Digitaler-Impfnachweis / covpass-ios

The official CovPass(-Check) iOS apps
https://digitaler-impfnachweis-app.de
Apache License 2.0

Adapt CovPass(Check) and the issuance portal to new COVID-19-Schutzmaßnahmen-Ausnahmenverordnung #97

Closed Ein-Tim closed 2 years ago

Ein-Tim commented 2 years ago

This is an informational issue.

This issue affects iOS, Android & the issuance portal.


Verordnung zur Änderung der COVID-19-Schutzmaßnahmen-Ausnahmenverordnung und der Coronavirus-Einreiseverordnung from 14. January 2022 made changes to the Verordnung zur Regelung von Erleichterungen und Ausnahmen von Schutzmaßnahmen zur Verhinderung der Verbreitung von COVID-19 (COVID-19-Schutzmaßnahmen-Ausnahmenverordnung - SchAusnahmV). The changes came into effect on 15.01.2022.

The changes can be found in an easy & understandable way here: https://www.bundesgesundheitsministerium.de/service/gesetze-und-verordnungen/vo-aend-covid-19-schausnahmv-und-coronavirus-einreisev.

I don't feel qualified enough to make statements about what this means for CovPass, CovPassCheck and the issuance portal (e.g. if this means that one shot after J&J is no longer a booster), but what's sure is that the recovery status will only last for 3 months now, see also https://www.welt.de/vermischtes/article236274326/Corona-RKI-verkuerzt-Genesenenstatus-auf-drei-Monate.html.

timokoenig commented 2 years ago

There might be some display adjustments needed for CovPass but not for CovPassCheck. Both apps would need to have an updated EU ruleset for the new requirements. I do not think there are adjustments needed for the issuance portal but I cannot confirm that.

timokoenig commented 2 years ago

I think the most important thing to update is the ruleset because this does not reflect the real world anymore

Ein-Tim commented 2 years ago

@timokoenig

> I do not think there are adjustments needed for the issuance portal but I can not confirm that

I do think so, as in recovery certificates the value "Gültig bis:" is hardcoded and at the moment always 6 months, but it should be 3.

timokoenig commented 2 years ago

I would rather vote to remove that field because it is not being used in any of the validation rules. The validation system will dynamically calculate the valid until date based on the first positive test result. Currently this date is only being shown in CovPass and because every country has their own recovery rules this field is obsolete. @molk-ibm this might be something to discuss with the other EU countries.

With a static date in the certificate we run into several problems. For example, what happens now with all old certificates that have the six months in them?

Ein-Tim commented 2 years ago

@timokoenig

See also https://github.com/corona-warn-app/cwa-documentation/issues/807#issuecomment-1013931145 from @MikeMcC399, who raises the same valid point as you: What about the old certificates?

timokoenig commented 2 years ago

That's good 👍

In my opinion we can ignore that field like we already do in CovPass. The valid until date can be calculated dynamically and then displayed. No big change in case of the business rules (except the rules themselves) because they do not use the field for any checks.

Ein-Tim commented 2 years ago

@molk-ibm Is there an ETA for updated rules for CovPassCheck, which rejects recovery certificates older than 3 months?

alexcimander commented 2 years ago

Hey everyone!

Within the CovPass the field "gültig bis" only serves as information about the validity regarding the EU Rules. The certificate can still be stored after it "expired" from an EU Rules point of view. However, if it is technically expired (normally 365 days) it will be greyed out.

Problem with the new rule is that we cannot override certificate values without invalidating them (signature will be broken). This is why the only possibility is to adjust the business rules (for CovPassCheck and CovPass check validity feature).

Within the CovPass we simply could remove the info or we could adjust it by calculating a new date based on the one stored on the cert.

Ein-Tim commented 2 years ago

@alexcimander

I definitely recommend you add some hint to CovPass, so that users know why their certificates are rejected.

timokoenig commented 2 years ago

@alexcimander the field I was talking about is not the date for the technical expiration. Please let us not mix this up here.

> Problem with the new rule is that we cannot override certificate values without invalidating them (signature will be broken).

There is no problem because those fields are not being used, therefore no need to override them.

MikeMcC399 commented 2 years ago

If other countries participating in the EU Digital COVID Certificate travel scheme allow Certificates of Recovery to be used to travel to that destination country, which is not Germany, using the 180-day-rule, will new Certificates of Recovery issued in Germany still set the r/du: Certificate valid until as 180 days after r/fr: Date of the holder’s first positive NAAT test result? If not, then residents of Germany could be put at a disadvantage for travel in Europe. (See https://ec.europa.eu/health/publications/json-schema-eu-digital-covid-certificates_en for field definitions.)

It seems that the certificates should not be changed, and any change in the German regulations should only be implemented through new business rules applied only in Germany.
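Added example, not part of the thread and not CovPass code: it shows why the change has to land in the business rules rather than in issued certificates, by evaluating one unmodified recovery entry under a 180-day and a 90-day rule and then trying an edited `r/du`. Assumptions: HMAC with a constructed key stands in for the issuer's signature, the rule is reduced to a maximum age in days counted from `r/fr`, and the certificate values are constructed.

```python
import hashlib
import hmac
import json
from datetime import date, timedelta

# Constructed key. A real DCC is signed by the issuer with an asymmetric
# key; HMAC stands in here only so the example runs with the standard library.
ISSUER_KEY = b"constructed-demo-key"

def sign(payload: dict) -> str:
    """Stand-in signature over a canonical encoding of the payload."""
    canonical = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, canonical, hashlib.sha256).hexdigest()

def signature_ok(payload: dict, signature: str) -> bool:
    return hmac.compare_digest(sign(payload), signature)

def recovery_valid_until(payload: dict, max_days: int) -> date:
    """Derive the end of validity from r/fr only; r/du is never read."""
    first_positive = date.fromisoformat(payload["r"][0]["fr"])
    return first_positive + timedelta(days=max_days)

def check(payload: dict, signature: str, max_days: int, today: date) -> str:
    """Verify the signature first, then apply the verifier's own rule."""
    if not signature_ok(payload, signature):
        return "signature-invalid"
    if today > recovery_valid_until(payload, max_days):
        return "rule-rejected"
    return "valid"

# Constructed recovery entry: r/du was printed as r/fr + 180 days at issuance.
CERT = {"r": [{"fr": "2021-11-01", "du": "2022-04-30"}]}
SIG = sign(CERT)

# Rewriting r/du inside the certificate changes the signed bytes.
EDITED = {"r": [{"fr": "2021-11-01", "du": "2022-01-30"}]}

if __name__ == "__main__":
    today = date(2022, 3, 1)
    print(check(CERT, SIG, 180, today))    # untouched cert, 180-day rule
    print(check(CERT, SIG, 90, today))     # same cert, 90-day rule
    print(check(EDITED, SIG, 90, today))   # edited cert fails verification
```

The same signed bytes pass or fail depending only on the rule the verifier applies, while any rewrite of the stored date is caught before a rule is evaluated.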

BengtHagemeister commented 2 years ago

The new regulation also changes the amount of shots needed for Johnson & Johnson Vaccines.

Here is the publication in "Bundesanzeiger": https://www.bundesanzeiger.de/pub/publication/yW2hBRkcEPpvCQIb8IT/content/yW2hBRkcEPpvCQIb8IT/BAnz%20AT%2014.01.2022%20V1.pdf?inline.

It is specified that the publication of the Paul-Ehrlich-Institut has to be followed (see also https://www.gesetze-im-internet.de/schausnahmv/BJNR612800021.html -> §2 3a).

For Johnson & Johnson it is specified that you're only fully vaccinated when you have 2 shots (https://www.pei.de/DE/newsroom/dossier/coronavirus/coronavirus-inhalt.html?nn=169730&cms_pos=3).

At the moment the app still accepts single shots.

Ein-Tim commented 2 years ago

It gets more complex: https://www.mdr.de/nachrichten/sachsen/corona-genesen-nachweis-ablauf-doppelt-geimpft-100.html:

"The three-month expiry period applies only to unvaccinated persons," the RKI clarified in response to an inquiry from MDR SACHSEN. "This is because persons who are double-vaccinated and recovered have better immune protection than unvaccinated recovered persons." Nevertheless, the Standing Committee on Vaccination (STIKO) also recommends the booster vaccination after three months for vaccinated recovered persons.

I think this is not what is written on https://www.rki.de/DE/Content/InfAZ/N/Neuartiges_Coronavirus/Genesenennachweis.html, or am I wrong?

timokoenig commented 2 years ago

Any news when the business rules will be updated? CovPassCheck still uses the old rules regarding the recovery period. (This is not coupled to the app update)

alexcimander commented 2 years ago

Hey everyone,

the rules are currently in preparation. We are expecting changes within this week. No release of a new app version will be required since the rules will be updated independently of the releases. However, the field "gültig bis" has been changed to "höchstens gültig bis". FAQs will be set up to clarify the current situation.

Thank you everyone for participating 👍

Dale81 commented 2 years ago

@alexcimander Great News! Will this also include a rule for J&J 1-dose vaccinations to identify them as not valid? Or is the update for the rules only for r-certificates?

Ein-Tim commented 2 years ago

@alexcimander

Could you let us know when the new rules are live, please?

Ein-Tim commented 2 years ago

@alexcimander

It seems like something stopped the change you talked about in https://github.com/Digitaler-Impfnachweis/covpass-ios/issues/97#issuecomment-1032259634, or? I don't see any change done to https://github.com/Digitaler-Impfnachweis/certification-apis/blob/master/templates/RecoveryCertificateTemplate_v4.1.svg.

Ein-Tim commented 2 years ago

@molk

I guess CovPassCheck will continue to show 1/1 J&J certificates as valid, or? See https://github.com/corona-warn-app/cwa-app-ccl/pull/14#issuecomment-1039051910.

Ein-Tim commented 2 years ago

@alexcimander

Do you have any update for us? These changes are urgent and have to be done soon.

oliver-steinbrecher commented 2 years ago

Domestic business rules haven't been updated so far. The process is running.

Ein-Tim commented 2 years ago

@oliver-steinbrecher Can you say something in regards to https://github.com/Digitaler-Impfnachweis/covpass-ios/issues/97#issuecomment-1039285346?

molk-ibm commented 2 years ago

as @oliver-steinbrecher said: the business rules have not been updated, yet.

Ein-Tim commented 2 years ago

Yeah I know, but the question was whether 1/1 will continue to stay valid even after the update or not (-:

oliver-steinbrecher commented 2 years ago

The upcoming release is going to differ between domestic and German European rules. So J&J 1/1 and its validity depend on the context.

Ein-Tim commented 2 years ago

@timokoenig

What would you say from the rules on your site? I don't see any invalidation rule for a 1/1 J&J certificate for the domestic rules, or am I mistaken?

timokoenig commented 2 years ago

@Ein-Tim the domestic rules for CovPass still consider 1/1 J&J as full immunization

BengtHagemeister commented 2 years ago

I think there are still some things that need to be changed by the legislator before this can be officially implemented.

https://www.fr.de/panorama/impfstatus-bleibt-vollstaendig-eine-dosis-johnson-johnson-reicht-jetzt-doch-gericht-entscheidet-zr-91359752.html

https://www.rnd.de/gesundheit/johnson-und-johnson-eine-dosis-reicht-fuer-vollstaendigen-impfstatus-gericht-hat-entschieden-F7CSUPQI6IX2J6E3EOE4HP5PAU.html

timokoenig commented 2 years ago

Thanks for the links 👍🏼

In both cases the main proceedings are still pending.

IMO until no final verdict is given, I would consider the official rules provided by RKI as single source of truth.

Ein-Tim commented 2 years ago

@BengtHagemeister

Yes, thanks for bringing this up. I guess it is necessary that the stakeholders give general advice on what to do in the case a ruling is considered invalid by a court.

Because in both cases you mention this only applies to this one case but not for everyone.

@timokoenig Thanks!

cc @molk-ibm

molk-ibm commented 2 years ago

> @Ein-Tim the domestic rules for CovPass still consider 1/1 J&J as full immunization

for the record: any app evaluating those rules will consider this (in other words: the CWA ;)

Ein-Tim commented 2 years ago

So, for the record: The entry rules for Germany have been updated to reflect that the recovery status is only valid for 90 days, see https://distribution.dcc-rules.de/rules/DE/71b10c1d78bcdd9e0f27afb6368a4a086d6d558616a1cd890765f6b1178d3325. However, it seems like the domestic rules were not updated.

So, still, leaving this issue open.

EDIT: Domestic rules are also updated now.

Ein-Tim commented 2 years ago

Update: 1/1 J&J certificate continues to be shown as valid in CovPassCheck.

Is this really intended? You always have to keep in mind: Venue owners can't use CovPassCheck because of this!

Dale81 commented 2 years ago

> Update: 1/1 J&J certificate continues to be shown as valid in CovPassCheck.
>
> Is this really intended? You always have to keep in mind: Venue owners can't use CovPassCheck because of this!

I guess it is still a "don't show too much personal information" approach. The best way would still be to get a result like:

"2G only valid in combination with proof of recovery"

But to evaluate this, you again need more info. PCR or Antibody Test date needs to be before the vaccination date. So to really evaluate this, you would need an input field where someone can input the test date and let the CovPassCheck App check against the (not visible) vaccination date.

And if the person does not have a test result, then you can assume it's 1/1 J&J and not 2G.

Ein-Tim commented 2 years ago

@alexcimander & @oliver-steinbrecher I urge you to better communicate how long recovery certificates are valid in the CovPass app. There are multiple bad reviews on the app store complaining that the CovPass app shows their certificate as valid but CovPassCheck rejects it.

timokoenig commented 2 years ago

I agree with @Ein-Tim. There are multiple options to improve this:

Ein-Tim commented 2 years ago

You can also do it like the CWA and remove the field which states how long the certificate is valid: https://github.com/corona-warn-app/cwa-documentation/issues/807#issuecomment-1066153800

timokoenig commented 2 years ago

I'm not sure if this would solve the issue. People would still think that the recovery certificate is valid for 180 days but the CheckApp only accepts certificates with 90 days

Ein-Tim commented 2 years ago

It is better than nothing but I agree with you @timokoenig

Ein-Tim commented 2 years ago

The problem that the validity of recovery certificates is not very well communicated should be handled in a new issue. Closing this one now.