Re: New Zealand - W3C VC/DID based Vaccine Pass, Verifiers ...

From: Tobias Looker <tobias.looker@mattr.global>
Date: Thu, 11 Nov 2021 07:07:33 +0000
To: Markus Sabadello <markus@danubetech.com>, "public-credentials@w3.org" <public-credentials@w3.org>
Message-ID: <SY4P282MB127406AC440A8933E4ABF2F99D949@SY4P282MB1274.AUSP282.PROD.OUTLOOK.COM>
Thanks all, been an exciting project to be a part of.

> The JSON-LD context URL https://nzcp.covid19.health.nz/contexts/v1 can't be dereferenced (but the context is provided in the specification, so no problem).

Thanks for catching, I will rectify.

> The CWT choice probably makes sense, just curious if CBOR-LD has been considered at some point in the project?


Yes, we are supporters of the vision of CBOR-LD; however, for this project the need for a more established proof format / data encoding method led to the selection of CWT.


> Interesting how the pass contains givenName, familyName, dob, and no other claims.


Essentially for privacy reasons, the claims contained are only those sufficient to associate the pass to a photo ID if required.


> The subject doesn't have a DID?


That's correct; an NZCP is effectively a bearer credential designed to be rendered/presented directly from a QR code. Credential subject authentication is done by presenting the credential in conjunction with a valid photo ID.


> Given the previous two points, I assume this means that a holder would typically have to present this VC together with some other form of ID? Any privacy concerns here?


See above; yes, if the verifier is concerned that the presenter is attempting to impersonate the actual credential subject, photo ID could be required.


> Agree with David that did:web could be replaced with https://. Domain names are not "decentralized identifiers" in the classic sense. But did:web still has its use insofar as it applies the common DID syntax, data model, and resolution interface to domain names.


Yes, agreed, but as you pointed out, Markus, that's exactly why we used did:web: because of the common data model, identifier syntax and resolution contract.


Thanks,

Tobias Looker

MATTR
CTO

+64 (0) 27 378 0461
tobias.looker@mattr.global

________________________________
From: Markus Sabadello <markus@danubetech.com>
Sent: 11 November 2021 18:23
To: public-credentials@w3.org <public-credentials@w3.org>
Subject: Re: New Zealand - W3C VC/DID based Vaccine Pass, Verifiers ...

Looks great.. Few comments/questions:

- The JSON-LD context URL https://nzcp.covid19.health.nz/contexts/v1 can't be dereferenced (but the context is provided in the specification, so no problem).

- The CWT choice probably makes sense, just curious if CBOR-LD has been considered at some point in the project?

- Interesting how the pass contains givenName, familyName, dob, and no other claims.

- The subject doesn't have a DID?

- Given the previous two points, I assume this means that a holder would typically have to present this VC together with some other form of ID? Any privacy concerns here?

- Agree with David that did:web could be replaced with https://. Domain names are not "decentralized identifiers" in the classic sense. But did:web still has its use insofar as it applies the common DID syntax, data model, and resolution interface to domain names.

Anyway, congratulations NZ and MATTR!

Markus

On 08.11.21 20:54, John, Anil wrote:

Congratulations to the Ministry of Health New Zealand on choosing W3C Verifiable Credentials and W3C Decentralized Identifiers as the basis of their roll out of the “NZ COVID Pass”:



The New Zealand COVID Pass is a cryptographically signed document which can be represented in the form of a QR Code that enables an individual to express proof of having met certain health policy requirements in regards to COVID-19 such as being vaccinated against the virus.



The QR code is assembled using existing open specifications.



- Underlying data model based on W3C Verifiable Credentials
- Each pass has an expiry date (exp) and not before date (nbf)
- Issuer uses DID:WEB identifiers to resolve the public key used to verify the pass digital signature.
- CBOR Web Token (CWT) is the cryptographic structure used to represent claims in the pass, which uses Concise Binary Object Representation (CBOR) and CBOR Object Signing and Encryption (COSE). CWT is derived from JSON Web Tokens (JWTs), but is more compact.
- ECDSA with P-256 for the digital signature algorithm
- Base32 encoding of CWT into QR code in Alphanumeric mode, using a prefix of NZCP:/ and a version number. Some manipulation of the Base32 may be required when decoding.





Press release @ https://www.health.govt.nz/news-media/media-releases/technical-information-published-support-covid-19-vaccine-pass-and-verifiers

Technical Specification @ https://nzcp.covid19.health.nz/

Documentation @ https://github.com/minhealthnz/nzcovidpass-spec



I am always happy when a fellow public service entity makes a conscious choice to support openly developed, global, royalty free and free to use standards and specifications in their technical implementations to ensure equity, access and global interoperability!



Oh … In case you miss it, they are deploying DID:WEB in production! Way to go!



Needless to say – Congratulations also to the entire MATTR team << Read the NZ Gov press release : -)



Best Regards,



Anil



Anil John

Technical Director, Silicon Valley Innovation Program

Science and Technology Directorate

US Department of Homeland Security

Washington, DC, USA



Email Response Time – 24 Hours

Received on Thursday, 11 November 2021 07:07:54 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:25:24 UTC
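
The QR payload layout summarised in the announcement quoted above (NZCP:/ prefix, version number, Base32 that needs "some manipulation", CWT with nbf and exp) can be unpacked as in the following added example, which is not code from the thread, from MATTR or from the NZCP specification. The function names, the decision to accept only version "1", the expectation of a tag-18 COSE_Sign1 wrapper and the claim keys 4 and 5 (exp and nbf in RFC 8392) are assumptions of this example, and the sample pass is constructed. The ECDSA P-256 signature check against the issuer's did:web key is not performed here and has to succeed before any claim is trusted.

```python
import base64
import re

def decode_qr_payload(qr: str) -> bytes:
    """Strip NZCP:/<version>/ and restore the '=' padding QR alphanumeric mode cannot carry."""
    match = re.fullmatch(r"NZCP:/1/([A-Z2-7]+)", qr)  # only version 1: assumption
    if not match:
        raise ValueError("not an NZCP version 1 payload")
    return base64.b32decode(match[1] + "=" * (-len(match[1]) % 8))

def cbor(buf: bytes, i: int = 0):
    """Minimal definite-length CBOR reader: returns (value, next_index)."""
    major, info, i = buf[i] >> 5, buf[i] & 0x1F, i + 1
    if info >= 28 or major >= 6:
        raise ValueError("unsupported CBOR item")
    if info >= 24:                      # argument follows in 1, 2, 4 or 8 bytes
        size = 1 << (info - 24)
        info, i = int.from_bytes(buf[i:i + size], "big"), i + size
    if major < 2:                       # unsigned / negative integer
        return (info if major == 0 else -1 - info), i
    if major < 4:                       # byte string / text string
        return (buf[i:i + info] if major == 2 else buf[i:i + info].decode()), i + info
    items = []                          # array, or map read as key/value pairs
    for _ in range(info * (2 if major == 5 else 1)):
        value, i = cbor(buf, i)
        items.append(value)
    return (dict(zip(items[::2], items[1::2])) if major == 5 else items), i

def unverified_claims(qr: str) -> dict:
    """Parse the CWT claims map. The COSE signature is NOT checked here."""
    raw = decode_qr_payload(qr)
    try:
        sign1, end = cbor(raw, 1)       # byte 0 must be COSE_Sign1 tag 18, checked below
        payload = sign1[2] if isinstance(sign1, list) and len(sign1) == 4 else None
        claims, claims_end = cbor(payload)
        complete = isinstance(payload, bytes) and (end, claims_end) == (len(raw), len(payload))
    except (LookupError, TypeError, RecursionError) as exc:
        raise ValueError("malformed CWT") from exc
    if raw[:1] != b"\xd2" or not complete or not isinstance(claims, dict):
        raise ValueError("not a tagged COSE_Sign1 carrying a claims map")
    return claims

def in_validity_window(claims: dict, now: int) -> bool:
    """True only when nbf <= now < exp; a pass missing either date is rejected."""
    nbf, exp = claims.get(5), claims.get(4)  # CWT claim keys from RFC 8392
    return isinstance(nbf, int) and isinstance(exp, int) and nbf <= now < exp

# Constructed sample: iss=did:web:example.test, nbf=1000, exp=2000, zeroed 64-byte signature.
SAMPLE_CWT = b"\xd2\x84\x43\xa1\x01\x26\xa0\x58\x1f\xa3\x01\x74did:web:example.test\x05\x19\x03\xe8\x04\x19\x07\xd0\x58\x40" + bytes(64)
SAMPLE_QR = "NZCP:/1/" + base64.b32encode(SAMPLE_CWT).decode().rstrip("=")
```

`now` is Unix time in seconds, the same unit CWT uses for nbf and exp. Truncated payloads are rejected because both the outer structure and the claims map must consume their input exactly.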