Re: [urn] Request for a Namespace Registration for Unique (Vaccination) Certificate Identifier (Updated)
Dirk-Willem van Gulik <dirkx@webweaving.org> Wed, 11 August 2021 11:34 UTC
Return-Path: <dirkx@webweaving.org>
X-Original-To: urn@ietfa.amsl.com
Delivered-To: urn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9EE003A121A for <urn@ietfa.amsl.com>; Wed, 11 Aug 2021 04:34:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DboWy5y2ozWy for <urn@ietfa.amsl.com>; Wed, 11 Aug 2021 04:34:03 -0700 (PDT)
Received: from weser.webweaving.org (weser.webweaving.org [148.251.234.232]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72E9F3A1219 for <urn@ietf.org>; Wed, 11 Aug 2021 04:34:02 -0700 (PDT)
Received: from smtpclient.apple (94-210-134-94.cable.dynamic.v4.ziggo.nl [94.210.134.94]) (authenticated bits=0) by weser.webweaving.org (8.16.1/8.16.1) with ESMTPSA id 17BBWetV081656 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 11 Aug 2021 13:32:40 +0200 (CEST) (envelope-from dirkx@webweaving.org)
X-Authentication-Warning: weser.webweaving.org: Host 94-210-134-94.cable.dynamic.v4.ziggo.nl [94.210.134.94] claimed to be smtpclient.apple
From: Dirk-Willem van Gulik <dirkx@webweaving.org>
Message-Id: <B86A6A56-FE00-41FC-97BD-BDC5AB2B6F36@webweaving.org>
Content-Type: multipart/alternative; boundary="Apple-Mail=_C5810C30-ECDA-43DD-A9F1-5657BB429301"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.100.0.2.22\))
Date: Wed, 11 Aug 2021 13:32:37 +0200
In-Reply-To: <3053F7E9-7C6A-4AAB-AC87-63DC1D6A58D7@webweaving.org>
Cc: the eHEALTH-NETWORK Secretariat <eHEALTH-NETWORK@ec.europa.eu>
To: urn@ietf.org
References: <3053F7E9-7C6A-4AAB-AC87-63DC1D6A58D7@webweaving.org>
X-Mailer: Apple Mail (2.3654.100.0.2.22)
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.6.2 (weser.webweaving.org [148.251.234.232]); Wed, 11 Aug 2021 13:32:41 +0200 (CEST)
Archived-At: <https://mailarchive.ietf.org/arch/msg/urn/Cd_iKG58BZQZAmTHvmcHovaVWJ8>
Subject: Re: [urn] Request for a Namespace Registration for Unique (Vaccination) Certificate Identifier (Updated)
X-BeenThere: urn@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Revisions to URN RFCs <urn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/urn>, <mailto:urn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/urn/>
List-Post: <mailto:urn@ietf.org>
List-Help: <mailto:urn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/urn>, <mailto:urn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Aug 2021 11:34:08 -0000
L.S., Updated registration request below; with comments and suggestions received sofar all included. With kind regards, Dw. Namespace Registration for Unique (Vaccination) Certificate Identifier Namespace ID: UVCI (requested of IANA, case insensitive) Version: 01 Date: 2021-08-11 Registrant: eHealth Network Post address: The eHealth Network, eHealth Network Secretariat p/a: Directorate-General for Health and Food Safety European Commission 1049 Bruxelles/Brussels Belgium eMail: eHEALTH-NETWORK(at)ec(dot)europa(dot)eu Requesting entity is a network of national authorities responsible for eHealth established pursuant to Article 14 of Directive 2011/24/EU and the European Commission Implementing Decision 2019/1765. It essentially consists of the representatives of Ministries of Health or equivalent national Public Health Authorities of the EU and EEA Member States. Overview: In response to the COVID-19 Pandemic the public health authorities of the EU Member States collaborated on a single-purpose, cross-border, interoperable, digital health certificate specific to COVID-19[1]. This certificate takes the form of a paper or digital document, that may also be displayed in a mobile app. In its digital version[2] it is a QR code that contains Base45 encoded, Zlib compressed, digitally signed (COSE) structured block (CBOR) of medical and citizen identifying data. An out of band trust management mechanism provides the ECC public keys for (offline) signature validation and key revocation. Regulation 2021/953[4] prohibits the storage or retention of data following verification. The exchange of Personally Identifiable Information is not necessary for the purposes of the Regulation. However in certain cases (e.g. to prevent or detect fraud) it may still be essential to exchange lists of revoked certificates. For this reason the design[2] calls for a Unique (Vaccination) Certificate Identifier (UVCI) that uniquely identifies a, specific test, vaccination or recovery certificate assertion by the issuing authority. The format chosen for this UVCI is