might require)
> * No use of standards for cross-app interoperability
>
> Furthermore, there appear to be differences between countries, and some
> countries do not use cryptography at all (the US). Therefore, as an
> American in France who flew home ASAP to get vaccinated in the US, as a
> consequence of this lack of interoperability I can't travel on trains or
> eat at restaurants easily, despite being vaccinated. I imagine this will
> become a larger problem.
>
> I have a report I'm willing to share, but I'd first like to know if
> there's any interest in standardization on this front at the IETF despite
> this topic being, I suspect, a bit of a stretch of our remit. However, we
> live in interesting times.
>
> I don't think the W3C (or the ITU, etc.) has the security expertise, and
> while the crypto and security/privacy here is pretty simple, I think it
> should happen somewhere.
>
> While I originally polled it by CFRG IRTF to see if there was any interest
> whatsoever, Benjamin Kaduk pointed out SAAG and SECDISPATCH would be better
> places to start. I'd like to know what others think.
>
> yours,
> harry
>
> [1] https://arxiv.org/abs/2012.00136
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag