A few observations about digital vaccination certificates:

* It's really just a static QR code, you can import it into your app, but you can also make a picture of it and save it into your phone's gallery. Or carry the original paper copy around.
* This unfortunately means it's easy to "steal" other people's certificates by just scanning their code when they have it open in their app.
* The certificate will not be for your name but will that *always* be verified?


* /#CCTG don't currently verify the cryptographic validity of the scanned cert. (They are not meant for vaccination status verification, the app is for that) but this is still unfortunate as you really want to check your own cert's validity before presenting it.


* It's really not acceptable that the source code of and is not yet published. github.com/Digitaler-Impfnachw

Those apps are used in the wild as of yesterday and you cannot really study or verify them yet. I'd really like to check implementation details of the certificate validation in them... 😕

Also (assuming they build reproducibly) they should be made available through f-droid, ideally identical with the upstream developer's signature but verified to build from the published sources by an independent party. This is not possible without published sources obviously.

We did manage to do the right thing with . Why is it so hard to keep doing that? 😠

@Bubu In France the problem is the same, but we already know that the implementations leak too much personal data

@Bubu In case it helps answering your specific question, the certificate validation is likely the same as in the reference implementation of the spec: github.com/eu-digital-green-ce


chaos.social – a Fediverse instance for & by the Chaos community