Re: EU Health sertificates

Calling home is a fail from the start. Even ZKP may be hard to explain to
suspicious folks.

The point of my proposal is separation of concerns so you only need to
justify the specific, incremental technologies and governance issues as you
need to add them. Paper credentials and paper driver's licenses as
infrastructure do that pretty well. VC can add to that and avoid forgery
without compromising the separation of concerns.

Adrian

On Fri, May 7, 2021 at 10:46 AM Jim St.Clair <jim.stclair@lumedic.io> wrote:

> The credential structure (last I checked) lacked ZKP/selective disclosure
> and required the VC to “phone home” for each instance, creating the pattern
> of identifiability noted below (if I’m wrong, feel free to note it)
>
> Best regards,
>
> Jim
>
> *_______________*
>
>
>
> *Jim St.Clair *
>
> Chief Trust Officer
>
> jim.stclair@lumedic.io | 228-273-4893
>
> *Let’s meet to discuss patient identity exchange*:
> https://calendly.com/jim-stclair-1
>
>
>
> *From:* Adrian Gropper <agropper@healthurl.com>
> *Sent:* Friday, May 7, 2021 9:45 AM
> *To:* Jim St.Clair <jim.stclair@lumedic.io>
> *Cc:* Credentials CG <public-credentials@w3.org>; Snorre Lothar von
> Gohren Edwin <snorre@diwala.io>
> *Subject:* Re: EU Health sertificates
>
>
>
> @Jim, what’s the same problem?
>
>
>
> On Fri, May 7, 2021 at 9:35 AM Jim St.Clair <jim.stclair@lumedic.io>
> wrote:
>
> The problem Adrian describes is the same problem with the proposed
> structure of the current VCI Smarthealth.cards model too, which has support
> from the largest Health IT vendors…
>
> *From:* Snorre Lothar von Gohren Edwin <snorre@diwala.io>
> *Sent:* Friday, May 7, 2021 5:23 AM
> *To:* Adrian Gropper <agropper@healthurl.com>
> *Cc:* Credentials CG <public-credentials@w3.org>
> *Subject:* Re: EU Health sertificates
>
> Interesting, thanks for sharing!
>
>
>
> If anyone else has some thoughts on this I would love to hear them!
>
> On Thu, May 6, 2021 at 6:07 PM Adrian Gropper <agropper@healthurl.com>
> wrote:
>
> It's the same issue you have if you show your driver's license to 10 bars.
> Can you be sure the verifier isn't taking and storing photos with a
> surveillance camera (they almost always are)? There's no need for the
> verifier in #1 to call "home" or store anything if all they want to check
> is the authenticity of the credential but managing ambient surveillance is
> a completely different issue unrelated to the purpose of the VC.
>
>
>
> See https://github.com/w3c/did-use-cases/pull/140 for a thread on
> Ambient Surveillance.
>
>
>
> - Adrian
>
>
>
> On Thu, May 6, 2021 at 11:11 AM Snorre Lothar von Gohren Edwin <
> snorre@diwala.io> wrote:
>
> No, #1 is also what I have suggested, but I just need to make sure my
> arguments are sound 😅
>
> But it still does not avoid correlatability on ID, if that even is a
> problem? Meaning I use my paper cert at 10 places, and I can be pinned to
> 10 places. Is that a privacy/correlatability/tracking issue?
>
> On Thu, May 6, 2021 at 4:40 PM Adrian Gropper <agropper@healthurl.com>
> wrote:
>
> Hi Snorre,
>
>
>
> There are many tech enhancements that can be applied in any of the 10
> concerns. My goal was not perfection but rather a framing for how to talk
> about the 10 concerns as separately as possible.
>
>
>
> For example, is there any major reason not to do #1?
>
>
>
> - Adrian
>
>
>
> On Thu, May 6, 2021 at 7:20 AM Snorre Lothar von Gohren Edwin <
> snorre@diwala.io> wrote:
>
> Have there been any thoughts on flows for how this could work? Like this
> one?
>
>
>
> A solution without pairings, where one can give a range-proof for date.
>
> Online registration with FHI (Norwegian trusted authority):
> 1. commit to ID, validity period, and status "protected"
> 2. ZK proof of known opening
> 3. FHI signs commitment
> 4. build this into QR
> 5. print certificate
>
> Offline verification by player:
> 1. scan QR
> 2. check signature
> 3. check ZK proof
> 4. check ID
> 5. approve / reject
>
> On Thu, May 6, 2021 at 1:13 PM Snorre Lothar von Gohren Edwin <
> snorre@diwala.io> wrote:
>
> Thanks Adrian!
>
>
>
> In terms of this:
>
> "4. Privacy
>
> Patients can be vaccinated anonymously while still producing authentic
> credentials as described in #1-3 above. However, being able to track
> patients across time provides valuable additional information. This
> includes the emergence of variants, vaccine efficacy in various contexts,
> side-effects, and long-term health impact.  Technology for tracking people
> across time while preserving privacy is already deployed to assist with
> contact tracing. The de-identified individuals can only be tracked with
> their informed authorization. Privacy-by-default tracking as a feature of
> digital credentials is practical given planning and coordination."
>
>
>
> How do you keep privacy when you start discussing ID correlation over
> time? If you use this piece of paper that is not possible to switch out
> easily, or can be with a printing tool online. But has any thought
> gone into that?
>
> On Thu, May 6, 2021 at 1:05 PM Adrian Gropper <agropper@healthurl.com>
> wrote:
>
>
> https://blog.petrieflom.law.harvard.edu/2021/05/05/design-considerations-vaccine-credentials/
>
>
>
> - Adrian
>
>
>
> On Thu, May 6, 2021 at 6:59 AM Snorre Lothar von Gohren Edwin <
> snorre@diwala.io> wrote:
>
> Just wanted to follow up on this. What are people's thoughts on this QR
> representation and that it is not using VC or DID-related technology?
>
> But it is using CBOR and other technology mentioned in this list before.
>
> On Tue, May 4, 2021 at 9:38 AM Snorre Lothar von Gohren Edwin <
> snorre@diwala.io> wrote:
>
> Hi! I wonder if anyone on this list has been involved in the work of this:
> https://github.com/ehn-digital-green-development/hcert-spec
>
> I just cannot see any reference to what this group works so hard at
> achieving. Or have they only taken inspiration and basically just use
> different terminology for what might be similar?
>
>
>
> --
>
> *Snorre Lothar von Gohren Edwin*
>
> Co-Founder & CTO, Diwala
>
> +47 411 611 94
> www.diwala.io

Received on Friday, 7 May 2021 15:18:45 UTC
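
Added example, not part of the thread or of any project mentioned in it: a sketch of the commit / prove / sign / offline-verify flow quoted above, showing that the verifier needs only the issuer's public key and never calls home. The thread names no concrete scheme, so the Pedersen commitment, Schnorr-style proof and signature, the toy group parameters and all function names are assumptions; the range proof on the date and the in-person ID check are left out.

```python
import hashlib
import secrets

# Toy group, constructed for illustration only (far too small for real use):
# P = 2Q + 1 is a safe prime; G and H lie in the subgroup of prime order Q.
# A real deployment needs H with unknown discrete log relative to G.
P, Q, G, H = 2039, 1019, 4, 9

def to_scalar(*parts):
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def commit(attrs, r):
    """Registration step 1: C = G^m * H^r, m derived from (ID, validity, status)."""
    return pow(G, to_scalar(*attrs), P) * pow(H, r, P) % P

def prove_opening(attrs, r, C):
    """Step 2: Fiat-Shamir proof of knowledge of the opening (m, r) of C."""
    a, b = secrets.randbelow(Q), secrets.randbelow(Q)
    T = pow(G, a, P) * pow(H, b, P) % P
    c = to_scalar("open", C, T)
    return T, (a + c * to_scalar(*attrs)) % Q, (b + c * r) % Q

def check_opening(C, proof):
    T, s1, s2 = proof
    c = to_scalar("open", C, T)
    return pow(G, s1, P) * pow(H, s2, P) % P == T * pow(C, c, P) % P

def issuer_sign(sk, C, proof):
    """Step 3: the issuer signs C (Schnorr signature) only if the proof holds."""
    if not check_opening(C, proof):
        raise ValueError("proof of opening rejected")
    k = secrets.randbelow(Q - 1) + 1
    R = pow(G, k, P)
    return R, (k + to_scalar("sig", R, C) * sk) % Q

def verify_offline(issuer_pk, qr):
    """Offline steps 2-3: needs only the issuer public key, no network call."""
    C, (R, s), proof = qr
    sig_ok = pow(G, s, P) == R * pow(issuer_pk, to_scalar("sig", R, C), P) % P
    return sig_ok and check_opening(C, proof)

def demo():
    sk = secrets.randbelow(Q - 1) + 1                   # issuer key pair
    pk = pow(G, sk, P)
    attrs = ("ID-0001", "2021-05-01/2021-11-01", "protected")  # constructed sample
    r = secrets.randbelow(Q)
    C = commit(attrs, r)
    proof = prove_opening(attrs, r, C)
    qr = (C, issuer_sign(sk, C, proof), proof)          # step 4: QR payload
    tampered = (C * G % P, qr[1], proof)
    return verify_offline(pk, qr), verify_offline(pk, tampered)
```

The QR payload is byte-identical at every presentation, so the commitment and signature act as a stable identifier across verifiers; this sketch does not address that correlation question.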