Revocation of a green pass

[FedericoCozzi]

According to newspapers, if a person who was vaccinated gets infected, his green pass is revoked. Can verificac19 check a list of revoked green passes? How is this implemented with offline verification?

[oliversaggau]

I agree with keeping the "idiological" discussion out of here. You're right that this is something the ministry of health needs to figure out and supply this "database" (how ever this might look). But then again, this literally is the Github page of the ministry of health, so I can't think of a better place for this issue, so I disagree on the "WONTFIX" as long as this law is in place/until this section gets removed by the italian government.

[djechelon]

Or until the government waives the DGC/green pass rule, which should happen by Dec 31st 2021

Or could be renewed till..............................................................

[thatdc]

This issue didn't age very well, did it? Two private keys have been leaked, how will you handle this issue without a CRL?

[djechelon]

Keys have been already revoked. Today the alleged Mr. Hitler certificate is invalid.

This issue discusses revoking individual digital green passes, not the key used to issue them

[jumpjack]

Mickey Mouse and Hitler greenpass CANNOT be revoked, because the key used to sign them has been used for other millions of greenpass. This is what is being discussed in this thread since august.

[djechelon]

I was reading https://attivissimo.blogspot.com/

Yesterday, Hitler certificates were not recognized by my VerificaC19 (in the blog, you can see screenshot of failed check). Today, the post got an update. I can confirm all certificate listed in the blog work to me after VerificaC19 downloaded latest rules.

I'd also add that Rokotepassieu Ota Yhteyttä Wickr is recognized by my VerificaC19 instance, but Attivissimo claims that his own instance of VerificaC19 fails the check.

The situation is worse than expected.

[marcomarsala]

They could revoke individual certificates adding a rule in the app that denies these certificate unique IDs, or a general rule to refuse certificates with date of birth too past (so it’s sure that belongs to a dead person)

[resoli]

It seems that v1.1.6 implemented a blacklist mechanism or so. None of QR in https://github.com/denysvitali/covid-cert-analysis/blob/master/RESULTS.md is verified anymore.

[cifred98]

It seems that v1.1.6 implemented a blacklist mechanism or so. None of QR in https://github.com/denysvitali/covid-cert-analysis/blob/master/RESULTS.md is verified anymore.

It's a quick "dirty" fix using the certificate validation rules (https://get.dgc.gov.it/v1/dgc/settings). Only these 4 certificates have been blacklisted:

{
   "name":"black_list_uvci",
   "type":"black_list_uvci",
   "value":"URN:UVCI:01:FR:W7V2BE46QSBJ#L;URN:UVCI:01:FR:T5DWTJYS4ZR8#4;URN:UVCI:01DE/A80013335/TCXSI5Q08B0DIJGMIZJDF#T;URN:UVCI:01:PL:1/AF2AA5873FAF45DFA826B8A01237BDC4;"
}

[jumpjack]

It seems that v1.1.6 implemented a blacklist mechanism or so. None of QR in https://github.com/denysvitali/covid-cert-analysis/blob/master/RESULTS.md is verified anymore.

It's a quick "dirty" fix using the certificate validation rules (https://get.dgc.gov.it/v1/dgc/settings). Only these 4 certificates have been blacklisted:

{
   "name":"black_list_uvci",
   "type":"black_list_uvci",
   "value":"URN:UVCI:01:FR:W7V2BE46QSBJ#L;URN:UVCI:01:FR:T5DWTJYS4ZR8#4;URN:UVCI:01DE/A80013335/TCXSI5Q08B0DIJGMIZJDF#T;URN:UVCI:01:PL:1/AF2AA5873FAF45DFA826B8A01237BDC4;"
}

How can they just disable some certificates? This would invalidate some millions of valid DGCs!!

[resoli]

Thanks @cifred98

How can they just disable some certificates? This would invalidate some millions of valid DGCs!!

They are not not revoking the single x509 italian signing cert (DSC), only blacklisting the obviously fake DGC not emitted by MK. MK DSC was already removed in past days.

[TheNewHEROBRINEX]

Has the corresponding code already been published to GitHub? I can't find it

[resoli]

Has the corresponding code already been published to GitHub? I can't find it

Still not published I guess.

[jumpjack]

Thanks @cifred98

How can they just disable some certificates? This would invalidate some millions of valid DGCs!!

They are not not revoking the single x509 italian signing cert (DSC), only blacklisting the obviously fake DGC not emitted by MK. MK DSC was already removed in past days.

Ah ok, I thought they blacklisted KIDs coded in some weird fashion.... Instead now I see they are blackilisting by UVCI. But there are only 4 items in blacklist, while (at least) 9 fake DGCs: https://github.com/denysvitali/covid-cert-analysis/blob/master/RESULTS.md

UVCI specifications:

 "certificate_id": {
 "description": "Certificate Identifier, UVCI",
 "type": "string",
 "maxLength": 50,
 "unique": true
 }

Field name: "ci"

 "ci": {
 "description": "Unique Certificate Identifier: UVCI",
 "$ref": "https://ec.europa.eu/dgc/DGC.Core.Types.schema.json#/certificate_id"   // Link is dead, but schema is [here](https://ec.europa.eu/health/sites/default/files/ehealth/docs/digital-green-certificates_dt-specifications_en.pdf)
 }

v/ci Unique certificate identifier Unique certificate identifier (UVCI) as specified in the vaccinationproof_interoperability-guidelines_en.pdf (europa.eu) The inclusion of the checksum is optional. The prefix "URN:UVCI:" may be added. Exactly 1 (one) non-empty field MUST be provided.

