A QR code can be placed upon a piece of paper, and those without a phone can carry the piece of paper, the same way we can carry the vaccination card now except with a less trivial duplication/fraud problem. It’s not a meaningful objection.
You seem to assume a user would print out a QR code from e.g. a website at home and then carry it around. It would need to be valid for at least a day, and to be re-usable for multiple verifications. This could make it harder to build a secure system with the same guarantees as you might get from very short lived tokens (OTP style). I don’t think you should dismiss this out of hand.
It also rules out a challenge/response system between the verifier and the app, which might be useful for some designs.
the QR code can just have a cryptographically signed attestation from a government agency that the person has been vaccinated. that can be verified by an app which does not need to communicate with a central authority. if the authority released the corresponding public keys, open source apps could do the job. and the vaccination doesn’t expire, so the code doesn’t need to. (but perhaps you could include some vaccine lot number info if you’re super excited about such things, so apps could know about bad batches? that’s probably not worth the effort to discuss.)
the hard part is figuring out who to attest has been vaccinated, and what information you can cram into the attestation which will satisfy people viewing the QR code. (an entire photo wouldn’t fit.)
the vaccination doesn’t expire, so the code doesn’t need to
If a person receives a static, permanent QR code, then some QRs will leak (or be deliberately leaked) and will be used en masse. And some QRs will be given out to friends and family.
With permanent codes, the application presenting the QR can’t prove it’s the genuine application, so people could just as easily show an image.
That also lets everyone share QR codes easily (i.e. without being tech savvy or investing effort) - just use your phone’s screenshot function while the real app is open. And whoever verifies the QR code can also reproduce it.
This is the lowest possible level of security. Saying that such an un-trustworthy system creates net positive value for society requires some serious proof, which I haven’t seen.
Including photos in the QR is possible; a B&W photo would fit. If you want to include more data, you can put a copy of the photo online (so that the verifier can pull the exact file) and sign its hash and URL as part of the QR token. Or use NFC to transmit the (signed) photo. Or use several QRs displayed in succession. QR bandwidth is surprisingly high. However, using photos raises other questions, such as what about all the people the government doesn’t have official or up-to-date photos of (and see also my other top level reply).
If a person receives a static, permanent QR code, then some QRs will leak (or be deliberately leaked) and will be used en masse. And some QRs will be given out to friends and family.
...who cares? The QR code contains a cryptographically signed attestion that “DanArmak” is vaccinated. Not “whoever displays this code is vaccinated”. You only need a program for decoding it, and verifying the signature against the signing keys from states.
Photocopying them would be only slightly more useful than photocopying somebody else’s drivers license. Sure, if they’ve got the same name or look just like you, they can use it, but if I photocopy my drivers license and put it online, there’s not a lot of people who could reasonably pass as me.
With permanent codes, the application presenting the QR can’t prove it’s the genuine application, so people could just as easily show an image.
You absolutely do not need anything to display it, you could print it out on paper. The genuine-ness comes from the cryptographic signature.
Saying that such an un-trustworthy system
It’s extremely trustworthy, but unfortunately the mechanism of trust isn’t clear until you understand public key cryptography.
Including photos in the QR is possible; a B&W photo would fit. If you want to include more data, you can put a copy of the photo online
The whole point of the suggestion was a scheme which was not traceable. That means not fetching people’s pictures.
QR bandwidth is surprisingly high.
I understand how QR codes work just fine, but being on a piece of paper in somebody’s wallet, we’ve got to turn the ECC up to max, and I’ve also got an estimate for the size of the rest of the data that needs to go in there in order to make it useful.
The mechanism doesn’t need to be perfect, it’ll just mostly work, and this one also perfectly preserves privacy. (It can also be tweaked and tuned in a variety of ways which I’m not going to take the effort to explain to a non-software engineer.)
We’re talking past one another, trying to solve different problems. I’m a software engineer by profession and I understand how public-key cryptography works. I also assumed you were not a software engineer because your comment didn’t make sense for the problem as I understand it.
The QR code contains a cryptographically signed attestion that “DanArmak” is vaccinated. Not “whoever displays this code is vaccinated”.
That works fine, and is the system used in Israel and proposed in some EU countries. But it’s not what I understand Zvi to be arguing for.
Zvi wants a system which doesn’t let verifiers identify the person in front of them, only learn that they’re vaccinated. He clarifies this in this comment.
If the QR proves “DanArmak is vaccinated”, then I also need to prove I’m DanArmak. E.g. by displaying a state ID. This lets verifiers track me, simply because they learn who I am and businesses regularly sell or share data on customers / visitors. The application verifying the QR codes can make this even easier—most businesses install the same verifier application, and it uploads info about the people whose IDs it verifies. IIUC, the US doesn’t have any privacy laws that would forbid private entities from such collading, tracking, and selling such data, even without disclosure.
To clarify—the most humane, least risky use case that would satisfy these desiderata would be have a modular system where we
Verify off-site that DanArmak is vaccinated (or has allergies, or a heart condition, or is immunocompromised)
Verify on-site that you’re DanArmak
Give the user the option of sharing information with the state or local health department so they can contact you or your physician about virus exposure (not just covid), food poisoning, whatever.
This could be widely adapted to a variety of situations, depending on how rigorous one wants to be about verifying someone’s ID.
If we DO stick with apps, the best approach might be to give everyone a QR code (including those who haven’t gotten vaccinated or tested). Separately, provide multiple options for verifying the codes (strict verification of ID, census of how many people are vaccinated once capacity is exceeded, etc)
Looks like some people may already be moving in this direction.
Right, so whatever direction we go with this, it’s really important that the application be open source, as Jeffrey Zients has suggested, so that businesses can add on security features that identify the person.
