Dr. Greg Bernstein

April 20th, 2021

Report Example

Open Standards Vaccine Passports

  • What are electronic “vaccine passports”?
  • What are the key standards and technologies that they might be based on?
  • How does this relate to CyberSecurity?

General References

Sites for Major Open Vaccine Passport Initiatives


The COVID-19 Credentials Initiative (CCI) is an open global community looking to deploy and/or help deploy privacy-preserving verifiable credential projects in order to mitigate the spread of COVID-19 and strengthen our societies and economies.


The community builds on Verifiable Credentials (VCs), an open standard and emerging technology, which could provide a close experience to paper/physical credentials while offering additional benefits, the most important being privacy-preserving and tamper-evident.

We joined Linux Foundation Public Health (LFPH) in Dec 2020 to work together on advancing the use of VCs, and data and technical interoperability of VCs in the public health realm, starting with vaccine records for COVID-19.

CCI 3: Tech work


The Vaccination Credential Initiative is a voluntary coalition of public and private organizations committed to empowering individuals with access to a trustworthy and verifiable copy of their vaccination records in digital or paper form using open, interoperable standards.

The scope of the Vaccine Credential Initiative (VCI™) is to harmonize the standards and produce the implementation guides needed to support the issuance of verifiable health credentials - signed clinical data bound to an individual identity. The VCI does this by leading the development and implementation of the open-source SMART Health Card Framework and specifications.

VCI 2: Charter

The Vaccination Credential Initiative is a voluntary coalition of public and private organizations committed to empowering individuals with access to a trustworthy and verifiable copy of their vaccination records in digital or paper form using open, interoperable standards.

VCI 3: Scope

The scope of the Vaccination Credential Initiative (VCI™) is to harmonize the standards and support development of implementation guides needed to issue, share, and validate vaccination records bound to an individual identity.

VCI 4: Key Design Principles

  • Openness & Interoperability: based on international standards and open technologies and interoperable across countries and regions.
  • Transparency: operated in an open and transparent manner.
  • Privacy by Design: upholds and protects the privacy of individual health data and designed to comply with applicable data privacy regulations.
  • Flexible and Equitable: designed to adapt over time as the pandemic and science evolve. Accessible and usable by anyone worldwide in any language regardless of level of wealth and economic development, including availability in digital and paper (QR code) forms.

VCI 5: Smart Health Cards

  • Smart Health Cards: GitHub Gold!!! Technical documentation with details on security, privacy, and crypto protocols.

  • See large list of “member” organizations at VCI members

  • Technologies: W3C Verifiable Credentials, JSON Object Signing and Encryption (JOSE), Public-Key Cryptography, Secure Hashes, QR-Codes

PathCheck 1

Paper-first Vaccination Solutions

An equitable, efficient, open source and privacy preserving protocol by MIT.

PathCheck 2: Tech

From Paper-first Verifiable Credentials URI Specification

The PathCheck Verifiable QR Specification is an extension of the W3C Verifiable Credentials Data Model expressed as a URI for the purposes of providing a standardized format of describing Verifiable Credentials within the constraints of the QR specification. This document describes the protocol to create Verifiable Credentials directly as URIs for space-limited alphanumeric-required applications, such as QR Codes, NFC tags and SMS Messages.

Rough Comparison

Initiative   Data Model   Container    Crypto
PathCheck    W3C VCs      Custom/URI   PKI

Final Topic/Abstract

An Introduction to emerging approaches to secure vaccine passports.

Abstract: In this report we present a tutorial on secure, privacy-enhancing vaccine passports. Three emerging open efforts were reviewed, and all were based on W3C’s verifiable credentials data model. We explain the data model from a security, privacy, and technology standpoint, and illustrate its implementation by one initiative via JSON Web Tokens (JWTs) and public-key cryptography. In addition, we review the technology behind JWTs and provide a high-level review of QR codes that can be used in paper-based scannable vaccine passports.

Introduction: Key Elements

  • Clear explanation of the topic and its importance
  • Relationship between this work and other papers including those in the references.
  • Explanation of how this work is “original”
  • Brief roadmap of the rest of the report

Report Main Sections

  • Introduction (already discussed)
  • Verifiable Credentials (explanation of the essence of data model highlighting security and privacy features)
  • Containers for Credentials (explanation of JWT technology and PKI)
  • What is and Why use QR codes with Verifiable Credentials
  • Conclusion and References

Verifiable Credentials

Learning Objectives

  • Students will be able to understand base64 encoding

  • Students will understand the role of JSON on the web and in conveying secured information

  • Students will gain a high level knowledge of JWS, JWE, JWT, and verifiable credentials

References Original Sources

References General

Verifiable Credentials Intro 1

From Verifiable Credentials Data Model 1.0 W3C

Credentials are a part of our daily lives; driver’s licenses are used to assert that we are capable of operating a motor vehicle, university degrees can be used to assert our level of education, and government-issued passports enable us to travel between countries. These credentials provide benefits to us when used in the physical world, but their use on the Web continues to be elusive.

Verifiable Credentials Intro 2

From Verifiable Credentials Data Model 1.0 W3C

Currently it is difficult to express education qualifications, healthcare data, financial account details, and other sorts of third-party verified machine-readable personal information on the Web. The difficulty of expressing digital credentials on the Web makes it challenging to receive the same benefits through the Web that physical credentials provide us in the physical world.

This specification provides a standard way to express credentials on the Web in a way that is cryptographically secure, privacy respecting, and machine-verifiable.

Physical Credentials 1

From Verifiable Credentials Data Model 1.0 W3C

In the physical world, a credential might consist of:

  • Information related to identifying the subject of the credential (for example, a photo, name, or identification number)

  • Information related to the issuing authority (for example, a city government, national agency, or certification body)

  • Information related to the type of credential this is (for example, a Dutch passport, an American driving license, or a health insurance card)

Physical Credentials 2

From Verifiable Credentials Data Model 1.0 W3C

  • Information related to specific attributes or properties being asserted by the issuing authority about the subject (for example, nationality, the classes of vehicle entitled to drive, or date of birth)

  • Evidence related to how the credential was derived

  • Information related to constraints on the credential (for example, expiration date, or terms of use).

Electronic Verifiable Credentials

From Verifiable Credentials Data Model 1.0 W3C

A verifiable credential can represent all of the same information that a physical credential represents. The addition of technologies, such as digital signatures, makes verifiable credentials more tamper-evident and more trustworthy than their physical counterparts.

Holders of verifiable credentials can generate verifiable presentations and then share these verifiable presentations with verifiers to prove they possess verifiable credentials with certain characteristics.

Credential Ecosystem

From Verifiable Credentials Data Model 1.0 W3C

[Figure: Credential Ecosystem]

Credential Formal Definition

From Verifiable Credentials Data Model 1.0 W3C

A set of one or more claims made by an issuer. A verifiable credential is a tamper-evident credential that has authorship that can be cryptographically verified. Verifiable credentials can be used to build verifiable presentations, which can also be cryptographically verified. The claims in a credential can be about different subjects.

Verifiable Presentation

From Verifiable Credentials Data Model 1.0 W3C

A presentation is: Data derived from one or more verifiable credentials, issued by one or more issuers, that is shared with a specific verifier. A verifiable presentation is a tamper-evident presentation encoded in such a way that authorship of the data can be trusted after a process of cryptographic verification.

Implementation Approaches

JSON Web Tokens

JSON Web Token is an Internet proposed standard for creating data with optional signature and/or optional encryption whose payload holds JSON that asserts some number of claims. The tokens are signed either using a private secret or a public/private key.

JWT example
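
As an added example (not from the original slides or from any of the initiatives above), the following Node.js code signs a credential-shaped JWT with a private key (ES256) and verifies it against a map of trusted issuers, then shows that editing one claim invalidates the signature. The issuer URL, the claim names under `credentialSubject`, and the function names are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');
const b64u = (data) => Buffer.from(data).toString('base64url');
const decodeJson = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Issuer side: header.payload.signature, each part base64url-encoded.
function signJwt(payload, privateKey) {
  const header = { alg: 'ES256', typ: 'JWT' };
  const signingInput = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(payload))}`;
  // JWS uses the raw r||s signature form (IEEE P1363), not DER.
  const sig = crypto.sign('sha256', Buffer.from(signingInput),
    { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${signingInput}.${b64u(sig)}`;
}

// Verifier side: trustedIssuers maps an issuer URL to that issuer's public key.
function verifyJwt(token, trustedIssuers, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const [h, p, s] = parts;
  // Pin the algorithm; the token must not choose it (rejects "none", HS256, ...).
  if (decodeJson(h).alg !== 'ES256') throw new Error('unexpected alg');
  const payload = decodeJson(p);
  const publicKey = trustedIssuers.get(payload.iss);
  if (!publicKey) throw new Error('untrusted issuer');
  const ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`),
    { key: publicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  if (payload.nbf !== undefined && now < payload.nbf) throw new Error('not yet valid');
  if (payload.exp !== undefined && now >= payload.exp) throw new Error('expired');
  return payload; // claims are trusted only after every check above passed
}

// Constructed sample data: issuer URL, subject and vaccine entry are made up.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const credential = {
  iss: 'https://issuer.example', nbf: 1618876800,
  vc: { type: ['VerifiableCredential'],
        credentialSubject: { name: 'Jane Doe', vaccine: 'EXAMPLE-VAX', doses: 2 } },
};
const token = signJwt(credential, privateKey);
const trusted = new Map([['https://issuer.example', publicKey]]);

// A holder edits one claim and re-encodes the payload; the old signature no longer matches.
function tamper(jwt) {
  const [h, p, s] = jwt.split('.');
  const body = decodeJson(p);
  body.vc.credentialSubject.doses = 3;
  return `${h}.${b64u(JSON.stringify(body))}.${s}`;
}
```

`verifyJwt(token, trusted)` returns the claims, while `verifyJwt(tamper(token), trusted)` throws `bad signature`: the tamper-evidence property the data model relies on.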

QR Codes

From QR Code: Wikipedia

A QR code (abbreviated from Quick Response code) is a type of matrix barcode invented in 1994 by the Japanese automotive company Denso Wave. A barcode is a machine-readable optical label that contains information about the item to which it is attached. In practice, QR codes often contain data for a locator, identifier, or tracker that points to a website or application.

QR Code Example

QR code generated with NPM: qrcode

[Figure: QR Code Example]