corona-warn-app / cwa-documentation

Project overview, general documentation, and white papers. The CWA development ends on May 31, 2023. You still can warn other users until April 30, 2023. More information:
https://coronawarn.app/en/faq/#ramp_down
Apache License 2.0

PDF Export-All Allows Country Check Circumvention #913

Closed thgoebel closed 1 year ago

thgoebel commented 1 year ago

Your Question

What is the reasoning behind not filtering foreign certificates in the "export all" feature?

Right now (CWA version 2.24, 2.25), I can simply import a single foreign DCC, click export all, and I get a nice 1-page PDF of my foreign DCC with a German look around it. Why prevent this in the individual export, but not in the bulk export?

What is more: the individual export (on Android) is hidden in the certificate details, behind the overflow menu. From the certificate landing page, this requires 4 taps and 1 scroll. The export-all on the other hand is on the certificate landing page and is clearly visible through its icon. 1 tap away. Thus it is much more exposed to the user.

Why this difference? What are the two different threat models that you applied here?

Ein-Tim commented 1 year ago

See also https://github.com/corona-warn-app/cwa-website/issues/2958#issuecomment-1161932229 & following comments.

thgoebel commented 1 year ago

I'm interested because as far as I understand the original intention was to limit abuse. I.e. make it harder to disguise a foreign cert as a German cert. For example, Switzerland introduced a similar limitation to only transform Swiss-issued DCCs to "light certificates" and PDFs after media reports of mal-issued German certs. Hence I was surprised to see that this is by design according to the FAQ.

After all, DCCs are an official document. As a comparison: you don't want to make it trivial to create a German-signed Personalausweis with the 🇨🇭 on it, nor a Swiss-signed Personalausweis with the Bundesadler.

So did the German threat model change? Is abuse only an issue for individual exports? Or is abuse not an issue at all anymore (and the individual export is just lagging behind and will be allowed for certs of all nations in a future version)?

mlenkeit commented 1 year ago

@thgoebel the main reason for restricting the original export to DCCs issued by Germany was simply that there were legal concerns as to what template to use for DCCs issued by other countries, as there is no standardized template across countries.

In the meantime, these concerns have been dismissed. The batch export uses the DE template for DCCs issued by Germany and a similar generic template for DCCs issued by other countries.

There are ongoing discussions whether to enable the single export also for non-DE DCCs (see https://github.com/corona-warn-app/cwa-wishlist/issues/836).