Vax Passport tip

[LordEd]

This here is literally the data within the QR code once fully decoded:

viewtopic.php?p=2884800#p2884800

I'm still confused, then - the post you've referenced here says

"You can verify its the right person by checking their picture ID that the name and birthdate match."

but then, when scanning in airplane mode:

"Name and vax status only. No birthdate or vax details shown."

I was wrong that the birthdate was shown. I didn't have the app at the time. So name only.

[rustled]

I'm still confused, then - the post you've referenced here says

"You can verify its the right person by checking their picture ID that the name and birthdate match."

but then, when scanning in airplane mode:

"Name and vax status only. No birthdate or vax details shown."

I was wrong that the birthdate was shown. I didn't have the app at the time. So name only.

Thanks.

[rustled]

Break this down a bit

{
"header": { First part of the message. This is not compressed
"alg": "ES256", Signing algorithm. SHA256 with ECDSA (asymmetric key)
"zip": "DEF", Payload is compressed using "deflate" algorithm
"kid": "XCqxdhhS7SWlPqihaUXovM_FjU65WeoBFGc_ppent0Q" Thumbprint of the key
},
"payload": {
"iss": "https://smarthealthcard.phsa.ca/v1/issuer", Issuer URL
"nbf": 1630885634, "not before date". Timestamp in seconds since 1970-01-01
"vc": { Verifiable credentials
"type": [
"https://smarthealth.cards#covid19",
"https://smarthealth.cards#immunization",
"https://smarthealth.cards#health-card"
],
"credentialSubject": {
"fhirVersion": "4.0.1",
"fhirBundle": {
"resourceType": "Bundle",
"type": "collection",
"entry": [
{
"fullUrl": "resource:0",
"resource": {
"resourceType": "Patient",
"name": [
{
"family": "LASTNAME", Name
"given": [
"FIRSTNAME"
]
}
],
"birthDate": "1980-01-01" Birthdate
}
},
{
"fullUrl": "resource:1",
"resource": {
"resourceType": "Immunization",
"status": "completed", Vaccine status
"vaccineCode": {
"coding": [
{
"system": "http://hl7.org/fhir/sid/cvx",
"code": "208"
},
{
"system": "http://snomed.info/sct",
"code": "28581000087106" "SNOMED" number for Pfizer" }
]
},
"patient": {
"reference": "resource:0"
},
"occurrenceDateTime": "2021-05-21", Date/lot of first vaccine
"lotNumber": "EW0199",
"performer": [
{
"actor": {
"display": "Drop-in Vaccine Clinic" Where
}
}
]
}
},
{
"fullUrl": "resource:2", Repeat for second dose
"resource": {
"resourceType": "Immunization",
"status": "completed",
"vaccineCode": {
"coding": [
{
"system": "http://hl7.org/fhir/sid/cvx",
"code": "208"
},
{
"system": "http://snomed.info/sct",
"code": "28581000087106"
}
]
},
"patient": {
"reference": "resource:0"
},
"occurrenceDateTime": "2021-07-25",
"lotNumber": "FD7206",
"performer": [
{
"actor": {
"display": "UBC Vax Van"
}
}
]
}
}
]
}
}
}
},
"verifications": { Footer with the signing information, I think
"trustable": true,
"verifiedBy": "XCqxdhhS7SWlPqihaUXovM_FjU65WeoBFGc_ppent0Q",
"origin": "https://smarthealthcard.phsa.ca/v1/issuer"
}
}

Shades of our pre-Windows days.

The snomed link (which is repeated in the code) references an external site. It wouldn't be able to access it if the reader is offline, correct? So now of course I'm curious about its purpose.

[LordEd]

The purpose is likely to formalize the information. Basically saying "this is the registered vaccine number" and "this is who it is registered with".

Instead of link, substitute a mailing address. It would be the same idea.

If I said that I was given vaccine 208, that means nothing.

