Although the EU’s approach to COVID-19 health certificates (the Digital Green Certificate) implements existing technology and supports both paper and digital credentials, offline usage, and speedy verification, it makes a number of security and privacy compromises. Our analysis found it to be inherently centralised and better suited for low assurance use cases.
The EU has announced a program called “Digital Green Certificate” intended to provide proof of COVID-19 test or vaccination status for EU citizens. The intention is to “facilitate safe and free movement during the COVID-19 pandemic within the EU”. It is voluntary and free for citizens.
This is an analysis of the EU program and how it compares to a digital credential based approach. Important: this analysis is focused on the technical aspects of the EU program, not the medical or political aspects.
Summary of Features
- The EU program enables both paper and digital formats.
- There are three data sets or “certificates”:
- Test result status holding details of a recent test.
- Vaccine status holding details of which vaccine was administered, when and by whom.
- “Recovery” status holding details of a previous positive test.
- The certificates will be in the form of a QR code containing the data and a digital signature of the issuing body.
- Each certificate issuer will have their issuer keys stored in a database in their country.
- The country database will also serve as a list of authorised issuers.
- The EU will build a central gateway to enable one country to verify signatures from issuers located in another country.
- When a verifier scans a QR code, it will reveal all the data attributes in the certificate together with the issuer signature. The verifier will then retrieve the issuer keys from the issuer’s country database to check if the signature is valid (and therefore the data is authentic).
- Certificates will be free to obtain.
- A Trust Framework has been developed to describe interoperability.
- Issuer keys can be cached at the verifier to allow offline workflow.
- There is a list of authorised verifiers which will be maintained at country level.
- There will be the ability (in a second phase) for verifiers to directly contact issuers to verify a certificate signature.
- Existing certificate authorities will be used for the creation of issuer signing certificates.
- Each EU country will implement at least one issuing service and there could be many per country.
- Each country will be able to revoke certificates that have been issued. Revoked certificate lists will be published on the country database and digitally signed by the country’s public health authority.
- Each country must provide an online verification web-app. There will be only one per country.
- Each country must provide one and only one verification endpoint. There will also be a telephone-based verification service per country.
- The verifier fetches signing keys from the EU’s public key directory/gateway that will be built. A verifier will automatically trust all keys fetched from this directory.
- Trust Framework 5.2: “A decision about W3C Verifiable Credentials is to be made later”
- Offline verification will be incorporated from day 1. No access to external resources will be required once the issuer key database has been downloaded.
- Online verification (verifier contacts issuer) will be supported in version 2.
Digital Green Certificate Architecture Overview
Comparison with Verifiable Credentials
- The EU approach does not support selective disclosure, i.e. allowing a subset of attributes from a credential to be used without revealing all the data in the credential. Trust Framework 6.2: “Adding data encryption of individual fields would increase complexity associated with key management.”
- Compound proofs are not supported (i.e., one cannot extract attributes from multiple credentials and use them in a single verification transaction).
- There is no physical ID of the person (certificate holder) in the EU model. There is no photo or biometric information that a verifier could use to bind the person standing in front of them to the certificate being presented. The certificate would need to be combined with another doc held by the person using some matching attributes such as name, DoB or citizen ID, and photo.
- There appears to be no protection against photocopying or cloning a paper-based or digital based certificate. A screenshot of a friend’s certificate would be usable at a verifier.
- The “Unique Vaccination Certificate Identifier” (UVCI) and the issuer’s signature on each certificate will act as perfect correlators for each citizen, allowing their activities to be correlated everywhere they present their certificate.
- The Trust Framework says “The design should prevent the collection of identifiers or other similar data which might be cross-referenced with other data and re-used for tracking (‘Unlinkability’).” However the UVCI and issuer signature are perfect correlators.
- The fact that there will be a limited number of approved verifiers (one per country) should limit this, but it would be fairly simple for a third party to capture images of presented certificates using a layer on top of a verification web-app and execute cloning or analysis of citizen data.
- It is not possible to present a certificate without the verifier being able to read all details, such as name and date of birth, which will be irrelevant for many transactions.
- Direct contact from the verifier to the issuer is envisaged (not in the first phase), which would presumably allow an issuer to track the activities of holders, even though this may not be intended.
- Offline verification is supported, which is not the case with Verifiable Credentials at the moment.
- Simple digital signature technology is well proven.
- The integrity of each country’s issuer database is crucial. Breach of any one of them would permit fake issuers to be set up.
- It will be fairly easy for country issuers to issue these certificates as verifiable credentials at the same time as they issue certificates in this format.
- It will be fairly easy for simple verifier web-apps to be used to check verifiable credentials as well as to check these simpler certificates.
The EU’s Digital Green Certificate initiative will certainly help to get people moving. It provides a way to quickly and efficiently scan a piece of paper or a phone screen to check someone’s health status. However, it lacks the privacy, security, and flexibility of a full verifiable credentials solution. Cloning, photocopying and screen-shotting of Green Certificate credentials will take place. Third parties will also likely be able to read personal details from QR codes. This is the tradeoff for the simpler approach being adopted.
We think that a hybrid approach will work well, with the EU solution being suitable for low-assurance use cases, and a verifiable credential solution working very well for higher assurance use cases. Both can be combined in an app, and a credential/certificate issuer could issue both Green Certificate certificates and verifiable credentials simultaneously.
At Evernym, we remain committed to the highest levels of privacy and security for people and organisations, and we look forward to helping the EU team to enable Digital Green Certificates to become true verifiable credentials.
Start building with Evernym
If you are developing a Digital Green Certificate app and want to make it interoperable with verifiable credentials, we can help. Our Mobile SDK can be embedded in any Android or iOS app to bring you full verifiable credential functionality.