eu-digital-green-certificates / dgca-validation-service

Validation service can validate EU Digital COVID Certificates for travel and booking services using business rules from dgca-businessrule-service and certificates from dgca-verifier-service.
Apache License 2.0

Revoking Leaked Certificates #76

Open m33x opened 2 years ago

m33x commented 2 years ago

Revoking Leaked Certificates

I know that this is very likely the wrong place to ask, but my government is not responding to my question.

I have collected a list of 20-30ish valid certificates, simply by using the Google image search. Is there any way to report them so that they can be invalidated? I have not found any information online.

Read more: https://twitter.com/m33x/status/1456625655194456066 https://twitter.com/m33x/status/1460168026125393920

Thanks for a quick reply, and sorry for the SPAM!

Best, Maximilian

daniel-eder commented 2 years ago

@mkubicek-dtc can you help forward this information?

gstsec commented 2 years ago

The original poster refers to completely legit and valid DCCs which have been published online by their owners. This is not a security issue of the EU DGCG nor the national verifier apps nor of the verification system as a whole. The verification process of a DCC must always include the validation of the subject's identity through e.g. national ID documents. This is an integral part of the verification process. Publishing a DCC does reveal PII of the person it was issued for; however it does not constitute a security issue. We are not aware of any national administrations having legit DCCs revoked solely for the fact that their owners published them online.