Vaccine cards can be shared between users about healthgateway HOT 12 CLOSED

Based on the press conference today, government issued ID is required for validation alongside the QR code, for those 19+.

https://www.youtube.com/watch?v=rjlfS18Z2bI&t=1142s

from healthgateway.

My understanding is that the QR code must be presented alongside photo ID to confirm it belongs to the user.

from healthgateway.

Based on https://spec.smarthealth.cards/#signing-health-cards, @tehshane, it appears that the public key is stored as part of /.well-known/jwks.json via the issuer URL, which in BC's case is: https://smarthealthcard.phsa.ca/v1/issuer/.well-known/jwks.json

Within the same spec document, key rotation is left up to the issuer, but is recommended to be done on an annual basis: https://spec.smarthealth.cards/#key-management

from healthgateway.

Figured I'd be more productive moving the conversation from Twitter to here :)

As far as I can tell, the QR code has the user's name and birthday embedded in it, as well as vaccination date/location/lotNumber. The code is digitally signed by http://smarthealthcard.phsa.ca. FHIR standard is being used to transmit this information. https://hl7.org/fhir/

EDIT: For clarification, SMART Health Cards is the system being used to generate and sign the QR codes I believe. Data gets decoded into a FHIR JSON format when scanned.

from healthgateway.

Yep, there are tons of tools to validate and verify the format. Simple walkthrough here, useful code here.

The issue is that the generated, signed QR codes are long-lived tokens that can (and will) be shared to get unvaxxed friends into events, etc.

from healthgateway.

So the scanner app will show the name embedded in the QR, and the business will be required to cross-reference with government ID.

That's very slow but it'll work - assuming businesses don't just accept the "green checkmark" on a successful scan in situations where they are processing a lot of people. Like at sporting events.

"Oh, I forgot my ID, but look I'm vaccinated and already paid for my ticket, yes my name is definitely Joe Fakename"

Guess that's not a software problem though.

from healthgateway.

Yep, there are tons of tools to validate and verify the format. Simple walkthrough here, useful code here.

The issue is that the generated, signed QR codes are long-lived tokens that can (and will) be shared to get unvaxxed friends into events, etc.

Thank you for your input. The SHC standard is not meant to be a standalone verification. It requires the presence of a government issued ID to support the claims inside the signed payload. The verifier who does not compare these claims to ID is using the verification at their own subjective risk. This is documented in the SHC web site at: https://smarthealth.cards/faq.html#sharingInformation

from healthgateway.

At the risk of thread hijacking, is the public key that the JWS is signed with published anywhere?

Mostly out of personal curiosity, but also wondering if there are any contingencies in case the private key is ever leaked. I imagine the impact of cryptographically valid forgeries would be astronomical.

Is key rotation on the radar?

from healthgateway.

Based on https://spec.smarthealth.cards/#signing-health-cards, @tehshane, it appears that the public key is stored as part of /.well-known/jwks.json via the issuer URL, which in BC's case is: https://smarthealthcard.phsa.ca/v1/issuer/.well-known/jwks.json

Within the same spec document, key rotation is left up to the issuer, but is recommended to be done on an annual basis: https://spec.smarthealth.cards/#key-management

Excellent! I had tried a .well-known URL, but did it under the wrong path. 😅

I appreciate the response, thank you!

from healthgateway.

At the risk of thread hijacking, is the public key that the JWS is signed with published anywhere?

Mostly out of personal curiosity, but also wondering if there are any contingencies in case the private key is ever leaked. I imagine the impact of cryptographically valid forgeries would be astronomical.

Is key rotation on the radar?

The public key is available as a well-known endpoint as per the Smart Health Card specifications. The private key is secured in vault and is as secure as any other use of public/private key pair or cert signing such as with TLS.

from healthgateway.

At the risk of thread hijacking, is the public key that the JWS is signed with published anywhere?
Mostly out of personal curiosity, but also wondering if there are any contingencies in case the private key is ever leaked. I imagine the impact of cryptographically valid forgeries would be astronomical.
Is key rotation on the radar?

The public key is available as a well-known endpoint as per the Smart Health Card specifications. The private key is secured in vault and is as secure as any other use of public/private key pair or cert signing such as with TLS.

Interestingly the Smart Health Card Verifier (https://thecommonsproject.org/smart-health-card-verifier) appears to be looking the public key at https://smarthealthcard.phsa.ca/v1/issuer and failing the issuer verification as a result. Maybe something to check on.

from healthgateway.

The Smart Health Card Verifier app is not a verifier for the QR codes being returned from Health Gateway which is why it reports that the Issuer (PHSA) is not recognized.

At this point, I am going to close this issue as I believe that the original discussion has completed.

Thanks

from healthgateway.