ehn-dcc-development / eu-dcc-hcert-spec

Electronic Health Certificates Specification

Alternative approach to use of QR codes #100

Closed hallambaker closed 2 years ago

hallambaker commented 2 years ago

A large amount of the mechanism proposed appears to be motivated by the desire to compress the certificate itself to fit in a QR code.

While this allows for offline verification of the certificate, this constraint introduces a substantial restriction on the data presented. It is not possible to incorporate a picture of the subject, etc. etc.

An alternative approach is to use a QR code to link to data on a remote site. While such an approach would have been wildly impractical in 2000, network provision is now sufficiently ubiquitous to make it practical. If the Internet is down, most airports will be down and down hard in any case.

The other objection to this approach is that Web servers containing health credential data in plaintext would be a major privacy concern violating HIPAA, GDPR, etc. etc. Fortunately, a QR code can be used to express both a locator and a decryption key as described in the Mesh UDF-EARL approach:

https://www.ietf.org/archive/id/draft-hallambaker-mesh-udf-12.html

In this scheme, the QR code still serves as a bearer token permitting access to the data but the data itself is no longer constrained in size. This provides for a much wider range of authentication approaches with different privacy properties.

For example, Alice gets her COVID shot and CDC certificate with her name and dates of vaccinations, her passport and driving license. She visits a credential issuance authority which provides her with multiple accreditations for use in different circumstances:

1) Vaccination information + Photograph of Alice
2) Vaccination information + Driving license number
3) Vaccination information + Passport number + country of issue

Alice can use the first credential to gain access to a store or other public space without disclosing her name, date of birth or other information. She can use the second for circumstances such as access to a place of employment where a stronger identity assertion is required. She can use the third for international travel.

Having relaxed the size constraint, it would be rather more appropriate to build on top of SAML which was originally based on TAXI which was designed for this exact purpose.
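The locator-plus-key pattern described in this comment, as an added illustration that is not code from the draft or from this repository: the QR payload is a random secret, the storage locator is a hash derived from it, and the remote site holds only ciphertext, so it can serve the record without being able to read it. The key derivation, the HMAC-based cipher and the in-memory store are assumptions chosen so the block runs on the Python standard library alone; a deployment would follow the draft's UDF encoding and a standard AEAD.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the remote site: it only ever sees locator -> ciphertext.
SERVER_STORE = {}

def derive(secret: bytes, label: bytes) -> bytes:
    """Derive an independent sub-key from the QR secret (HMAC used as a KDF)."""
    return hmac.new(secret, label, hashlib.sha256).digest()

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; stands in for a real AEAD cipher."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def encrypt(secret: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under separate keys derived from the QR secret."""
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plaintext, keystream(derive(secret, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(derive(secret, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def decrypt(secret: bytes, blob: bytes) -> bytes:
    """Reject any blob whose tag does not verify before touching the body."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(derive(secret, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext rejected: tag mismatch")
    return bytes(c ^ k for c, k in zip(body, keystream(derive(secret, b"enc"), nonce, len(body))))

def locator(secret: bytes) -> str:
    """The storage locator is a one-way derivation, so knowing it reveals nothing about the key."""
    return derive(secret, b"loc").hex()

def issue(credential: dict) -> str:
    """Issuer side: store the encrypted credential, hand the secret to the holder as the QR payload."""
    secret = secrets.token_bytes(32)
    SERVER_STORE[locator(secret)] = encrypt(secret, json.dumps(credential).encode())
    return secret.hex()

def verify(qr_payload: str) -> dict:
    """Verifier side: look up the record by locator, decrypt with the key carried in the QR code."""
    secret = bytes.fromhex(qr_payload)
    return json.loads(decrypt(secret, SERVER_STORE[locator(secret)]))
```

Note that every verification still sends the locator to the server, so the server learns when and how often a given record is checked even though it cannot read it; that online-lookup property is what the replies below object to.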

dirkx commented 2 years ago

While this is technically a sound approach - it would allow for the observation of citizens moving around; as the lookups would be online. It was essentially a requirement that citizens and scanners were to be fully offline. And that even the issuing entity would not be privy to the whereabouts of their citizens.

Secondly - as with the TEKs and RPIs in the CoronaTracker - the European Privacy Board is very clear that the type of QR that you describe (that uniquely identifies a record) is itself a piece of PII. So this type of use in itself runs afoul of that GDPR interpretation.

Thirdly - as the traveler is required to have a passport or similar when crossing the border - there is no need for anything more than just the name and DoB; adding more information (like a photo, driving license or passport number) is neither needed nor proportional. And therefore prohibited.

Lastly - for domestic use - an even more limited approach can be taken - e.g. The Netherlands uses Idemix & selective disclosure to ensure that even between scans there is nothing that can uniquely track the user.

0ki commented 2 years ago

@dirkx is absolutely right.

Additionally @hallambaker, could I get a source for "If the Internet is down, most airports will be down and down hard in any case."

Certificates are used on green borders with no internet access as well, by the way.