by gozmike on 6/1/21, 2:14 PM with 41 comments
by rocqua on 6/1/21, 2:42 PM
It's a pretty decent technical spec for signing statements like "This person has this age" or "this person is vaccinated" or "this person is authorized for this bank-account as executor of a will". It is a spec written by cryptographers and hackers.
At the same time, it is a spec being used by banks, governments, and health-care. That is, its not just a nice technical ivory tower idea, it is actually liked by people who would use it. Why do these organizations want to use this? Because, without cryptographic guarantees, your business processes involve a whole lot of bureaucracy, manual checking of data, implicit trust relations, and friction (so much friction).
That friction is part of why people would actually want to use it. Essentially, all you need to do to share required data is scan some QR codes. Another, maybe more important part, is control over your data. You determine who you show your VC. It is not needed for two organizations to have access to all of their shared data they need. They give the used the data, and the user hands it over, or he doesn't.
The general concept behind all of this is sometimes called SSI (Self Sovereign Identity).
by jefft255 on 6/1/21, 2:26 PM
by motohagiography on 6/1/21, 3:15 PM
The ethics and legality of vaccine passports are still very controversial, and using Quebec as a test ground for it seems like its part of an inevitable push, independent of popular assent to it. It's force, basically.
Using a JWT is sufficient for the purposes, and the vaccination status is basically a digital ID. This provides some mature and flexible structure to the token format, as opposed to say, a blockchain based one. The scanning app with the URI endpoints is going to be the interesting piece.
Having worked in the design of related concept, the main failure modes here are a compromise of the signing key which is probably in an azure HSM instance, or cached somewhere as just a k8s secret, mobile malware that steals or corrupts tokens, and then infrastructure ddos against that API endpoint during a holiday airline rush. There's also the question of how the code verification app works, as that's where the real vulnerabilites would be.
Given the amount of co-ordination required for a scheme like this to work, it is difficult to believe this is not being done in secret, and if so, why?
by gregsadetsky on 6/1/21, 3:44 PM
https://gist.github.com/remi/e3aa2f78845ee13f706ed83aead5145...
There's also an online version (that works on mobiles and desktops) and decodes everything on the client side:
by JoshMandel on 6/1/21, 7:14 PM
The SMART Health Cards Framework is designed to dovetail with SMART on FHIR APIs for consumer access (which all Electronic Health Record vendors in the US are on the hook to support over the next year).
by bjt2n3904 on 6/1/21, 3:34 PM