Dr. Greg Bernstein
April 20th, 2021
Coming Soon: The ‘Vaccine Passport’, By Tariro Mzezewa, Published Feb. 4, 2021; Updated April 20, 2021.
For Vaccine Passports, Less Tech Is Best, By Shira Ovide April 20, 2021.
The COVID-19 Credentials Initiative (CCI) is an open global community looking to deploy and/or help deploy privacy-preserving verifiable credential projects in order to mitigate the spread of COVID-19 and strengthen our societies and economies.
The community builds on Verifiable Credentials (VCs), an open standard and emerging technology, which could provide a close experience to paper/physical credentials while offering additional benefits, the most important being privacy-preserving and tamper-evident.
We joined Linux Foundation Public Health (LFPH) in Dec 2020 to work together on advancing the use of VCs, and data and technical interoperability of VCs in the public health realm, starting with vaccine records for COVID-19.
A Path Towards Interoperability: CCI Released a Paper on Different Flavors of Verifiable Credentials 02/11/2021.
Verifiable Credentials Flavors Explained: a good medium-depth technical reference, February 2021.
The Vaccination Credential Initiative is a voluntary coalition of public and private organizations committed to empowering individuals with access to a trustworthy and verifiable copy of their vaccination records in digital or paper form using open, interoperable standards.
The scope of the Vaccine Credential Initiative (VCI™) is to harmonize the standards and produce the implementation guides needed to support the issuance of verifiable health credentials - signed clinical data bound to an individual identity. The VCI does this by leading the development and implementation of the open-source SMART Health Card Framework and specifications.
The scope of the Vaccination Credential Initiative (VCI™) is to harmonize the standards and support development of implementation guides needed to issue, share, and validate vaccination records bound to an individual identity.
Smart Health Cards: GitHub Gold!!! Technical documentation with details on security, privacy, and crypto protocols.
See large list of “member” organizations at VCI members
Technologies: W3C Verifiable Credentials, JSON Object Signing and Encryption (JOSE), Public-Key Cryptography, Secure Hashes, QR-Codes
Paper-first Vaccination Solutions
An equitable, efficient, open source and privacy preserving protocol by MIT.
From Paper-first Verifiable Credentials URI Specification
The PathCheck Verifiable QR Specification is an extension of the W3C Verifiable Credentials Data Model expressed as a URI for the purposes of providing a standardized format of describing Verifiable Credentials within the constraints of the QR specification. This document describes the protocol to create Verifiable Credentials directly as URIs for space-limited alphanumeric-required applications, such as QR Codes, NFC tags and SMS Messages.
Initiative | Data Model | Container | Crypto |
---|---|---|---|
VCI | W3C VCs | JWT | PKI |
CCI | W3C VCs | ? | PKI |
PathCheck | W3C VCs | Custom/URI | PKI |
An Introduction to emerging approaches to secure vaccine passports.
Abstract: In this report we present a tutorial on secure privacy enhancing vaccine passports. Three emerging open efforts were reviewed and all were based on W3C’s verifiable credentials data model. We explain the data model from a security, privacy, and technology standpoint, and illustrate its implementation by one initiative via JSON Web Tokens (JWTs) and public-key cryptography. In addition we review the technology behind JWTs and provide a high level review of QR codes that can be used in paper based scannable vaccine passports.
Students will be able to understand base64 encoding
Students will understand the role of JSON on the web and in conveying secured information
Students will gain a high level knowledge of JWS, JWE, JWT, and verifiable credentials
From Verifiable Credentials Data Model 1.0 W3C
Credentials are a part of our daily lives; driver’s licenses are used to assert that we are capable of operating a motor vehicle, university degrees can be used to assert our level of education, and government-issued passports enable us to travel between countries. These credentials provide benefits to us when used in the physical world, but their use on the Web continues to be elusive.
From Verifiable Credentials Data Model 1.0 W3C
Currently it is difficult to express education qualifications, healthcare data, financial account details, and other sorts of third-party verified machine-readable personal information on the Web. The difficulty of expressing digital credentials on the Web makes it challenging to receive the same benefits through the Web that physical credentials provide us in the physical world.
This specification provides a standard way to express credentials on the Web in a way that is cryptographically secure, privacy respecting, and machine-verifiable.
From Verifiable Credentials Data Model 1.0 W3C
In the physical world, a credential might consist of:
Information related to identifying the subject of the credential (for example, a photo, name, or identification number)
Information related to the issuing authority (for example, a city government, national agency, or certification body)
Information related to the type of credential this is (for example, a Dutch passport, an American driving license, or a health insurance card)
Information related to specific attributes or properties being asserted by the issuing authority about the subject (for example, nationality, the classes of vehicle entitled to drive, or date of birth)
Evidence related to how the credential was derived
Information related to constraints on the credential (for example, expiration date, or terms of use).
From Verifiable Credentials Data Model 1.0 W3C
A verifiable credential can represent all of the same information that a physical credential represents. The addition of technologies, such as digital signatures, makes verifiable credentials more tamper-evident and more trustworthy than their physical counterparts.
Holders of verifiable credentials can generate verifiable presentations and then share these verifiable presentations with verifiers to prove they possess verifiable credentials with certain characteristics.
From Verifiable Credentials Data Model 1.0 W3C
A set of one or more claims made by an issuer. A verifiable credential is a tamper-evident credential that has authorship that can be cryptographically verified. Verifiable credentials can be used to build verifiable presentations, which can also be cryptographically verified. The claims in a credential can be about different subjects.
From Verifiable Credentials Data Model 1.0 W3C
A presentation is: Data derived from one or more verifiable credentials, issued by one or more issuers, that is shared with a specific verifier. A verifiable presentation is a tamper-evident presentation encoded in such a way that authorship of the data can be trusted after a process of cryptographic verification.
JSON Web Token is an Internet proposed standard for creating data with optional signature and/or optional encryption whose payload holds JSON that asserts some number of claims. The tokens are signed either using a private secret or a public/private key.
https://jwt.io/#debugger-io?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkRyLiBCIiwiaWF0IjoxNTE2MjM5MDIyLCJjb3Vyc2UiOiJDUzY3MSJ9.kk-U5yCdIO3uuklXvn2Wo6jvyeyBe72YcpDw3DUNewo
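What "tamper-evident" means for the token in the jwt.io link above, as an added example that is not part of the original slides: the header and payload are only base64url-encoded JSON that anyone can read, while the third part is an HMAC-SHA256 over the first two. The key `DEMO_KEY` and the helper names are assumptions made for this example; the secret for the page's own token is not given, so that token can be decoded here but not verified.

```python
import base64, hashlib, hmac, json

# Token copied from the jwt.io link above; the page does not give its secret.
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkRyLiBCIiwiaWF0IjoxNTE2MjM5MDIyLCJjb3Vyc2UiOiJDUzY3MSJ9."
              "kk-U5yCdIO3uuklXvn2Wo6jvyeyBe72YcpDw3DUNewo")
DEMO_KEY = b"constructed-demo-secret"  # assumption: made up for this example

def b64url_decode(text):
    # JWS drops the "=" padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _mac(key, signing_input):
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()

def decode_unverified(token):
    """Return (header, payload). Anyone can do this: a JWS is encoded, not encrypted."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def sign_hs256(payload, key, header=None):
    parts = (header or {"alg": "HS256", "typ": "JWT"}, payload)
    signing_input = ".".join(
        b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    return signing_input + "." + b64url_encode(_mac(key, signing_input))

def verify_hs256(token, key):
    """Return the payload if the HS256 signature checks out, else raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header, signature = json.loads(b64url_decode(header_b64)), b64url_decode(sig_b64)
    except ValueError as exc:  # wrong part count, bad base64, bad JSON
        raise ValueError("malformed token") from exc
    # Pin the algorithm; the token must not choose how it gets verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(signature, _mac(key, f"{header_b64}.{payload_b64}")):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))

def tamper(token, **changes):
    """Edit payload claims but keep the old signature, as a forger without the key would."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = {**json.loads(b64url_decode(payload_b64)), **changes}
    forged = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header_b64}.{forged}.{sig_b64}"
```

The vaccine-credential initiatives listed earlier use public-key signatures rather than a shared HMAC secret, so that verifiers hold no key capable of issuing credentials; the structure of the check is the same.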
From QR Code: Wikipedia
A QR code (abbreviated from Quick Response code) is a type of matrix barcode invented in 1994 by the Japanese automotive company Denso Wave. A barcode is a machine-readable optical label that contains information about the item to which it is attached. In practice, QR codes often contain data for a locator, identifier, or tracker that points to a website or application.
QR code generated with NPM: qrcode