[Secdispatch] Interest COVID-19 'passport' standardization?

Harry Halpin <hhalpin@ibiblio.org> Fri, 30 July 2021 18:18 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/sZMR7q8YOpSU0_ouE0sA8JWMLdI>

Everyone [and apologies if you already got this message on CFRG or SAAG],

While the research community and industry were very quick to work on
privacy-enhanced contact tracing, I've seen very few people taking up the much
more pressing issue of COVID-19 passports.

If this IETF111 was in person, we could have done an informal BoF, but as
it's not, I'm sending out an email to gauge interest.

I've earlier seen some very badly done academic work using W3C "Verified
Credentials" and W3C Decentralized Identifier (DID) standards [1]. However,
while a bunch of sketchy blockchain technology has not been adopted (so
far, although I believe IATA and WHO are still being heavily lobbied in
this direction), there has been the release of the EU "Green" Digital
Credentials that actually uses digital signatures.

However, there's a number of problems:

* No revocation in case of compromise
* Privacy issues, i.e. leaking metadata
* Limited key management (booster shots might require)
* No use of standards for cross-app interoperability

Furthermore, there appear to be differences between countries, and some
countries do not use cryptography at all (the US). Therefore, as an
American in France who flew home ASAP to get vaccinated in the US, as a
consequence of this lack of interoperability I can't travel on trains or
eat at restaurants easily, despite being vaccinated. I imagine this will
become a larger problem.

I have a report I'm willing to share, but I'd first like to know if there's
any interest in standardization on this front at the IETF despite this
topic being, I suspect, a bit of a stretch of our remit. However, we live
in interesting times.

I don't think the W3C (or the ITU, etc.) has the security expertise, and
while the crypto and security/privacy here is pretty simple, I think it
should happen somewhere.

While I originally polled it by CFRG IRTF to see if there was any interest
whatsoever, Benjamin Kaduk pointed out SAAG and SECDISPATCH would be better
places to start. I'd like to know what others think.

          yours,
             harry

[1] https://arxiv.org/abs/2012.00136