Stupid questions about Public-key cryptography and QR Code Vaccine Passports

ve7xen:
The Federal government mandated that all provinces follow the SMART Health Card standard. The spec is here: https://spec.smarthealth.cards/ . It should answer all your questions.

Infraviolet:
Nothing can ever really be made secure, from the citizen's perspective, about making people present a digital domestic ID card to go about daily life. All round a very bad idea, does nothing but make people less trusting, more antagonistic, and makes those who are hesitant to get vaccinated all the more unwilling. The way out of this mess has to be trusting people to do the right thing and be hygienic, not tracking their every movement.

thm_w:

--- Quote from: Infraviolet on September 27, 2021, 11:20:18 pm ---Nothing can ever really be made secure, from the citizen's perspective, about making people present a digital domestic ID card to go about daily life. All round a very bad idea, does nothing but make people less trusting, more antagonistic, and makes those who are hesitant to get vaccinated all the more unwilling. The way out of this mess has to be trusting people to do the right thing and be hygienic, not tracking their every movement.

--- End quote ---

Whine somewhere else.

edy:
From now until Oct 22 when the Health Ministry comes out with a signed vaccine QR code, people can present easily-forgeable "vaccination receipts" since there is no way to authenticate whether it is real or somebody copied another receipt and changed info. Not only that, but most are just printed paper or PDF or scanned images on phones that have a name that a business is supposed to match to whatever ID the person presents (to show the receipt belongs to them).

Funny thing is, even after Oct 22 it seems the government will still allow this form of proof. Too many old people either without phones or the know-how to get QR codes will be allowed to use this, so it seems.

There is currently an independent coding group of volunteers working to bridge the gap by making validation QR codes available for easy storage (Apple wallet) and presentation with a verification app. They published their entire open source on Github. They are found here: https://grassroots.vaccine-ontario.ca/

I spoke to one of the developers and even with this system it can be easily forged because they purposefully DO NOT collect or store any identifiable information for privacy reasons. Therefore a QR code generated by this system could be copied to other users as the verification app a business uses to screen people doesn't display the name of the person for whom the QR code has been created! The QR code only contains vaccination details but no personally identifiable information. They did this because as a volunteer coding group they didn't want to get into a legal privacy debacle like happened with some other government roll-outs of half-baked apps that leaked user info. What the heck is the point of a receipt if you can't verify it belongs to the person it is supposed to be for?

So basically right now it is a mess until the government forces everyone to download and use a digitally signed receipt that makes the name and date of birth available to whoever scans it, makes businesses validate it using a well-known easily verifiable public key, and introduce a system to continuously issue updated signed receipts and public keys for verification purposes as private keys either expire or get compromised. And enforcement is another issue as there are a growing number of businesses who are just refusing to even check people.

ve7xen:

--- Quote from: edy on October 01, 2021, 05:50:30 am ---So basically right now it is a mess until the government forces everyone to download and use a digitally signed receipt that makes the name and date of birth available to whoever scans it, makes businesses validate it using a well-known easily verifiable public key, and introduce a system to continuously issue updated signed receipts and public keys for verification purposes as private keys either expire or get compromised. And enforcement is another issue as there are a growing number of businesses who are just refusing to even check people.

--- End quote ---

Interesting to see how different provinces are failing at this differently.

Here in BC as of Sept 26, the signed QR code is the only acceptable proof of vaccination (there are some exceptions for Canadian Forces, international visitors and such). They didn't roll out vaccination requirements at all until the SHC was available, but gave a few weeks where the handwritten records were acceptable. The first few days of availability the system was overloaded, but it's been working well now. Their verification app works well, shows the person's name (but not DoB for some reason, though it is in the QR code) for verification against their ID, doesn't require Internet and seems pretty fast. I've been to a few places that aren't using the proper scanning app to verify, which is allowed, so people could use forged ones at those places, but overall compliance seems to be pretty good here in Vancouver. Who knows about parts further out, but technically they should be requiring it and checking ID and the fine is pretty stiff ($2300).

Where they have failed IMO is that there is no app for citizens to access their QR code in an easy manner. Instead they link you to a PNG (originally they had a PDF option, but this seemed to overload the system so they quickly took it down) and then tell you to screenshot or save it to your phone, and then leave it up to you to figure out how to access it quickly, which isn't all that straightforward on phones these days. They also aren't surfacing the .smart-health-card file in their UI (or presumably at all) as the SHC spec 'requires', which would make it easier for potential third-party apps to pick it up automatically as a MIME handler rather than some convoluted QR scanning or something. A simple app would help usability a lot, especially for the less tech savvy, and really all it needs to do is ingest the .smart-health-card file and produce a QR code when opened.

So meh, I'm alright with the implementation here.
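
An added example, not part of the thread or of any province's app: how an offline verifier for the SMART Health Card format linked above can check a scanned `shc:/` QR string against a locally stored issuer public key and only then read the name and date of birth to compare with photo ID. The key pair, the `kid`, the issuer URL, the trimmed payload and the `trustedKeys` map are constructed for illustration.

```javascript
// Added example with constructed data; not a real card or a real issuer key.
const crypto = require('crypto');
const zlib = require('zlib');

const b64u = (x) => Buffer.from(x).toString('base64url');

// Issuer side: ES256-sign a raw-DEFLATE payload, then numerically encode the JWS.
function issue(claims, privateKey, kid) {
  const head = b64u(JSON.stringify({ zip: 'DEF', alg: 'ES256', kid }));
  const body = b64u(zlib.deflateRawSync(JSON.stringify(claims)));
  const sig = crypto.sign('sha256', Buffer.from(`${head}.${body}`),
    { key: privateKey, dsaEncoding: 'ieee-p1363' });
  const jws = `${head}.${body}.${b64u(sig)}`;
  // Each JWS character becomes two decimal digits: char code minus 45.
  return 'shc:/' + [...jws].map((c) => String(c.charCodeAt(0) - 45).padStart(2, '0')).join('');
}

// Verifier side: works offline against a Map of kid -> trusted issuer public key.
function verify(qrText, trustedKeys) {
  const m = /^shc:\/((?:\d\d)+)$/.exec(qrText);
  if (!m) return { ok: false, reason: 'not a single-chunk shc:/ payload' };
  const jws = m[1].match(/\d\d/g).map((d) => String.fromCharCode(Number(d) + 45)).join('');
  const [head, body, sig, extra] = jws.split('.');
  if (!sig || extra !== undefined) return { ok: false, reason: 'malformed JWS' };
  let header;
  try { header = JSON.parse(Buffer.from(head, 'base64url').toString()) || {}; }
  catch { return { ok: false, reason: 'malformed JWS' }; }
  const key = trustedKeys.get(header.kid);
  if (header.alg !== 'ES256' || !key) return { ok: false, reason: 'untrusted key or algorithm' };
  // Check the signature before inflating or trusting anything in the payload.
  const good = crypto.verify('sha256', Buffer.from(`${head}.${body}`),
    { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(sig, 'base64url'));
  if (!good) return { ok: false, reason: 'bad signature' };
  const claims = JSON.parse(zlib.inflateRawSync(Buffer.from(body, 'base64url')).toString());
  const patient = claims.vc.credentialSubject.fhirBundle.entry
    .map((e) => e.resource).find((r) => r.resourceType === 'Patient');
  const n = patient.name[0];
  return { ok: true, name: `${n.given.join(' ')} ${n.family}`, birthDate: patient.birthDate };
}

// Constructed issuer key pair and card contents (hypothetical issuer URL and kid).
const issuerKeys = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
const SAMPLE = { iss: 'https://issuer.example', vc: { credentialSubject: { fhirBundle: {
  entry: [{ resource: { resourceType: 'Patient',
    name: [{ family: 'Example', given: ['Jane'] }], birthDate: '1970-01-01' } }] } } } };
const sampleQr = issue(SAMPLE, issuerKeys.privateKey, 'constructed-kid-1');
console.log(verify(sampleQr, new Map([['constructed-kid-1', issuerKeys.publicKey]])));
```

A card re-signed with any other key, or carrying a `kid` the verifier does not hold, is rejected before its contents are read; a valid card copied to another person still verifies, which is why the name check against ID matters.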