that of a Universal Resource name or URN that follows the best current practices (BCP: 66, RFC8141). The NID selected is ‘UVCI’. The NSS[3 annex 2] consists of a version and country/issuing entity prefix followed by an opaque unique string, an opaque unique string prefixed by a regional Issuing Entity or a triplet of entity, vaccination and again an opaque unique string. This latter format never saw any use - and may be dropped from future versions of the standard. When used in print it may be followed by a ‘#’ and a LUHN based checksum. To further ease of reliable manual entry the character set is limited to A-Z and 0-9, case insensitive. Elements are separated by a slash within the main block; and a colon for the version and country. It is up to each Member State to manage this space well and ensure that the URN as a whole stays unique. Some countries have opted for a single space for the whole country; others have delegated parts of the space to nations or regions within the member state; each with their own prefix or range. Examples are: urn:uvci:01:BG:UFR5PLGKU8WDSZK7#0 urn:uvci:01:PT:SPMS/TRC01234567890123456#1 URN:UVCI:01:PL:3/655052DD53A649E897FA10AC9C175654 URN:UvCI:01:NL:2WC7BASRIALG5FBUHLNNNX3A42#: URN:UVCI:01:GB:112739138279141HSFJYRDT#R The syntax of the NSS (i.e. the string past the URN prefix and NID, ‘urn:uvci:’) is defined in [3]; and can be paraphrased as: VERSION ':' COUNTRY ':' C_NSS [ '#' LUHN ] With: VERSION version number. Currently set to the string '01'. COUNTRY Issuing entity, in general a country. The ISO3166-1 character code must be used. Other codes (3 characters, and longer, e.g. 'UNHCR' or 'WHO' are reserved for future use)) C_NSS Country specific/managed/delegated NNS LUHN OPTIONAL checksum for print. The country specific NSS, C_NSS is one of the following 3 formats: 1) ALPHANUMSTR 2) ISSUER '/' ALPHANUMSTR 3) ISSUER '/' VACCINE '/' ALPHANUMSTR With: ALPHANUMSTR A string consisting of A-Z, 0-9 (case insensitive). ISSUER An ALPHANUMSTR that denotes an issuer specific to the Country. VACCINE An ALPHANUMSTR that denotes a vaccine or similar sub grouping. None of these strings can be empty. All are case insensitive (as they may be entered from a printed document). Appendix 1 contains a ABNF of above. Exceptions and Legacy: At this time there are two known deviations. Firstly - there are two suffixes in use; the original UVCI and a newer UCI. The reason for this was that during the design and first roll-outs the pandemic evolved; and it became clear that not just vaccination certificates would be issued - but also test and recovery certificates. So some countries started to use the more generic UCI. However - UCI is already in use (RFC4179). So this newer UCI will need to be phased out; with UVCI remaining (only 1 or 2 countries appear to use this). Secondly - a few countries have issued abbreviated UVCIs; which lack the URN:UVCI prefix. An example of this is: "01/LU/2O1I84U8U12I5#UK". Rules for Lexical Equivalence: The URN should be compared case-insensitive in its entirety; from (and including the ‘URN:’ up and until, but not including the optional ‘#’ and optional checksum. The optional checksum is not part of the URN (or its comparison). It is however recommended when the URN is printed. If the context allows for it - the removal of the 'urn:uvci' from the printed (and human entered) string is allowed. And should be restored prior to digital handling, comparisons and transmission (e.g. in a QR code). Assignment: Assignment of the URNs is delegated to each of the member states; who may delegate this within their state - e.g. to a regional health authority or to a nation within their state. The Secretariat of the eHealth Network maintains a list of contacts for each State. Each Member State is responsible for managing this space well and keeping the entries overall unique (some States may have multiple ISO3166-1 entries; these, and the version number, are considered an integral part of the identifier, also for uniqueness purposes). Security and Privacy: This URN is classified as a piece of Personally Identifiable Information (it references a medical 'fact' about a person; about the traveler) and, for this reason subject to the regulation[4] and national law. Interoperability: The UVCI is a unique and persistent identifier. An UVCI, once it has been assigned, must never be reused. There are no characters in UVCI which would require percent-encoding. Persistence of the resources: The UVCI pertains to an set of (historic, mostly medical) assertions, e.g. this person