My thoughts exactly. What a QR Code could do is to store names, and perhaps the dates they got the vaccine. If people have time to check photos, then they might as well do so on any photographic ID, whose name matches the one on the QR Code, and which is shown together with the QR code wherever that’s relevant.
You seem to assume a user would print out a QR code from e.g. a website at home and then carry it around. It would need to be valid for at least a day, and to be re-usable for multiple verifications. This could make it harder to build a secure system with the same guarantees as you might get from very short lived tokens (OTP style). I don’t think you should dismiss this out of hand.
It also rules out a challenge/response system between the verifier and the app, which might be useful for some designs.
the QR code can just have a cryptographically signed attestation from a government agency that the person has been vaccinated. that can be verified by an app which does not need to communicate with a central authority. if the authority released the corresponding public keys, open source apps could do the job. and the vaccination doesn’t expire, so the code doesn’t need to. (but perhaps you could include some vaccine lot number info if you’re super excited about such things, so apps could know about bad batches? that’s probably not worth the effort to discuss.)
the hard part is figuring out who to attest has been vaccinated, and what information you can cram into the attestation which will satisfy people viewing the QR code. (an entire photo wouldn’t fit.)
If a person receives a static, permanent QR code, then some QRs will leak (or be deliberately leaked) and will be used en masse. And some QRs will be given out to friends and family.
With permanent codes, the application presenting the QR can’t prove it’s the genuine application, so people could just as easily show an image.
That also lets everyone share QR codes easily (i.e. without being tech savvy or investing effort) - just use your phone’s screenshot function while the real app is open. And whoever verifies the QR code can also reproduce it.
This is the lowest possible level of security. Saying that such an un-trustworthy system creates net positive value for society requires some serious proof, which I haven’t seen.
Including photos in the QR is possible; a B&W photo would fit. If you want to include more data, you can put a copy of the photo online (so that the verifier can pull the exact file) and sign its hash and URL as part of the QR token. Or use NFC to transmit the (signed) photo. Or use several QRs displayed in succession. QR bandwidth is surprisingly high. However, using photos raises other questions, such as what about all the people the government doesn’t have official or up-to-date photos of (and see also my other top level reply).
...who cares? The QR code contains a cryptographically signed attestion that “DanArmak” is vaccinated. Not “whoever displays this code is vaccinated”. You only need a program for decoding it, and verifying the signature against the signing keys from states.
Photocopying them would be only slightly more useful than photocopying somebody else’s drivers license. Sure, if they’ve got the same name or look just like you, they can use it, but if I photocopy my drivers license and put it online, there’s not a lot of people who could reasonably pass as me.
You absolutely do not need anything to display it, you could print it out on paper. The genuine-ness comes from the cryptographic signature.
It’s extremely trustworthy, but unfortunately the mechanism of trust isn’t clear until you understand public key cryptography.
The whole point of the suggestion was a scheme which was not traceable. That means not fetching people’s pictures.
I understand how QR codes work just fine, but being on a piece of paper in somebody’s wallet, we’ve got to turn the ECC up to max, and I’ve also got an estimate for the size of the rest of the data that needs to go in there in order to make it useful.
The mechanism doesn’t need to be perfect, it’ll just mostly work, and this one also perfectly preserves privacy. (It can also be tweaked and tuned in a variety of ways which I’m not going to take the effort to explain to a non-software engineer.)
We’re talking past one another, trying to solve different problems. I’m a software engineer by profession and I understand how public-key cryptography works. I also assumed you were not a software engineer because your comment didn’t make sense for the problem as I understand it.
That works fine, and is the system used in Israel and proposed in some EU countries. But it’s not what I understand Zvi to be arguing for. Zvi wants a system which doesn’t let verifiers identify the person in front of them, only learn that they’re vaccinated. He clarifies this in this comment.
If the QR proves “DanArmak is vaccinated”, then I also need to prove I’m DanArmak. E.g. by displaying a state ID. This lets verifiers track me, simply because they learn who I am and businesses regularly sell or share data on customers / visitors. The application verifying the QR codes can make this even easier—most businesses install the same verifier application, and it uploads info about the people whose IDs it verifies. IIUC, the US doesn’t have any privacy laws that would forbid private entities from such collading, tracking, and selling such data, even without disclosure.
To clarify—the most humane, least risky use case that would satisfy these desiderata would be have a modular system where we
Verify off-site that DanArmak is vaccinated (or has allergies, or a heart condition, or is immunocompromised)
Verify on-site that you’re DanArmak
Give the user the option of sharing information with the state or local health department so they can contact you or your physician about virus exposure (not just covid), food poisoning, whatever.
This could be widely adapted to a variety of situations, depending on how rigorous one wants to be about verifying someone’s ID.
If we DO stick with apps, the best approach might be to give everyone a QR code (including those who haven’t gotten vaccinated or tested). Separately, provide multiple options for verifying the codes (strict verification of ID, census of how many people are vaccinated once capacity is exceeded, etc)
Looks like some people may already be moving in this direction.
https://github.com/joelbcastillo/CS6903-Vaccine-Passport-Checker/tree/main/src/CS6903-Vaccine-Passport-Checker
Again, easier to implement if the software is open source.
Right, so whatever direction we go with this, it’s really important that the application be open source, as Jeffrey Zients has suggested, so that businesses can add on security features that identify the person.
My thoughts exactly. What a QR Code could do is to store names, and perhaps the dates they got the vaccine. If people have time to check photos, then they might as well do so on any photographic ID, whose name matches the one on the QR Code, and which is shown together with the QR code wherever that’s relevant.