If I say I got a vaccine registered with the CDC with CVX code 208, then if more detail was needed on that somebody could go to the CDC and find that 208 translates to:

SARS-COV-2 (COVID-19) vaccine, mRNA, spike protein, LNP, preservative free, 30 mcg/0.3mL dose
Vaccine status: active
Last updated: 9/10/2021
FDA BLA 08/23/2021 for adult dose (16+ years). Still under EUA for adolescent doses and presentations. EUA 12/11/2020, 2-dose vaccine. Used to record Pfizer vaccines administered in the US and in non-US locations (includes tradename Comirnaty)

But a restaurant doesn't need all that. The BC app is for local business verification so it only shows name/status.

Say we make agreements with other countries to accept our QR code for travel. They can use their own apps and extract the more detailed information.

Name and birthdate (check matches passport)
Vaccine 1 is CDC registered (we can use that) or Vaccine 1 is in SNOMED (we use this not the CDC).
Vaccine 2 also and is of the same type (or different type and we accept or don't accept that).

The link to the signing key is there and they choose to accept it as authoritative or not.

This is the protocol they are using: https://spec.smarthealth.cards/

[rustled]

The purpose is likely to formalize the information. Basically saying "this is the registered vaccine number" and "this is who it is registered with".

Instead of link, substitute a mailing address. It would be the same idea.

If I said that I was given vaccine 208, that means nothing.

If I say I got a vaccine registered with the CDC with CVX code 208, then if more detail was needed on that somebody could go to the CDC and find that 208 translates to:

SARS-COV-2 (COVID-19) vaccine, mRNA, spike protein, LNP, preservative free, 30 mcg/0.3mL dose
Vaccine status: active
Last updated: 9/10/2021
FDA BLA 08/23/2021 for adult dose (16+ years). Still under EUA for adolescent doses and presentations. EUA 12/11/2020, 2-dose vaccine. Used to record Pfizer vaccines administered in the US and in non-US locations (includes tradename Comirnaty)

But a restaurant doesn't need all that. The BC app is for local business verification so it only shows name/status.

Say we make agreements with other countries to accept our QR code for travel. They can use their own apps and extract the more detailed information.

Name and birthdate (check matches passport)
Vaccine 1 is CDC registered (we can use that) or Vaccine 1 is in SNOMED (we use this not the CDC).
Vaccine 2 also and is of the same type (or different type and we accept or don't accept that).

The link to the signing key is there and they choose to accept it as authoritative or not.

This is the protocol they are using: https://spec.smarthealth.cards/

Thanks again.

[mexi cali]

I didn't know/hadn't heard that you also had to produce additional ID to verify the ownership of the unique code.

For some reason, I thought all you needed was the code which led me to ask why then wouldn't people simply share their codes with their AV brethren?

Thanks to all who contributed here. Some knowledgeable peeps.

[my5cents]

Sorry if this has be asked, but I don't think so...
OK, one's info in imbedded in the QR code, fine. A photo of the QR code is retained in the users phone or the image printed on a piece of paper.

The establishment has a smart phone, iPad, whatever that contains an app that can scan the QR code and read the imbedded info (name and vaccine status). Easy, clear.

There is no need for either the customer presenting their QR code or the establishment to be "online".

NOW.... What security is there so someone can't hack the QR code and change the info. ie, is there some type of calculated check digit that the establishment's app verifies that the QR code is legit ???

ie, for example for a vehicle's VIN (vehicle identification number) that contains 17 characters, the 9th position is a number or letter calculated from all the other 16 digits in the VIN. If a crook changed digits in a VIN, they would have to know the formula to re-calculate the check digit or the VIN would show as an invalid VIN.

<End of question>

I had lunch in a pub in Osoyoos yesterday. Interesting. My buddy and I walked in, QR codes in hand, buddy's printed, mine on my phone. It was 12:15 PM, about 20 - 25 patrons already in the pub. The person greeting us, seeing our expectation that we'd be checked, called over another person "do you know what to do with these ?" The second person, "I think so" then pulled out her smart phone and scanned our QR codes. I jokingly stated to the young lady: "be gentle it's my first time", to which she said: "mine too".

So, wouldn't it be a great idea if the app would capture, even for 24 hours, the stats of how many scans each device had completed. Someone inspecting could pop in, see 20 people in an establishment check the establishments device(s) and insure that they had a corresponding number of scans. ie, I suspect in the case of this pub yesterday, 20+ patrons and 2 scans.