Examples: "ci": "URN:UVCI:01:NL:187/37512422923" "ci": " URN:UVCI:01:AT:10807843F94AEE0EE5093FBC254BD813#B" Source: https://ec.europa.eu/health/sites/default/files/ehealth/docs/covid-certificate_json_specification_en.pdf

[FedericoCozzi]

It looks like a revocation mechanism is now in place, as explained above. Several Italian green passes have been revoked (blacklisted / blocked) I think this issue can now be closed?

[djechelon]

I think we are talking about a couple different things. One is revoking the pass of a single infected patient, one is revoking all fake passes generated from the same key

See also: https://www.mediasetplay.mediaset.it/video/leiene/martinelli-si-possono-avere-covid-e-green-pass-ancora-valido-nello-stesso-momento_F311370301006C02

[FedericoCozzi]

If you go to https://get.dgc.gov.it/v1/dgc/settings you’ll see a list of revoked (blacklisted) green passes. Several of them are Italian

[oliversaggau]

Would be nice to have an "official" statement of the ministry of health what that list under https://get.dgc.gov.it/v1/dgc/settings really contains. Just like @djechelon I too think, we're talking about two different things here. As far as I understood the lawyer, the law say that if a vaccinated person was to be tested positively, the green pass shall be revoked (postponed) until that person was to be tested negatively again. Of course that can/maybe has been/will be implemented in the same blacklist under https://get.dgc.gov.it/v1/dgc/settings but currently it is unclear to me whether these are only some blacklisted (fake) certificates or whether that blacklist is the actual "database" for "postponing" green passes mentioned in the law.

[jumpjack]

Yes, we have 2 topics:

• permanently disable fake DGCs
• temporarily suspend valid DGCs of infected people

[jumpjack]

The blacklist looks "a little" short: currently there are 85287 illegal but valid DGCs only in Italy (7th column, "totale positivi").

[marcomarsala]

They won’t revoke DGCs of who get tested positive because unique IDs of these certs are PII (Personal Identifiable Information. They revoke only DGCs emitted to to not existent people (so not PII) and to stop media resonance too

[falemagn]

@marcomarsala then is this a lie?

«I certificati sono stati disattivati presso il database del ministero della Salute.»

https://tg24.sky.it/roma/2021/11/03/green-pass-falsi-pippo-franco

[FedericoCozzi]

I don’t think the reason why a green pass is revoked (blocked, blacklisted) matters. Also, I don’t think we should know whether revoked green passes belong to real people or are fake. This is for privacy.

Annex B of Dpcm postulates a list of revoked green passes which should be checked by VerificaC19.

To me, it looks like a list is in place and the app checks it.

Now it’s just a matter of populating the list correctly, but this is not an app issue.

[marcomarsala]

I don’t think the reason why a green pass is revoked (blocked, blacklisted) matters.

There is only one cause of revocation, that is testing positive. So the presence of a cert in the revocation list tells health information about the owner.

Also, I don’t think we should know whether revoked green passes belong to real people or are fake. This is for privacy.

Privacy applies only to real and alive, people.

[marcomarsala]

@marcomarsala then is this a lie?

«I certificati sono stati disattivati presso il database del ministero della Salute.»

https://tg24.sky.it/roma/2021/11/03/green-pass-falsi-pippo-franco

If the only revocation list is https://get.dgc.gov.it/v1/dgc/settings it contains 11 Italian DGC unique IDs and we don’t know who these certs belongs to. If they are certs of people mentioned in the article you cited, I think they had revoked these certs without privacy issues because the event was always of public domain, as newspapers wrote about that. It isn’t the same as revoking certs of who tested positive

[FedericoCozzi]

Does 01IT3DA01DD1A0AA4E4E92A10C11B04D39DB#8 belong to a real person or a fake? How do you know? (This is a real Zero Knowledge list! Even after looking at it, you don’t know what it contains…)

Does it matter if 01IT3DA01DD1A0AA4E4E92A10C11B04D39DB#8 was revoked due to infection? Should VerificaC19 work differently?

[marcomarsala]

I know if I already meet that cert.

For example, if I scan certs of my customers with a modified version of the app, that keeps a copy of all cert data, I can know if any of my customers will test positive in the future, just looking if his/her cert id appears in revocation list.

[FedericoCozzi]

Using a modified version of the app which keeps the data is a privacy violation. Garante della Privacy was clear about this.

