QR code of the first and second dose

[marcoscale98]

Describe the bug

I have the certificate for both the first and second vaccinations. They are 2 different QR codes. Both are positively recognized by the app. But once you get the one for the second dose, shouldn't the first dose certificate expire?

Expected behaviour

The certificate of the first dose should expire when that of the second vaccination is achieved

Steps to reproduce the issue

Scan the QR code of the first dose. Then scan the second dose certificate

[enricomiletto]

This is an intresting one @marcoscale98 Honestly, I think whoever wrote this law may have not really thought about how it would be implemented in practice.

The issue here is that the Covid Certificates for vaccination don't contain a field that specifies the end of validity of that certificate, but the law says that the certificate for the first dosis has a validity that is specific for each person (the distance between the appointment for the first dosis and the second one varies from person to person).

So, since the app cannot know when the " data prevista per la somministrazione della seconda dose" is it can't decide if the certificate should still be valid or not.

There would be the option of "remotely" revoking all certficates of the first dosis as soon as the day of the appointment for the second dosis comes, but the issue here it that if the Ministero della Salute revokes something like 40 milion certificates, the list of revoked certificates that will have to be synced on every verification app in Europe would weight around 1 GB, which is not feasable.

So, I envision two possible solutions to the problem:

• The current law gets modified by giving a fixed duration of validity to all first dose certificates (what would make the most sense imo would be the maximal expected interval between the 2 dosis, 42 days for Pfizer and Moderna, 84 for AstraZeneca), so the app could simply compute "date of issuance" + "fixed duration of first dosis certificates (42/84 days)" and see if that date has already passed or not.
• The other option (which wouldn't work for certificates already issued, though) is to set the date of the second dose appointment as the Expiration Time of the CBOR Web Token (CWT) itself. This expiration date technically is something separate from the validity of the covid certificate itself, but it should still do the trick as the app should anyways check that this Expiration date is not surpassed. This would also require the national DGC platform to know the planned date for the second dose at the time the certificate of the first dose is issued, which idk if it is the case ATM.

In both cases though it's not up to the developers of VerificaC19 to make decisions in this regard.

If I have written something that's not correct, please leave a comment

PS: I'm not part of the dev team of this app, just a private citizen

[enricomiletto]

Apparently, some countries (like Austria) allow people to enter the country with a Covid Certificate of the first dose up to 90 days after the first vaccination (even without having done the second dose). IT EN

This means my "second solution" cannot be done because ending the certificate's validity as soon as the date of their scheduled second dosis would unjustly keep people from entering Austria (for example) if they decicded not to take the second dosis on the scheduled date.

If my reasoning is correct this leaves the only option to update the Italian Law that establishes the rules of when a certificate is considered valid.

[enricomiletto]

Actually, thinking about this a little more, another reason that revoking the certificates or making the CWT expire when the data prevista per la somministrazione della seconda dose comes doesn't work is that it would only work for Covid Certificates emitted by Italy.

The Digital Covid Certificate is a EU-wide effort, meaning every member state recognizes the certificates emitted by all other memer states. Still, every country can choose its specific requirements/restrictions (like the duration of the validity of the first dosis, or if you consider first dosis valid at all, which specific vaccines to accept...) for when a Covid Certificate is considered valid inside its territory; these rules obviously have to be equal for all Covid Certificate holders that are inside of the country's territory independently from which EU country has emitted the certificate.

So, aside from the techical problems of implementing what the "DECRETO-LEGGE 22 aprile 2021 , n. 52" asks, it would anyways only work under the assumption that every country of the EU has a scheduled appointment date for the second dose at the time the certificate for the first dose is issued, which probably is not the case

[marcoscale98]

Now I also doubt that even the green pass obtained with a negative covid test does not have an expiration date that can be verified with VerificaC19. Has anyone already tried it?

[enricomiletto]

@marcoscale98 No, it doesn't (that of course doesn't mean they dont expire). Here you can see what information is stored on the QR codes. (for covid tests pages 9 to 11) https://ec.europa.eu/health/sites/default/files/ehealth/docs/covid-certificate_json_specification_en.pdf

And also, why would they need an expiration date? Every country can decide by itself how long after the time of the collection of the sample the certificate is considered valid. Italy, for example considers a certificate of a test (PCR or antigen) valid in the 48 hours after the test is executed (art. 9 comma 5 of DL 22 aprile). The app can compute "time of execution of the test" + 48h and see if that time has passed. No need for an expiration date.

Switzerland (not EU, but still participates in the Digital Covid Certificate system) for example has decided that PCR tests are considered valid 72h after the time of the execution of the test. Now if there was a field with an expiration date for the test on the DCC and every country would issue certificates with expiration dates coherent with their own definition of validity, a person that was tested with a PCR test in Switzerland could come to Italy and enter a restaurant up to 72h after the execution of the test (not in line w/ italian regulation) because the app would check the expiration date end see it hasn't passed

Conversely, an Italian who has done a PCR test in Italy couldn't enter Switzerland by flight between 48 and 72 hours of the execution of his test in Italy even though the Swiss definition of validity would allow it

[astagi]

@marcoscale98 @enricomiletto thank you for reporting this issue and for the interesting discussion, I'll close this thread cause it's not strictly related to the app.