A few observations about digital vaccination certificates:
* It's really just a static QR code, you can import it into your app, but you can also take a picture of it and save it into your phone's gallery. Or carry the original paper copy around.
* This unfortunately means it's easy to "steal" other people's certificates by just scanning their code when they have it open in their app.
* The certificate will not be for your name but will that *always* be verified?
* It's really not acceptable that the source code of #CovPass and #CovPassCheck is not yet published. https://github.com/Digitaler-Impfnachweis/documentation/issues/6
Those apps are used in the wild as of yesterday and you cannot really study or verify them yet. I'd really like to check implementation details of the certificate validation in them... 😕
Also (assuming they build reproducibly) they should be made available through f-droid, ideally identical with the upstream developer's signature but verified to build from the published sources by an independent party. This is not possible without published sources obviously.
We did manage to do the right thing with #CWA. Why is it so hard to keep doing that? 😠
You currently need to use the closed source (👎) #CovPass or #CovPassCheck to verify the validity of your own certificate (or ugh, read the spec and do it manually I guess... this seems to be collecting relevant docs: https://github.com/stealth/greenday)
If you've done that you can use #CCTG to carry around the code, or just take a photo of it, or whatever, it doesn't really matter. 🤷.
Let's hope CWA adds the verification part in one of the next versions or the CovPass sources are published...😕
One benefit of storing the certificate inside CWA/CCTG instead of having it as a picture on your phone is that it's harder to access by other apps. If you run untrusted apps on your phone (i.e. installing stuff from playstore instead of foss apps by trusted developers through a trusted distribution channel) then this might be a preferable option.
@Bubu In France the problem is the same, but we already know that the implementation leaks too much personal data
@rami Then I'll take a look at https://github.com/eu-digital-green-certificates/dgca-verifier-app-android.
> The certificate will not be for your name but will that *always* be verified?
What does that mean? Is the code not associated to the person at all?
@timokoesters The code contains the full name of the vaccinated person (alongside vaccination date and vaccination type). It's meant to be cross-checked against the Personalausweis of the person presenting the certificate.
@oldie See above. A paper vaccination booklet doesn't seem like the worst idea for the moment if you don't want to use closed source software... 😞.
But I really hope this will look better in 2 weeks or so!
Unfortunately, the Corona-Warn-App currently scans certificates that are not correctly signed without any problem and presents them as valid. (CovPass and CovPassCheck then correctly reject them as invalid.)
@oldie No, I meant that there will then be a free implementation for validating your own QR code, so that you can be sure about simply carrying the QR code around with you.
@oldie Publishing the source code of the CovPass apps, see here: https://github.com/Digitaler-Impfnachweis/documentation/issues/6
chaos.social – a Fediverse instance for & by the Chaos community