by deanclatworthy 1727 days ago
Can someone tell me how the verification works?

From what I understand the data is signed. So someone has the key? Who controls the keys? We have an EU wide passport so are governments sharing the keys? There is an app for validating the codes in some countries so is that happening by hitting an API or are the keys in the apps?

What I’m getting at here is how are they validating keys without leaking the keys used to sign?

4 comments

In the USA, some states (including California) and private health care providers are using something called Smart Health Card [0] which is a signed JWT using public/private keys.

It's up to each verifier (e.g. phone app developers) to decide which issuers to trust but there's a list: https://www.commontrustnetwork.org/verifier-list.

[0] https://smarthealth.cards/

In Canada, British Columbia is using the SMART Health Card as well. Don't know if any of the other provinces are.

BC and QC are... but they're terrible PII privacy leaks (unprotected legal name/DOB/vaccination record). It violates the Health Canada privacy act [0]:

> "The Act protects an individual's privacy by setting out provisions related to the collection, retention, accuracy, disposal, use and disclosure of personal information."

and the privacy act [1]

> "(a) information relating to the race, national or ethnic origin, colour, religion, age or marital status of the individual,

> (b) information relating to the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,"

Hopefully they adjust accordingly.

[0]: https://www.canada.ca/en/health-canada/corporate/about-healt...

[1]: https://laws-lois.justice.gc.ca/eng/acts/P-21/FullText.html

Just a pretty standard certificate hierarchy. In Germany the pharmacies can sign your information (when given your paper vaccination pass) and give you a QR code, or you get it right when you get vaccinated. Obviously those are then the weak points, and afaik there are ~25 root(/revocable?) keys for Germany alone. Contained in the QR code are your name, DOB and which vaccinations you already got. So the QR code is only valid together with your photo ID.

> What I’m getting at here is how are they validating keys without leaking the keys used to sign?

Public and private keys. Pharmacies and doctors have control over private keys/keys signed by the "root" keys. The checking app has the public keys and can check if the signature of the data is valid (matches the data and the private keys).

This isn’t secure re: your last point. If every country in Europe has numerous private keys it’s inevitable they’re leaked and used to sign fake vaccine passes.

They have numerous private keys precisely because of leakage risk. In that case only one (or two) of them will get leaked (and then hopefully revoked), leaving the others intact.

It’s public key based - the health authorities use their private keys to sign, and the EU has a gateway service which gives validation apps the public keys. Details and GitHub link -> https://ec.europa.eu/info/news/eu-digital-covid-certificate-...

It's not signed (yet) in Alberta. It's a PDF with vaccine data on it.
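
The public/private-key answer and the reply about issuers holding several revocable keys, as an added example that is not part of the thread and not code from SMART Health Cards or the EU gateway: a verifier that holds only public keys checks an ES256-signed compact JWS against a trust list and a revocation set. The issuer URL, key ids and claims are constructed, and the payload compression and QR encoding that real health cards add are left out.

```javascript
// Added example: constructed issuer, key ids and claims; not real health-card data.
const crypto = require('node:crypto');
const b64u = (buf) => Buffer.from(buf).toString('base64url');

// Issuer side: the private key never leaves the issuer (health authority, pharmacy, ...).
function issue(privateKey, kid, claims) {
  const header = b64u(JSON.stringify({ alg: 'ES256', kid }));
  const payload = b64u(JSON.stringify(claims));
  const sig = crypto.sign('sha256', Buffer.from(`${header}.${payload}`),
    { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${header}.${payload}.${b64u(sig)}`;
}

// Verifier side: holds only public keys, indexed by issuer and key id.
function verify(token, trust, revoked = new Set()) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
    claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
  } catch { return { ok: false, reason: 'malformed' }; }
  if (!header || !claims) return { ok: false, reason: 'malformed' };
  // Pin the algorithm; the token must not choose how it is verified.
  if (header.alg !== 'ES256') return { ok: false, reason: 'bad-alg' };
  const publicKey = trust.get(claims.iss)?.get(header.kid);
  if (!publicKey) return { ok: false, reason: 'untrusted-issuer-or-key' };
  if (revoked.has(`${claims.iss}#${header.kid}`)) return { ok: false, reason: 'revoked' };
  const good = crypto.verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`),
    { key: publicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(parts[2], 'base64url'));
  return good ? { ok: true, claims } : { ok: false, reason: 'bad-signature' };
}

// Constructed demo: one issuer with two keys, so one can be revoked without the other.
function demo() {
  const iss = 'https://issuer.example';
  const newKey = () => crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const [k1, k2, outsider] = [newKey(), newKey(), newKey()];
  const trust = new Map([[iss, new Map([['key-1', k1.publicKey], ['key-2', k2.publicKey]])]]);
  const claims = { iss, name: 'Test Person', doses: 2 };
  const pass1 = issue(k1.privateKey, 'key-1', claims);
  const pass2 = issue(k2.privateKey, 'key-2', claims);
  const [h, , s] = pass1.split('.');
  const edited = `${h}.${b64u(JSON.stringify({ ...claims, name: 'Someone Else' }))}.${s}`;
  const revoked = new Set([`${iss}#key-1`]);
  return { valid: verify(pass1, trust), forged: verify(edited, trust),
    rogue: verify(issue(outsider.privateKey, 'key-1', claims), trust),
    afterRevocation: verify(pass1, trust, revoked), otherKey: verify(pass2, trust, revoked) };
}
```
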