RE: California Digital Vaccine Record based on VCs

I agree with Kaliya’s assessment. I also agree that reading the comments in the GitHub, while lengthy, are very informative – essentially, “we could follow the standards but we just don’t have time for that now.”
In addition, they “punted” on offering any governance framework or identity binding.
There have also been substantive discussions in the GHP working groups about QR codes – Canada drafted a position paper on QR codes and privacy that makes the standard of compliance a non-trivial effort.
Speaking from the Health IT perspective, the Smart Health Cards framework is also in development, meaning it’s not an HL7-balloted Implementation Guide.

Best regards,
Jim St.Clair
Chief Trust Officer<> | 228-273-4893
Let’s meet to discuss patient identity exchange:

From: Kaliya IDwoman <>
Sent: Saturday, June 19, 2021 8:27 PM
To: Heather Vescent <>
Cc: W3C Credentials CG (Public List) <>
Subject: Re: California Digital Vaccine Record based on VCs

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

Well the are sort of VCs.
But if you talk with Manu he can explain that despite being developed primarily by Josh Mandel at MSFT - its not even conformant with the Identity side of MSFT's version of JSON-JWTs.

The other big issue with their format and modality is that they are coming from Health Care IT  - where they move around patient records between HIPAA protected entities. They are used to sharing a lot of data with entities about people and literally never worrying about privacy issue related to how much data is disclosed or even considering how you might empower citizens to withhold some information - with all the work we have done on Selective Disclosure capabilities - they were not interested in at all.

They format is also QR code oriented and QR codes that are signed and shared are "the document" - the Verifiable Credential - rather then a proof of position as we have worked so hard on with the VErifiable Presentation format that proves you own the thing - but doesn't give the actual thing to the verifier.

If you want to entertain yourself reading through closed issues where folks in our communities raised issues with VCI - I recommend it.

Based on feedback and a write up by John Jordan submitted into the Good Health Pass working group at ToIP I began a document "The Dangers of Using QR Codes for Data About People"

I'll share a link - its not complete but the meet of the article is there

On Fri, Jun 18, 2021 at 10:09 AM Heather Vescent <<>> wrote:
May be of interest:

SMART Health Card Framework:

To achieve this purpose, the founding members of VCI™ have collaborated to develop (1) the SMART Health Cards Framework Implementation Guide based on the World Wide Web Consortium (W3C) Verifiable Credential and Health Level 7 (HL7) SMART on FHIR standards, and (2) the SMART Health Cards: Vaccination & Testing Implementation Guide.

If you are in California, you can get your vaccine record here:

(The system seems delayed for me.)

Heather Vescent<>
Co-Chair, Credentials Community Group @W3C<>
President, The Purple Tornado, Inc<>
Author, The Secret of Spies<>
Author, The Cyber Attack Survival Manual<>
Author, A Comprehensive Guide to Self Sovereign Identity<>

@heathervescent<> | Film Futures<> | Medium<> | LinkedIn<> | Future of Security Updates<>

Received on Monday, 21 June 2021 19:42:05 UTC