Closed ghost closed 3 years ago
darioackermann
commented
3 years ago The only possibility I see here is that the verifying party needs to set their Location manually. IP based / GPS based is prone to falsification (GPS-Spoofing / VPN) - if it's a topic at all. Maybe it is not wise to link certificate and location data at all.
ghost
commented
3 years ago So you really want to refuse a mechanism to avoid abuse/missuse? By example a person can sell his cloned cert/phone/etc... and another travel with that and there is no way to detect this? Sorry but if you want something secure than you need to pay attentiom to such stuff. A little bit frustrating when the people who develop a system which should be secure refuse to improve security.
romanf
commented
3 years ago I think name and date of birtgh are part of the cert, right? (Where can I find eht spec of what's in it?) and the verifying party need to verify this agains an official document (passport, ID, ...). At least that's how I understand it.
(Edit: Found the specs: https://github.com/admin-ch/CovidCertificate-Examples )
darioackermann
commented
3 years ago So you really want to refuse a mechanism to avoid abuse/missuse? By example a person can sell his cloned cert/phone/etc... and another travel with that and there is no way to detect this? Sorry but if you want something secure than you need to pay attentiom to such stuff. A little bit frustrating when the people who develop a system which should be secure refuse to improve security.
I agree, but the certificate will have, as far as I know, personal details such as name and birthdate etc. When verifying a certificate, a proof of identity would be required as well, so somebody cloning/copying a certificate in whatever mean possible would also have to commit falsification(s) of document
darioackermann
commented
3 years ago I think name and date of birtgh are part of the cert, right? (Where can I find eht spec of what's in it?) and the verifying party need to verify this agains an official document (passport, ID, ...). At least that's how I understand it.
Data included in the EU Digital COVID Certificate: https://ec.europa.eu/info/live-work-travel-eu/coronavirus-response/safe-covid-19-vaccines-europeans/eu-digital-covid-certificate_en#what-data-does-the-certificate-include-is-the-data-safe
How do you handle requests from a person in a short time from diffrent locations. By example: Max Muster shows his phone at the airport in Zürich, 5 minutes later there is a request from Moskau airport also from Max Muster. This should not be possibel and there needs to be a way to weed out this kind of abuse.