RE: Digital Vaccination Certificates -- Here Be Dragons!

Hi Oliver,

I anticipate providing a concrete answer later this month after we analyze and verify the results of our next cross-platform / cross-vendor interop plug-fest.

As you know, a hard contractual requirement for our 8 portfolio companies who are working with DID/VC ecosystem tech is to truly demonstrate interoperability (rather than self-attest to standards/interop) across their very diverse implementations.

The feature-sets we are focused on this time include what we already proved back in May 2020 ( https://lists.w3.org/Archives/Public/public-credentials/2020Jun/0100.html ) + verifiable credential aggregation using verifiable presentation, revocation with herd privacy, and much more which REQUIRES us to show that the choices we make work for real across diverse platforms/tech-stacks.

I prefer to share those real results, when we have them, rather than make paper/marketing statements that cannot be backed up by reality.

Best Regards,

Anil


From: Oliver Terbu <oliver.terbu@mesh.xyz>
Sent: Monday, March 1, 2021 7:46 AM
To: Adrian Gropper <agropper@healthurl.com>
Cc: John, Anil <anil.john@hq.dhs.gov>; public-credentials@w3.org
Subject: Re: Digital Vaccination Certificates -- Here Be Dragons!

Thank you very much for sharing and I'm glad to see the community is getting more aligned.

The slides are great, but could you please provide an example of a W3C Verifiable Presentation (VP)? I'm interested where you landed there technology-wise. Many people might be interested in how holder-binding is achieved. There are two popular approaches I did observe in our community:
- Linked Secrets
- DID Auth (using one of the authentication keys from the DID Doc in the VP proof)

If it is Linked Secrets I would be really interested in an implementation of using BBS+ for VPs that have holder binding and I'm also interested in the data model that is used for the proof in the VP.

Thanks,
Oliver

On Sat, Feb 27, 2021 at 9:43 PM Adrian Gropper <agropper@healthurl.com> wrote:
Let's heed Bruce Lee while considering the REQUIRED constraints.

A vaccine certificate is a human right. Making them accessible to everyone regardless of their fear of technology or government protects us all.

Can we stipulate that various credential formats will be coded as standard VCs and that paper cards are private and accessible enough?

Can we stipulate that issuers and verifiers benefit from technology much more than the subjects? They are getting paid, are licensed, maybe federated, and depend on efficiency to stay competitive. In the case of vaccines, at least, standards are a pure win for the issuers and verifiers.

The question then becomes: What is the digital infrastructure "good enough" to meet these constraints?

  *   Who will fund this human right infrastructure?
  *   Will this infrastructure also deal with COVID testing on day one?
  *   Do subjects need a digital identity on day one or can we link vaccines (and tests) to legacy (paper) credentials?

- Adrian



On Sat, Feb 27, 2021 at 2:07 PM John, Anil <anil.john@hq.dhs.gov> wrote:
I am watching with dismay the swirling whirlpool of confusion that is being driven by a combination of good intentions, desperation, competing interests and self-interest around the domain of Digital Vaccination Certificates.

I do not work for a public health agency, so have no perspective, remit or authorities when it comes to the authoritativeness of the data and the specific elements that would need to feed a digital VaxCert representation.  I defer to the experts at our U.S. CDC and the WHO that have this remit to inform and influence this in a manner that incorporates the broadest possible public interest equities.

However, as you all know, we have done extensive public work (5+ years and counting to date) to ensure that technical implementations of solutions that could support digital VaxCerts (and many other things) are not developed in a manner that enables “walled gardens” or closed technology platforms that do not support common standards for security, privacy, and data exchange.  In particular, as a potential future consumer of digital VaxCerts, we have a vested interest in ensuring the global interoperability of such solutions.

Over the last number of months we have been bombarded with a singular question “What are the lessons learned or feedback you could share from your interoperability journey that *may* be relevant here?”

The answer to this in general has three aspects:

  1.  Expect and anticipate breakage, but don’t let the perfect be the enemy of the good
  2.  Everyone is not going to get everything they want right now
  3.  Real interoperability REQUIRES constraints!

Because I believe that this is an important conversation, I figure I would put together some high level slideware that synthesizes and shares the answers I have provided directly to those who have asked.  I am not in the hearts and minds business, so consider this in the spirit of the quote from Bruce Lee – “Absorb what is useful, Discard what is not, Add what is uniquely your own.”

Happy to chat to share our mistakes, so that you don’t need to repeat them, with those who have a public interest focus in this area.

Best Regards,

Anil

Anil John
Technical Director, Silicon Valley Innovation Program
Science and Technology Directorate
US Department of Homeland Security
Washington, DC, USA

Email Response Time – 24 Hours

[https://www.dhs.gov/science-and-technology/svip]

Received on Monday, 1 March 2021 13:23:30 UTC