corona-warn-app / cwa-wishlist

Central repository to collect community feature requests and improvements. The CWA development ends on May 31, 2023. You still can warn other users until April 30, 2023. More information:
https://coronawarn.app/en/faq/#ramp_down

Avoid that CWA (and other cooperative wallet apps) are used accidentally as validator surrogate #601

Closed jkrwdf closed 2 years ago

jkrwdf commented 3 years ago

Feature description

Problem and motivation

Once an EU COVID-19 CERTIFICATE has been scanned by CWA, the TEXT content of the QR code shown by CWA for validation is an exact literal replica of the TEXT content of the scanned QR code.

As such, it can be scanned not only by the intended validator apps (like CovPassCheck), but also by wallet apps like CWA (and CovPass) again, which then add it to their own wallet storage.

In my opinion, this bears the risk that people acting as validator personnel accidentally use CWA (or another wallet app) to scan presented certificates at venue entry locations and accept entry when the scan was successful.

This has two significant issues:

I suggest that CWA (and other wallet apps) shall block scanning back QR codes of certificates presented by CWA (and other wallet apps when they implement the same feature as suggested below).

This could be achieved by adding a tag to the "unprotected header" of the COSE data structure before it is rendered to the QR code on screen.

This tag can then be evaluated by CWA and other (cooperative) wallet apps like CovPass to block adding of this certificate instance to the own wallet (and display a message pointing to the correct app; CWA would point to CovPassCheck).

As the unprotected header section is not part of the digital signature, this operation does not require re-signing, the digital signature is not tainted, and wallet apps or validation apps not prepared for the new feature should continue to work without code change.


Internal Tracking-ID: EXPOSUREAPP-8997

heinezen commented 3 years ago

Hello everyone,

This feature was declined for the following reason: This would make the family certificates scans no longer usable. People should be able to share already scanned certificates with their family members.


Corona-Warn-App Open Source Team

jucktnich commented 3 years ago

@heinezen for this you could use the export certificate feature

chstdu commented 3 years ago

A compromise or first step would be to NOT totally block the import of an already imported certificate but to show a huge warning (maybe with a short waiting time) that you are about to import a certificate which is already stored / in use by someone else. Maybe mention legal consequences of misuse or other forms of nudging in this warning to prevent the use of the CWA as a check app.

jkrwdf commented 3 years ago

For convenience, I call the proposed bit in the unprotected area of the COSE structure "Do Not Import" (DNI).

The described family business is of course still possible by scanning the original PDF from the vaccination location or pharmacy.

Also the QR codes created by CWA or CovPass in the detail area of a certificate shall not contain DNI.

Only the QR in the initial certificate section, intended for presentation to checkers, shall have DNI.

I am aware that this proposal is a huge thing. Introducing DNI in the EU DCC needs to be aligned with all member states, because even if the proposal is technically feasible, implementors may have chosen to interpret "unprotected section" differently and may produce check errors. There are some reasons why it could be declined. The presented one however is IMHO not one of them.
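As an added example (not code from CWA, CovPass or the DCC spec), this Python sketch shows the COSE_Sign1 mechanics behind the proposal in the opening post and the "Do Not Import" (DNI) comment above: the signature covers only the protected header and payload, so a DNI marker placed in the unprotected header of the presentation QR leaves verification intact while a cooperating wallet can refuse the import. Assumptions: HMAC stands in for the issuer's real ECDSA signature, the DNI label -65537 is hypothetical (COSE private-use range), and the certificate claims are constructed.

```python
import hashlib
import hmac

def _head(major, n):                         # CBOR initial byte plus argument (RFC 8949)
    if n < 24:
        return bytes([major << 5 | n])
    if n < 0x100:
        return bytes([major << 5 | 24, n])
    if n < 0x10000:
        return bytes([major << 5 | 25]) + n.to_bytes(2, "big")
    return bytes([major << 5 | 26]) + n.to_bytes(4, "big")

def cbor(v):                                 # minimal encoder so the example needs no cbor2
    if v is True or v is False:
        return bytes([0xF5 if v else 0xF4])
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        return _head(3, len(v.encode())) + v.encode()
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(cbor(x) for x in v)
    return _head(5, len(v)) + b"".join(cbor(k) + cbor(x) for k, x in v.items())  # dict
ISSUER_KEY = b"constructed-demo-key"         # stand-in for the issuer's private key (HMAC, not ECDSA)
DNI_LABEL = -65537                           # hypothetical "Do Not Import" label in COSE private-use range
HCERT = {1: "DE", 4: 1735689600, -260: {1: {"ver": "1.3.0", "nam": {"fn": "Mustermann"}}}}  # constructed

def sign1(claims):
    # Issuer side: COSE_Sign1 = [protected, unprotected, payload, signature]; alg 5 (HMAC 256/256) stands in for ES256
    protected, payload = cbor({1: 5, 4: b"demo-kid"}), cbor(claims)
    sig_structure = cbor(["Signature1", protected, b"", payload])  # RFC 8152 Sig_structure: no unprotected header in it
    return [protected, {}, payload, hmac.new(ISSUER_KEY, sig_structure, hashlib.sha256).digest()]

def verify(msg):
    # Validator side: recomputes over protected header and payload only, so unprotected edits cannot break it
    protected, _unprotected, payload, sig = msg
    expected = hmac.new(ISSUER_KEY, cbor(["Signature1", protected, b"", payload]), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def mark_do_not_import(msg):
    # Wallet side: set DNI in the unprotected header of the presentation QR only; detail/export QR keeps the original
    protected, unprotected, payload, sig = msg
    return [protected, {**unprotected, DNI_LABEL: True}, payload, sig]

def wallet_accepts(msg):
    # Cooperating wallet: refuse to import a certificate carrying DNI (a real app would point to CovPassCheck instead)
    return not msg[1].get(DNI_LABEL, False)
def encode(msg):
    return _head(6, 18) + cbor(msg)          # tag 18 COSE_Sign1; zlib + base45 QR wrapping omitted
```

The marked and unmarked encodings differ on the wire, yet carry byte-identical signatures, which is the point the proposal relies on: no re-signing and no change for validators that ignore unknown unprotected labels.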

Ein-Tim commented 2 years ago

FYI: There is a related discussion in https://github.com/ehn-dcc-development/hcert-spec/issues/107 now.

Ein-Tim commented 2 years ago

@mlenkeit Should this issue be re-evaluated it would make sense to reopen it (-:

Thanks for your work & clear communication with the community!

mlenkeit commented 2 years ago

@Ein-Tim I agree, we should re-evaluate this.

@ all: please note that re-opening this issue is not any kind of commitment or promise that the proposed functionality will be implemented 😉

Ein-Tim commented 2 years ago

I guess the easiest way to stop users from using CWA as a check app is to implement a pop up which asks for the date of birth from the user before importing the certificate, with a text like:

"This certificate will be added to your app. Please enter the date of birth of the person the certificate belongs to. The certificate is not checked for validity in the Corona-Warn-App."

jkrwdf commented 2 years ago

Hi @Ein-Tim

My goal with this issue was to avoid accidental use (simply by not knowing that there is something like CovPassCheck). This goal can be achieved without the additional need to let the user enter some data from the DCC.

A dialogue like the one I proposed based on the idea of @chstdu for CovPass (as the current issue for CWA was closed/declined, I tried again for my second dearest wallet app) in https://github.com/Digitaler-Impfnachweis/covpass-android/issues/103#issuecomment-968066084 would do this task.

I fear that a query approach with data input causes too much friction for some classes of users, while on the other hand it does not increase the level of security against fraudulent people.

They can use CovPassCheck to get the birth date of the person standing before them in the queue at the cinema, and even if the suggestion is then updated to let the user enter some even more hidden data like parts of the certificate UUID, the scammer then also updates to a generic DCC reader to extract whatever we ask from the JSON.

Best, J

PS: Thanks for making me aware of https://github.com/ehn-dcc-development/hcert-spec/issues/107

jkrwdf commented 2 years ago

Just found in https://github.com/ehn-dcc-development/hcert-spec/issues/107#issuecomment-988913065:

https://www.ksta.de/koeln/datenspeicherung-koelner-gastwirt-warnt-vor-corona-warn-app-bei-2g-kontrollen-39197126

Money quote:

He said he had often heard from security staff: "That is really annoying, I constantly have to delete all these QR codes from the guests from my smartphone!"

chstdu commented 2 years ago

More and more newspapers are reporting on this case:

https://www1.wdr.de/nachrichten/rheinland/barbesitzer-deckt-sicherheitsluecke-corona-warn-app-auf-100.html

Telekom says it is not their fault, although this issue #601 proposing the "Do Not Import" bit has existed for months! We should write letters to the editor!

chstdu commented 2 years ago

Now even heise.de is reporting about the WDR article: https://heise.de/-6289943

Unfortunately, this issue #601 is again not mentioned as a simple solution. However, there are already many comments in the discussion section. Someone should mention this issue there!

dsarkar commented 2 years ago

Dear Community, thanks for the discussion. We will forward this internally.

Ein-Tim commented 2 years ago

FYI: https://github.com/corona-warn-app/cwa-app-android/pull/4502#issuecomment-990303506 says:

this [= a "Do Not Import" flag in the QR code to prevent accidentally importing certificates again] is also coming soon, wait for it.

cc @jucktnich & @vaubaehn

Ein-Tim commented 2 years ago

This issue is obsolete IMO, the app now shows a warning that it can't be used to verify certificates & refers to the CovPassCheck-App.

Here is a screenshot of the warning:

Please close this issue.

jkrwdf commented 2 years ago

The goal of this issue was to put a bit into the unprotected area of the EU DCC (so it does not break the signature) and to foster an EU-wide implementation of this bit in all wallet apps to achieve a holistic solution.

However, I agree that this was maybe too much wool-gathering and the popup as mitigation is good enough (which, by the way, we did not get because of a GitHub issue, but because of the Cologne innkeeper using CWA to validate his guests....).

And as https://github.com/ehn-dcc-development/eu-dcc-hcert-spec/issues/107 has meanwhile also been closed, I am d'accord.