Closed jtara closed 3 years ago
@jtara,
Wow, excellent catch! Thank you! We're working out the kinks in our process.
Resolved by #11.
Isaac
@jtara Thanks again for bringing this to our attention. Regarding the SHC verifier app, it's backed by a different issuers list, but should include the issuers in the VCI directory. The -pub iss value had previously been loaded into the SHC verifier list, which is how you were able to verify it.
I find that the iss listed for UCSD:
https://epicproxy.et0502.epichosted.com/EPPARRPRD/api/epic/2021/Security/Open/EcKeys/32001/SHC
does not correspond to the iss found in my own personal vaccine record:
https://epicproxy-pub.et0502.epichosted.com/EPPARRPRD/api/epic/2021/Security/Open/EcKeys/32001/SHC
Note the presence of -pub in the live example. Both return identical keys.
This begs the question of how Smart Health Card Verifier is able to match the UCSD issuer and display the name, since the iss value in the downloaded QR will not match.
(I would look myself, but I believe Verifier is not open source?)
As well, I question how Verifier is able to verify the signature. It seems to me that an exhaustive search for kid across all known issuers would not be proper - it should be constrained to the claimed iss.
Assuming the data here is out of sync with data in the Verifier.
(I have built my own decoder/verifier, which is how I saw the iss value).
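The key-resolution concern raised in the post above, as an added example that is not part of the original thread and is not the Verifier's code: it contrasts a kid lookup constrained to the claimed iss with a kid search across all known issuers. The two iss URLs are the ones quoted in the issue; the directory layout, kid values, key entries and function names are constructed for illustration, and signature verification itself is omitted.

```python
import base64, json, zlib

# The two iss values quoted in the issue; kids and key entries below are constructed.
DIRECTORY_ISS = "https://epicproxy.et0502.epichosted.com/EPPARRPRD/api/epic/2021/Security/Open/EcKeys/32001/SHC"
CARD_ISS = "https://epicproxy-pub.et0502.epichosted.com/EPPARRPRD/api/epic/2021/Security/Open/EcKeys/32001/SHC"

# Hypothetical trust directory: iss -> display name and published keys indexed by kid.
TRUSTED = {
    DIRECTORY_ISS: {"name": "UCSD", "keys": {"constructed-kid-1": {"kty": "EC", "crv": "P-256"}}},
    "https://issuer.example/shc": {"name": "Example Health", "keys": {"constructed-kid-2": {"kty": "EC", "crv": "P-256"}}},
}

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_jws(iss, kid):
    """Build an unsigned, constructed SHC-style JWS (raw-DEFLATE payload) as sample input."""
    header = {"alg": "ES256", "zip": "DEF", "kid": kid}
    comp = zlib.compressobj(wbits=-15)
    body = comp.compress(json.dumps({"iss": iss}).encode()) + comp.flush()
    return ".".join([b64url_encode(json.dumps(header).encode()), b64url_encode(body), "c2ln"])

def parse_claims(jws):
    """Return (iss, kid) from the inflated payload and the protected header."""
    h, p, _sig = jws.split(".")
    header = json.loads(b64url_decode(h))
    payload = json.loads(zlib.decompress(b64url_decode(p), wbits=-15))
    return payload["iss"], header["kid"]

def resolve_key_strict(jws, trusted=TRUSTED):
    """Look up kid only inside the key set of the exact claimed iss."""
    iss, kid = parse_claims(jws)
    issuer = trusted.get(iss)
    if issuer is None:
        raise LookupError(f"untrusted issuer: {iss}")
    if kid not in issuer["keys"]:
        raise LookupError(f"kid {kid} not published by {iss}")
    return issuer["name"], issuer["keys"][kid]

def resolve_key_global(jws, trusted=TRUSTED):
    """The approach the post objects to: search every issuer for kid, ignoring iss."""
    _iss, kid = parse_claims(jws)
    for issuer in trusted.values():
        if kid in issuer["keys"]:
            return issuer["name"], issuer["keys"][kid]
    raise LookupError(f"kid {kid} not found")
```

With a card built as `make_jws(CARD_ISS, "constructed-kid-1")`, the global search returns the UCSD entry although the claimed iss is not in the directory, while the strict lookup rejects the card until the -pub iss is listed.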