had 2 shots of Vaccine X or a Test by manufacturer Y on a certain date and under the governance of a certain body[1,2]. It is NOT a persistent identifier of a persons entire vaccination record or the citizens medical record. Instead it is a unique identifier for the data contained in the record; and the link to the provenance of that data as under the governance of the issuer. These records are subject to national legislation and regulation. Persistence of the identifier: The UVCI as an identifier is persistent in the sense that once assigned, an UVCI will never be reassigned. Resolution: For URN resolution purposes, all elements up to, but not including the '#' and checksum must be taken into account. Persistence of the remote/public resolvers: At this time there are no remote or public resolvers -- the cross border continuity of care scenario referenced in below documents has not been implemented at this time. No time line (or a decision) to implement such has been taken. Documentation/References: 1: COMMISSION IMPLEMENTING DECISION (EU) 2021/1073 of 28 June 2021 laying down technical specifications and rules for the implementation of the trust framework for the EU Digital COVID Certificate established by Regulation (EU) 2021/953 of the European Parliament and of the Council, <http://data.europa.eu/eli/reg/2021/953/oj> 2: eHealth Network, Guidelines on Technical Specifications for EU Digital COVID Certificates, Volumes 1-5, <https://ec.europa.eu/health/ehealth/key_documents_en> 3: eHealth Network Guidelines on verifiable vaccination certificates - basic interoperability elements, Release 2, 2021-03-12, <https://ec.europa.eu/health/ehealth/key_documents_en> 4: Regulation (EU) 2021/953 on a framework for the issuance, verification and acceptance of interoperable COVID-19 vaccination, test and recovery certificates (EU Digital COVID Certificate) to facilitate free movement during the COVID-19 pandemic, <https://eur-lex.europa.eu/eli/reg/2021/953/oj> Additional Information: See: https://ec.europa.eu/health/ehealth/key_documents_en Revision Information: 1.00 -- This registration is based on the 2021/1073 of 28 June 2021 implementing decision. (2021/07/20) 1.01 -- Add legacy/exception example (LU), several typos Fixed, URLs added (2021/07/28). 1.02 -- Fix version (of the URN, not this document), correct typo, clarify that UVCIs are for single assertions at a specific time; not tied to a state of a citizen. Appendix 1 - RFC5234 Augmented BNF of the URN This is a non-normative ABNF derived from [2,3]. The definitions for ALPHA and DIGIT are from RFC5234. The NID or NSS are conform RFC8141. URN = "URN" URN_SEP NID URN_SEP NSS NID = "UVCI"; note that an ABNF string is case _in_ sensitive. NSS = VERSION NSS_SEP COUNTRY NSS_SEP C_NSS [ CRC_SEP LUHN ] VERSION = 2*DIGIT ; only the value "01" is defined at this time. COUNTRY = 2*ALPHA [ *ALPHA ] ; only 2 char from ISO 3166-1 defined ; at this time. C_NSS = OPTION1 / OPTION2 / OPTION 3 OPTION1 = AZ09STR OPTION2 = ISSUER CNTRY_SEP AZ09STR OPTION3 = ISSUER CNTRY_SEP VACCINE CNTRY_SEP AZ09STR ; not observed ; in active use. URN_SEP = ":" NSS_SEP = ":" CNTRY_SEP = "/" CRC_SEP = "#" LUHN = 1*ALPHANUM ISSUER = AZ09STR VACCINE = AZ09STR AZ09STR = 1*AZ09 [ *AZ09 ]; non empty arbitrary len alpha numeric ; ascii string AZ09 = ALPHA / DIGIT Although commonly used software imposes a limit of around 2kByte on the length of a URI, implementers are advised to stay below the 60 characters for usability reasons (they may need to be routinely entered from a paper travel document by hand).
- [urn] Request for a Namespace Registration for Un… Dirk-Willem van Gulik
- Re: [urn] Request for a Namespace Registration fo… Hakala, Juha E
- Re: [urn] Request for a Namespace Registration fo… Dirk-Willem van Gulik
- Re: [urn] Request for a Namespace Registration fo… Peter Saint-Andre
- Re: [urn] Request for a Namespace Registration fo… Dirk-Willem van Gulik
- Re: [urn] Request for a Namespace Registration fo… Dirk-Willem van Gulik
- Re: [urn] Request for a Namespace Registration fo… Peter Saint-Andre
- Re: [urn] Request for a Namespace Registration fo… Ed Guy
- Re: [urn] Request for a Namespace Registration fo… Dirk-Willem van Gulik
- Re: [urn] Request for a Namespace Registration fo… Dirk-Willem van Gulik
- Re: [urn] Request for a Namespace Registration fo… Dirk-Willem van Gulik
- Re: [urn] Request for a Namespace Registration fo… Ted Hardie
- Re: [urn] Request for a Namespace Registration fo… Dale R. Worley
- Re: [urn] Request for a Namespace Registration fo… Dirk-Willem van Gulik