corona-warn-app / cwa-documentation

Project overview, general documentation, and white papers. The CWA development ends on May 31, 2023. You still can warn other users until April 30, 2023. More information:
https://coronawarn.app/en/faq/#ramp_down
Apache License 2.0

Documentation for DCC checks when booking tickets missing #782

Closed Ein-Tim closed 2 years ago

Ein-Tim commented 2 years ago

Where to find the issue

https://github.com/corona-warn-app/cwa-documentation

Describe the issue

E.g. https://github.com/corona-warn-app/cwa-documentation/blob/master/images/solution_architecture/high_level_architecture.svg does not mention the DCC checks when booking tickets.

Suggested change

Update the documentation so that interested users can take a look at how exactly the DCC ticketing is implemented in the CWA, which connections are made, etc.

Ping

@tklingbeil


Internal Tracking ID: EXPOSUREAPP-11229

dsarkar commented 2 years ago

Hi @Ein-Tim!

Some information can be found here:

https://www.coronawarn.app/de/faq/#val_service_basics

https://ec.europa.eu/health/sites/health/files/ehealth/docs/covid-certificate_traveller-onlinebooking_en.pdf (Chapter 3)

https://github.com/eu-digital-green-certificates/dgca-validation-service

Wish you a Merry Christmas!

Ein-Tim commented 2 years ago

Hey @dsarkar

Thanks for the links! I will read through them later on! Still, I think the CWA documentation should be updated to include some info on how exactly this is implemented, like https://github.com/corona-warn-app/cwa-documentation/blob/master/images/solution_architecture/high_level_architecture.svg was also updated to show the connection to the DCC issuing server.

Ein-Tim commented 2 years ago

To you and the whole CWA team I wish a merry Christmas, thanks for all of your work for more than a year now! ❤️ Enjoy the holidays!

alanrick commented 2 years ago

Thanks @Ein-Tim for creating the issue. It had generated discussion and suspicions in the Twitter Space.

In particular, can it be abused 😈 or does it offer value over and above the CWA goal 😇?

a) 😈 Can it be used by unscrupulous marketing agencies for harvesting real names and real dates of birth?

b) 😇 Does it offer a useful mechanism for online age-validation? I.e. the ticketer/web-site wants to perform age-verification and is not interested in vaccination status.

c) 🤔 What accreditation is performed on ticketing agencies integrating this validation? Or is it freely available?

d) 😇 Does the CWA inform the user of the data being validated? E.g. if the ticketing agency requests that the date-of-birth is validated, this should be reflected in the CWA UI as is done in the Ausweis2 App. The screenshot in the blog and CWA library doesn't make this clear.

This declaration in the FAQ/Docu is important, because the specs make it clear "that these specifications have no binding character".

alanrick commented 2 years ago

@Ein-Tim The "harvesting" link above shows the workflow. I've added it directly to this comment to save you hunting. Bullet c) was my question in Spaces a minute ago. Thank you for listening.

[Image: RealIDHarvestingWorkflow]

Ein-Tim commented 2 years ago

@alanrick

Thanks for the ping! Yes, exactly, through these steps the booking service knows that your name is genuine, but, as I said, the validation service does not directly transmit name and dob to the booking system.

Hope all your questions are clarified now? I suggest you open a new issue reg. the question: "Which businesses can connect to the validation service?"

MikeMcC399 commented 2 years ago

> I suggest you open a new issue reg. the question: "Which businesses can connect to the validation service?"

See also:

and

"Which customers are already using a DCC validation service?

Customers or providers will publish this information themselves, independently."

MikeMcC399 commented 2 years ago

@Ein-Tim

Although the CORONA-WARN-APP SOLUTION ARCHITECTURE document does not cover the validation service, which is what you requested in this issue, there is some information elsewhere.

DSFA for CWA

"Bericht zur Datenschutz-Folgenabschätzung für die Corona-Warn-App der Bundesrepublik Deutschland Öffentliche Version Version 1.20, 09.12.2021"

Section 5.5 Systemarchitecture, 5.5.12 Validierungsdienste on Seite 71 ff and 5.7.26 Online-Validierungsdaten Seite 132 may provide you with some information you are looking for.

Ein-Tim commented 2 years ago

@MikeMcC399

Thanks Mike, I'll take a look! Enjoy your weekend!

larswmh commented 2 years ago

Thanks for your report @Ein-Tim. Internal Tracking ID: EXPOSUREAPP-11229


Corona-Warn-App Open Source Team

Ein-Tim commented 2 years ago

Just for the record: The DCC ticketing feature was put on ice: https://github.com/corona-warn-app/cwa-website/issues/2218#issuecomment-1094809124

Ein-Tim commented 2 years ago

I don't expect any documentation for a feature that is not in use currently. Thus closing this issue.