[my5cents]

I didn't know/hadn't heard that you also had to produce additional ID to verify the ownership of the unique code.

For some reason, I thought all you needed was the code which led me to ask why then wouldn't people simply share their codes with their AV brethren?

Thanks to all who contributed here. Some knowledgeable peeps.

I think all the QR code does is tell the establishment that "John Smith is full vaccinated", now you have to produce photo ID to prove you are John Smith.

Yes, a great bunch.

[spooker]

Sorry if this has be asked, but I don't think so...
OK, one's info in imbedded in the QR code, fine. A photo of the QR code is retained in the users phone or the image printed on a piece of paper.

The establishment has a smart phone, iPad, whatever that contains an app that can scan the QR code and read the imbedded info (name and vaccine status). Easy, clear.

There is no need for either the customer presenting their QR code or the establishment to be "online".

NOW.... What security is there so someone can't hack the QR code and change the info. ie, is there some type of calculated check digit that the establishment's app verifies that the QR code is legit ???

ie, for example for a vehicle's VIN (vehicle identification number) that contains 17 characters, the 9th position is a number or letter calculated from all the other 16 digits in the VIN. If a crook changed digits in a VIN, they would have to know the formula to re-calculate the check digit or the VIN would show as an invalid VIN.

In the QR info there is this bit:

"verifiedBy": "XCqxdhhS7SWlPqihaUXovM_FjU65WeoBFGc_ppent0Q",

that is the "signature" that was created with the private key of the issuer and can be verified against the public key to make sure that what was generated is still the same as at creation ...

[mexi cali]

I didn't know/hadn't heard that you also had to produce additional ID to verify the ownership of the unique code.

For some reason, I thought all you needed was the code which led me to ask why then wouldn't people simply share their codes with their AV brethren?

Thanks to all who contributed here. Some knowledgeable peeps.

I think all the QR code does is tell the establishment that "John Smith is full vaccinated", now you have to produce photo ID to prove you are John Smith.

Yes, a great bunch.

Yup, not an ideal system but I guess it's what we have.

[LordEd]

that is the "signature" that was created with the private key of the issuer and can be verified against the public key to make sure that what was generated is still the same as at creation ...

I tried to find a good explanation of digital signatures and public/private keys, but even the simplest example I found is fairly complex.

1. Imagine there is a way to convert the entire file into a single really big number. If you change even 1 character in it, it would change to a completely different number (called a hash).

2. Anybody can take the contents of your QR code and get the exact same number every time.

3. I have an encryption key that lets me take the hash and encrypt it.

4. I put that encryption key into the code and also tell you where to find the public key.

5. If you use the public key, you are able to get the hash. If the encrypted hash matches the contents of the file, it hasn't been modified.

6. The public key can't be used to figure out the private key and can't be used to make a new hash. The math only works one way (easy to go one way, computationally difficult to go backwards).

[normaM]

At the UPS store in the Mission you can have the card printed and laminated ( so same size as DL) I am doing it since you have to haul out GOvt photo ID. btw, I asked for a hard cope to be mailed out, actually thought they would send a card.. nope, just a print out too large to haul around town.
Anyhow thought there might be someone else who wants the CC size - $10 and tax

[W105]

At the UPS store in the Mission you can have the card printed and laminated ( so same size as DL) I am doing it since you have to haul out GOvt photo ID. btw, I asked for a hard cope to be mailed out, actually thought they would send a card.. nope, just a print out too large to haul around town.
Anyhow thought there might be someone else who wants the CC size - $10 and tax

^^ thanks for the tip Norma..I am going to UPS to get this done..I want a hard copy encase my phone dies

[normaM]

yup... plus have to pull out the DL anyhow :) Also, 2 people told me they downloaded the passport to their phone, but hours later their name vanished off
Maybe they are just as bad as me re Tech stuff

[Gilchy]

yup... plus have to pull out the DL anyhow :) Also, 2 people told me they downloaded the passport to their phone, but hours later their name vanished off
Maybe they are just as bad as me re Tech stuff

It's a screenshot/photo - it would be impossible for their name to "vanish" unless to cropped the top off the photo manually. It would be like taking a photo of your driver's licence and claiming the name disappeared off your photo a few hours later.