I think this assumes that the system needs to be more robust than the current system, by a lot, plus also gain privacy. What I’m saying is that (1) yes we could do both if we cared enough, in theory, because we have proof by example but also (2) we don’t need that level of robustness. We need something harder to fake than a Fake ID, where the QR code doesn’t reveal who you are, so you can’t be tracked beyond the existing ability to track cell phones.
There’s a trade-off of security vs. privacy for sure, but right now the existing systems are lousy at best on both.
What’s the example you’re thinking of? I’m sorry if you mentioned it before and I missed it.
We need something harder to fake than a Fake ID, where the QR code doesn’t reveal who you are, so you can’t be tracked beyond the existing ability to track cell phones.
If I understand correctly, you don’t want the QR code to prove that “John Doe, ID #123456789, is vaccinated” and then have the verifier ask to see a separate, pre-existing ID that shows you’re John Doe. Which is how the actual and proposed vaccination passports in Israel and some of the EU work. (Hence I don’t know what example you’re thinking of.)
Instead you want the QR code to prove that “the bearer of this code is vaccinated”. That implies the code must be secret and not trivially shareable between many different people. But copying images and taking screenshots is trivial. So the code must not be a single permanent QR per person, but generated by the application: either frequently replaced (like OTP) or on-demand (challenge-response protocol).
This could work if installing or activating the app required approval from a central database / service. This approach has difficulties I noted before, including proving to the app you’re you, and multiple activations. And it still lets the app owner track you, since the app stays active.
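The on-demand (challenge-response) variant described above, as an added illustration that is not code from this thread. It assumes a hypothetical activation service that stores only an opaque credential id and a per-app secret, and that verifiers look secrets up by that id; a screenshot of an earlier QR payload carries a stale nonce and is rejected.

```python
import hmac, hashlib, secrets, json

CHALLENGE_TTL = 60  # seconds a verifier challenge stays valid (constructed value)

# --- central service: activation (identity proofing happens out of band) ---
def activate(registry: dict) -> dict:
    """Issue an opaque credential: no name or ID number is stored with it."""
    cred_id = secrets.token_hex(8)
    secret = secrets.token_bytes(32)
    registry[cred_id] = secret          # the service is the party able to link checks
    return {"cred_id": cred_id, "secret": secret}

# --- verifier side: mint a fresh, single-use challenge ---
def new_challenge(now: int) -> dict:
    return {"nonce": secrets.token_hex(16), "issued": now, "used": False}

# --- app side: answer the challenge; this string is what the QR code encodes ---
def respond(cred: dict, nonce: str) -> str:
    msg = f"{cred['cred_id']}|{nonce}".encode()
    tag = hmac.new(cred["secret"], msg, hashlib.sha256).hexdigest()
    return json.dumps({"cred_id": cred["cred_id"], "nonce": nonce, "tag": tag})

# --- verifier side: check the scanned payload against the challenge it issued ---
def verify(registry: dict, challenge: dict, qr_payload: str, now: int) -> bool:
    try:
        p = json.loads(qr_payload)
    except ValueError:
        return False
    if challenge["used"] or now - challenge["issued"] > CHALLENGE_TTL:
        return False                    # challenge already consumed or expired
    if p.get("nonce") != challenge["nonce"]:
        return False                    # copied/screenshotted code: wrong nonce
    secret = registry.get(p.get("cred_id"))
    if secret is None:
        return False                    # credential never activated
    msg = f"{p['cred_id']}|{p['nonce']}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, p.get("tag", "")):
        return False                    # payload not produced by the app holding the secret
    challenge["used"] = True            # one challenge, one successful scan
    return True
```

The verifier learns only an opaque credential id; whoever operates the registry can still correlate lookups, which is the tracking concern raised above.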
What approach are you thinking of?