Open juanfranblanco opened 4 years ago
Note a zk proof would not work here as the validator needs to check that the phone has not been swapped (photo human proof), that the signer is the owner of the certificate (this could be a proof), but also the test centre, batch or certificate has expired.
Certificate data is attached to an account, meaning that if the same company creating the front end application to validate the data might "call home" and start storing the data.
A simple solution for this would be at the time of challenge the validator application can sign the challenge to enable the user check if is the right application with the right permission.
The permission will be only the following:
No storage, sharing, computing or transmission of public certificates and related data under any circumstances apart from the internal validation of the certificate as per program.
Ethereum computation will be only using a node which won't log, trace or store the location and query calls for verification.
In the case of entering a building / organisation etc, current entry logs will remain in place.