
Re: covid-19 immunisation record as a pair of VC - does anyone have an example?

From: Steve Capell <steve.capell@gmail.com>
Date: Fri, 11 Sep 2020 16:32:49 +1000
Message-Id: <4F839703-7C23-4C49-BAD1-8B2FF45CDD26@gmail.com>
Cc: "W3C Credentials CG (Public List)" <public-credentials@w3.org>
To: Jeremy Townson <jeremy.townson@gmail.com>

Both interesting ideas.

On the first point, I can imagine an app where the physician scans the passport with embedded chip using NFC - which would bind to name, DOB, passport number, and facial biometric. Just name and DOB could work but is a bit riskier to match to the traveller at the arrival smart gate.

On the second point, it's a very interesting idea. How would that vaccine supplier credential get linked at the point of delivery by the physician? Scan some QR code on the pack of meds?

Steven Capell
Mob: 0410 437854

> On 11 Sep 2020, at 12:57 am, Jeremy Townson <jeremy.townson@gmail.com> wrote:
> 
> 
> Hi Steve,
> 
> A couple of things I noted about your approach:
> 
> > That the identifiable subject DID-X...
> It is arguably better not to use a DID here. The presence of the DID will bind the credential to a specific wallet/device, which could conceivably invalidate the credential in scenarios where it is in fact valid.
> The important binding seems to be to the individual who has been vaccinated and the best way to do that is probably to use the full name and date of birth. The reason for that is name/DOB is an identifier commonly used in a medical setting. A passport number might be useful, especially given the verifier app you sketch out, however, it might also be impractical because, in general, doctors do not hold their patients' passport numbers.
> 
> > VC-2: That physician DID-Y is accredited...
> Have you considered instead a second credential issued by the supplier of the vaccine? This could then also contain specific details of the vaccine itself -- strain, date of production, etc. Effectively, the border force has to then configure the specific vaccine/suppliers which they accept. You want to handle the edge case where a qualified doctor administers a vaccine that does not work.
> 
> Regards,
> Jeremy Townson
> 
> 
> On Thu, 10 Sep 2020 at 00:58, steve capell <steve.capell@gmail.com> wrote:
>> Hi team,
>> 
>> I'm working on an example of a covid-19 immunisation record for cross-border travellers and wondered if anyone had an example.
>> 
>> For the VC to be acceptable as proof to the arrival country, I think there would need to be two separate proofs:
>> - VC-1: That the identifiable subject DID-X (with passport number 123) was vaccinated by physician issuer DID-Y
>> - VC-2: That physician DID-Y is accredited by authority well-known-domain-Z
>>
>> Verifier process would be something like:
>> 1. confirm holder is the subject (check/scan passport)
>> 2. confirm subject is vaccinated (VC-1)
>> 3. use issuer DID-Y to discover VC-2
>> 4. confirm issuer is accredited by an authority trusted by the arrival border control (typically a .gov domain in the issuing country)
>>
>> Will do an example of this with an SG govt style open attestation - maybe with oracle as issuer approach. Would be nice to do another one with W3C VC - maybe with the trust chain discovery approach.
>> 
>> Thoughts?
>> 
>> kind regards,
>> 
>> -- 
>> Steve Capell
>> 

Received on Friday, 11 September 2020 06:33:05 UTC
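
The four-step verifier process listed in the original message of this thread, as an added example that is not part of the thread or any participant's code. It assumes HMAC-SHA256 as a stand-in for the asymmetric proofs real credentials carry, a dictionary in place of discovering VC-2 from the issuer DID, and constructed identifiers and keys (`did:example:physician-y`, `health.example.gov`, `clinic.example.com`).

```python
import hashlib, hmac, json

# Constructed demo keys; HMAC stands in for the signature a real VC would carry.
KEYS = {"did:example:physician-y": b"physician-demo-key",
        "health.example.gov": b"authority-demo-key",
        "clinic.example.com": b"unaccredited-demo-key"}
TRUSTED_AUTHORITIES = {"health.example.gov"}  # configured by arrival border control

def _mac(issuer, claims):
    payload = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(KEYS[issuer], payload, hashlib.sha256).hexdigest()

def issue(issuer, claims):
    return {"issuer": issuer, "claims": claims, "proof": _mac(issuer, claims)}

def proof_ok(vc):
    if vc["issuer"] not in KEYS:
        return False
    return hmac.compare_digest(vc["proof"], _mac(vc["issuer"], vc["claims"]))

def verify_traveller(passport_no, vc1, registry):
    """Return (accepted, reason), following the verifier steps in the thread."""
    if not proof_ok(vc1):
        return False, "VC-1 proof invalid"
    if vc1["claims"].get("passportNumber") != passport_no:   # step 1: holder is subject
        return False, "holder is not the subject"
    if vc1["claims"].get("vaccinated") is not True:          # step 2: VC-1 claim
        return False, "no vaccination claim"
    vc2 = registry.get(vc1["issuer"])                        # step 3: discover VC-2
    if vc2 is None or not proof_ok(vc2):
        return False, "VC-2 missing or invalid"
    if vc2["claims"].get("accredited") != vc1["issuer"]:
        return False, "VC-2 is about a different physician"
    if vc2["issuer"] not in TRUSTED_AUTHORITIES:             # step 4: trusted authority
        return False, "authority not trusted"
    return True, "ok"

PHYSICIAN = "did:example:physician-y"
VC1 = issue(PHYSICIAN, {"passportNumber": "123", "vaccinated": True})
VC2 = issue("health.example.gov", {"accredited": PHYSICIAN})
REGISTRY = {PHYSICIAN: VC2}  # stand-in for discovery via issuer DID-Y

if __name__ == "__main__":
    print(verify_traveller("123", VC1, REGISTRY))
    print(verify_traveller("999", VC1, REGISTRY))
```
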
