Comments (12)
Based on the press conference today, government issued ID is required for validation alongside the QR code, for those 19+.
https://www.youtube.com/watch?v=rjlfS18Z2bI&t=1142s
from healthgateway.
My understanding is that the QR code must be presented alongside photo ID to confirm it belongs to the user.
from healthgateway.
Based on https://spec.smarthealth.cards/#signing-health-cards, @tehshane, it appears that the public key is stored as part of /.well-known/jwks.json
via the issuer URL, which in BC's case is: https://smarthealthcard.phsa.ca/v1/issuer/.well-known/jwks.json
Within the same spec document, key rotation is left up to the issuer, but is recommended to be done on an annual basis: https://spec.smarthealth.cards/#key-management
from healthgateway.
Figured I'd be more productive moving the conversation from Twitter to here :)
As far as I can tell, the QR code has the user's name and birthday embedded in it, as well as vaccination date/location/lotNumber. The code is digitally signed by http://smarthealthcard.phsa.ca. FHIR standard is being used to transmit this information. https://hl7.org/fhir/
EDIT: For clarification, SMART Health Cards is the system being used to generate and sign the QR codes I believe. Data gets decoded into a FHIR JSON format when scanned.
from healthgateway.
Yep, there are tons of tools to validate and verify the format. Simple walkthrough here, useful code here.
The issue is that the generated, signed QR codes are long-lived tokens that can (and will) be shared to get unvaxxed friends into events, etc.
from healthgateway.
So the scanner app will show the name embedded in the QR, and the business will be required to cross-reference with government ID.
That's very slow but it'll work - assuming businesses don't just accept the "green checkmark" on a successful scan in situations where they are processing a lot of people. Like at sporting events.
"Oh, I forgot my ID, but look I'm vaccinated and already paid for my ticket, yes my name is definitely Joe Fakename"
Guess that's not a software problem though.
from healthgateway.
Yep, there are tons of tools to validate and verify the format. Simple walkthrough here, useful code here.
The issue is that the generated, signed QR codes are long-lived tokens that can (and will) be shared to get unvaxxed friends into events, etc.
Thank you for your input. The SHC standard is not meant to be a standalone verification. It requires the presence of a government issued ID to support the claims inside the signed payload. The verifier who does not compare these claims to ID is using the verification at their own subjective risk. This is documented in the SHC web site at: https://smarthealth.cards/faq.html#sharingInformation
from healthgateway.
At the risk of thread hijacking, is the public key that the JWS is signed with published anywhere?
Mostly out of personal curiosity, but also wondering if there are any contingencies in case the private key is ever leaked. I imagine the impact of cryptographically valid forgeries would be astronomical.
Is key rotation on the radar?
from healthgateway.
Based on https://spec.smarthealth.cards/#signing-health-cards, @tehshane, it appears that the public key is stored as part of
/.well-known/jwks.json
via the issuer URL, which in BC's case is: https://smarthealthcard.phsa.ca/v1/issuer/.well-known/jwks.jsonWithin the same spec document, key rotation is left up to the issuer, but is recommended to be done on an annual basis: https://spec.smarthealth.cards/#key-management
Excellent! I had tried a .well-known
URL, but did it under the wrong path. 😅
I appreciate the response, thank you!
from healthgateway.
At the risk of thread hijacking, is the public key that the JWS is signed with published anywhere?
Mostly out of personal curiosity, but also wondering if there are any contingencies in case the private key is ever leaked. I imagine the impact of cryptographically valid forgeries would be astronomical.
Is key rotation on the radar?
The public key is available as a well-known endpoint as per the Smart Health Card specifications. The private key is secured in vault and is as secure as any other use of public/private key pair or cert signing such as with TLS.
from healthgateway.
At the risk of thread hijacking, is the public key that the JWS is signed with published anywhere?
Mostly out of personal curiosity, but also wondering if there are any contingencies in case the private key is ever leaked. I imagine the impact of cryptographically valid forgeries would be astronomical.
Is key rotation on the radar?The public key is available as a well-known endpoint as per the Smart Health Card specifications. The private key is secured in vault and is as secure as any other use of public/private key pair or cert signing such as with TLS.
Interestingly the Smart Health Card Verifier (https://thecommonsproject.org/smart-health-card-verifier) appears to be looking the public key at https://smarthealthcard.phsa.ca/v1/issuer and failing the issuer verification as a result. Maybe something to check on.
from healthgateway.
The Smart Health Card Verifier app is not a verifier for the QR codes being returned from Health Gateway which is why it reports that the Issuer (PHSA) is not recognized.
At this point, I am going to close this issue as I believe that the original discussion has completed.
Thanks
from healthgateway.
Related Issues (11)
- Add project lifecycle badge HOT 1
- Broken link in docs HOT 1
- Getting 504 error when retrieving vaccine card HOT 2
- release only on Google play store HOT 11
- Save to Apple/Google Pay apps HOT 2
- Data Mismatch Error HOT 6
- Add missing topics
- No Support for Android 14 HOT 2
- Date of Birth formatting error on COVID-19 Vaccination Record HOT 1
- Trusted device name should use local info rather than authenticating device HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from healthgateway.