A few observations about digital vaccination certificates:

* It's really just a static QR code, you can import it into your app, but you can also make a picture of it and save it into your phones gallery. Or carry the original paper copy around.
* This unfortunately means it's easy to "steal" other peoples certificates by just scanning their code when they have it open in their app.
* The certificate will not be for your name but will that *always* be verified?

* /#CCTG don't currently verify the cryptographic validity of the scanned cert. (They are not meant for vaccination status verification, the app is for that) but this is still unfortunate as you really want to check your own cert's validity before presenting it.

* It's really not acceptable that the source code of and is not yet published.

Those apps used in the wild as of yesterday and you cannot really study or verify them yet. I'd really like to check implementation details of the certificate validation in them... 😕

Also (assuming they build reproducibly) they should be made available through f-droid, ideally identical with the upstream developers signature but veryfied to build from the published sources by an independent party. This is not possible without published sources obviously.

We did manage to do the right thing with . Why is it so hard to keep doing that? 😠


You currently need to use the closed source (👎) or to verify the validity of your own certificate (or ugh, read the spec and do it manually I guess... this seems to be collecting relevant docs:

If you've done that you can use to carry around the code, or just make a photo of it, or whatever, it doesn't really matter. 🤷.

Let's hope CWA addw the verification part in one of the next versions or the CovPass sources are published...😕

One benefit of storing the certificate inside CWA/CCTG instead of having it as a picture on your phone is that it's harder to access by other apps. If you run untrusted apps on your phone (i.e. installing stuff from playstore instead of foss apps by trusted developers through a trusted distribution channel) then this might be a preferable option.

@Bubu In France the problem is the same, but we already know that the implementations leaks to much personal data

@Bubu In case it helps answering your specific question, the certificate validation is likely the same as in the reference implementation of the spec:

> The certificate will not be for your name but will that *always* be verified?

What does that mean? Is the code not associated to the person at all?

@timokoesters The code contains the full name of the vaccinated person (alongside vaccination date and vaccination type). It's meant to be cross-checked against the Personalausweis of the person presenting the certificate.

@Bubu Deiner Kritik kann ich folgen. Doch was empfiehlst Du? Papierimpfpass? CCTG? CovPass? . . . ?

@oldie Siehe oben. Papierimpfpass scheint nicht die schlechteste Idee für den Moment, wenn man keine closed source software verwenden will... 😞.

Ich hoffe aber wirklich, dass das in 2 Wochen oder so schon besser aussieht!

@Bubu Meinst Du mit dem besser aussehen Deine Aussage in dem Beitrag von @Bianca Kastl?

Leider scannt die Corona-Warn-App im Moment problemlos nicht korrekt signierte Zertifikate und präsentiert sie als gültig. (CovPass und CovPassCheck lehnen sie dann korrekt als invalid ab.)

@oldie Nein, ich meinte, dass es dann eine freie implementierung gibt seinen eigenen QR code zu validieren und sich dann sicher damit sein zu können, einfach den QR code mit sich rumzutragen.

@Bubu Genau so wie mich die politischen und sozialen Folgen von Corona verwirren, verwirren mich die technischen Umsetzungen.

Da denke ich, ich hätte etwas verstanden, nur um zu verstehen, dass ich nichts verstanden habe. Was zum Teufel ist denn nun eine "freie Implementierung"? 🙄
a) Bieten die durch die Apotheken ausgestellten Impfnachweise noch keine endgültige Sicherheit, weil sie die Authentizität nicht prüfen?
b) Oder sind diese Nachteile in der CWA/CCTG begründet?

@oldie @Bubu endgültige Sicherheit für was? Mit einem gefälschten impfpass wirst du einen echten code bekommen. Apps zum prüfen ob ein code richtig signiert ist werden bestimmt viele auftauchen.

Sign in to participate in the conversation – a Fediverse instance for & by the Chaos community