[marcomarsala]

Yes. But I think the issue in publishing PII in revocation list came from GDPR, art. 9 n. 2 letters i) and h). These data are processed by anyone and this is forbidden by art. 9 n. 3 (and too art. 6 n. 3 par. 2)

[jaromil]

The CRL implementation adopted makes use of idemix, originally adopted by the Dutch app. This is a "first generation" ZK scheme that produces non-aggregable unique identifiers (UID) of the data whose only privacy feature is being "keyed" with a nonce or context-uid. According to the law (IANAL) any unique identifier of private data is considered private: in this ZK case the knowledge of the UID and nonce is pretty much the same as a new hash of the data. Therefore this CRL implementation still leaks private data. A privacy preserving implementation should use aggregate lists of CRL and therefore a ZK implementation producing aggregable UIDs, i.e. as described by the hyperledger revocation list implementation I linked in a previous comment.

[jumpjack]

If they did want to protect personal information in the certificate, they should have encrypted it rather than just signing. The QRcode is instead just the "computer readable version" of the printed version of DGC in A4 format, which contains all the same data of QR.

[jumpjack]

Does 01IT3DA01DD1A0AA4E4E92A10C11B04D39DB#8 belong to a real person or a fake? How do you know?

By sure it's not Spongebob's or Mickey Mouse's DGC: https://github.com/denysvitali/covid-cert-analysis/blob/master/RESULTS.md

[FedericoCozzi]

There are now 128 Italian green passes revoked / blocked / blacklisted.

I don’t know who those green passes belong to and why they were revoked. Anyway I think it doesn’t matter.

A revocation list is in place, it’s updated and VerificaC19 checks it. I think this closes this issue (which was “does VerificaC19 handle green pass revocation?”)

If someone thinks that a green pass blacklist violates privacy, this is an issue against DPCM (and not against VerificaC19, which is now compliant with DPCM) and should raise the issue with Garante della Privacy.

[oliversaggau]

As you are the author of the issue you can do whatever you want with your issue. If you are fine with the revocation list as it is, you're free to close your ticket. But I for myself don't have the answers (an official statement) I was looking for and if this issue here gets closed I would create a new one on my own. Because I still don't know if that very revocation list you mentioned complies with this specific law (which was also discussed above) an italian lawyer sent us (I believe it was article 8 of the DPCM)

Gli effetti della validità di ogni certificazione cessano decorso il periodo di validità della stessa, definito dall’allegato B (ovvero, dopo 6 mesi dall’avvenuta guarigione dal Covid-19, dopo 9 mesi dalla seconda dose del vaccino, dopo 48 ore dal tampone negativo, ndr). Nell’eventualità in cui una struttura sanitaria afferente ai servizi sanitari regionali, un medico di medicina generale, un pediatra di libera scelta o un medico USFAM o SASN comunichi alla piattaforma nazionale la positività del Sars-Cov-2 di una persona vaccinata o guarita, la piattaforma nazionale genera una revoca delle certificazioni verdi Covid-19, eventualmente già rilasciata alla persona e ancora in corso di validità, inserendo gli identificativi univoci di dette certificazioni revocate e comunicandoli al Gateway europeo. Della revoca, la piattaforma invia notifica all’interessato

And by the pure number of only 128 revoked green passes I somehow doubt it.

[giox069]

FYI: There are now more than 700 GreenPass(es) stolen and shared on eMule. I tested some samples, and verificaC19 accepted all of them. Is the blacklist updated and really working? see: https://www.youtube.com/watch?v=12Yemlt2pkI

[marcomarsala]

I think that blacklist it is used only for green certificates revoked to comply to court orders, because other cases are already covered by different legal means (ID check for name, quarantine for suspect cases and isolation for positivity, consequencies for offenders). Such certificates was designed to be used in a context where the ID is always checked (travels). The issue is with the internal usage of such certificates in some countries (for ex. accessing some businesses), where ID couldn’t be checked for many reasons. This matter should be discussed at another level.

[FedericoCozzi]

It looks like a DRL (D stands for …?) is being developed.

Looking at committed code, its main features are:

1. Improved download to handle larger files
2. Revocation list contains hashed certificate ids

Probably the current implementation (revoked ids mixed together with business rules) was not considered scalable.

In the meantime the current revocation list is (mildly) updated. There are now 200+ Italian certificates revoked.

[jumpjack]

When the list will start containing hundreds of thousands of invalid greenpasses to be dwonloaded each day, things will become interesting.

@marcomarsala , not that "legal" does not match with "as per VerificaC19" app: it's not legal to go around for sick people, but VericaC19 considers valid their greenpasses.

[agiudiceandrea]

https://github.com/ministero-salute/it-dgc-verificaC19-android/pull/192 https://github.com/ministero-salute/it-dgc-verificaC19-android/pull/194 https://github.com/ministero-salute/it-dgc-verificaC19-android/pull/196 https://github.com/ministero-salute/it-dgc-verificaC19-android/pull/198

[jumpjack]

Since december 18th 2021 is now mandatory to disable/revoke greenpass of infected people: https://www.leggo.it/italia/cronache/green_pass_revoca_positivi_covid_gateway_europeo_cosa_succede-6392003.html

[jaromil]

Ubi maior minor cessat 🙄