
Digital Green Certificate (DGC) — A Great Step Forward To Address A Problem, But A Technical Opportunity Missed?

And so the good news is that we are moving to open up our borders safely with the usage of vaccination passports. In the EU, we see the Digital Green Certificate (DGC) and it’s a great step forward. But, for a way forward, have we missed a great opportunity to do things properly, and create a scalable system for the future?

Certainly, the collaboration of health care authorities across the EU is an excellent approach, but technically the devil will be in the detail, and the current solution is just a plain old PKI solution with a centralised infrastructure. The tools are now here for much better solutions, so I suppose the choice is to go for a quick-and-dirty solution, or to push forward with new innovation that could be scaled into the future.

Overall there will be three certificates: vaccination certificates, test certificates (NAAT/RT-PCR test or a rapid antigen test), and certificates for those who have recovered from COVID-19. An example certificate is:

In operation, basically, there will be a centralised system that will receive the digitally signed records. Each of these will be signed by a trusted health care entity, and checked against the public key of that trusted entity. It’s pure PKI, as we would have when connecting to a trusted Web site.

But, let’s look at the technical detail of this. Well, the core of the security infrastructure is the signing keys. In the best case, we would issue key pairs to every trusted health care professional to sign passports. This would allow fine-grained control over signing, and an audit of each signing authority. If a private key were breached, though, the matching public key would be revoked, and it would have a minimal impact. What is likely to happen is that a countrywide health authority will have a single signing key pair. A single breach of the private key will bring down every single DGC signed by that authority, as all of the passports will be marked as untrusted. For cybercriminals, this private key will be a prime target, as it will be worth so much to them on the open market.

If we avoid the global signing by a single health authority, it will be possible to distribute the signing to local health authorities. These, though, tend not to have the best security in place for the protection of the private keys and could end up locking out whole communities from travel.

And, when it comes to revocation of a signing key, that has always been the Achilles heel of PKI. It could only happen by the centralised authority receiving notification of a private key leak, and then marking the key as non-trusted. Otherwise, the leak can only be detected through fraud, which risks blocking many travellers on the basis of the revocation. On that, every certificate signed by the revoked key would then have to be reissued.
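The trade-off above between one countrywide signing key and many issuer keys, and what revoking a key does to the certificates it signed, shown as an added example that is not part of the original article or of the DGC system. It uses Ed25519 from the Go standard library for brevity; the key IDs, payloads and counts are constructed.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Cert is a constructed stand-in for a signed health record, not the DGC format.
type Cert struct {
	KeyID        string // hypothetical field naming the signing key
	Payload, Sig []byte
}

// TrustList maps a key ID to its public key; revoking a key removes its entry.
type TrustList map[string]ed25519.PublicKey

// Verify accepts a certificate only if its key is still listed and the signature checks.
func (t TrustList) Verify(c Cert) bool {
	pub, ok := t[c.KeyID]
	return ok && ed25519.Verify(pub, c.Payload, c.Sig)
}

// Simulate issues `holders` certificates spread evenly over `signers` keys,
// revokes one key, and returns how many certificates stop verifying.
func Simulate(holders, signers int) (rejected int) {
	t := TrustList{}
	privs := make([]ed25519.PrivateKey, signers)
	for i := range privs {
		pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
		privs[i], t[fmt.Sprintf("key-%d", i)] = priv, pub
	}
	certs := make([]Cert, holders)
	for i := range certs {
		p := []byte(fmt.Sprintf("holder-%d:vaccinated", i)) // constructed payload
		certs[i] = Cert{fmt.Sprintf("key-%d", i%signers), p, ed25519.Sign(privs[i%signers], p)}
	}
	delete(t, "key-0") // one signing key is reported breached and revoked
	for _, c := range certs {
		if !t.Verify(c) {
			rejected++
		}
	}
	return rejected
}

func main() {
	fmt.Println("one national key:", Simulate(1000, 1))   // every certificate is rejected
	fmt.Println("fifty issuer keys:", Simulate(1000, 50)) // only that issuer's share
}
```

Every rejected certificate is one that has to be reissued, so the return value is the reissuance workload caused by a single key breach.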

But, why use a central authority for the whole infrastructure and one which has no real background in building systems such as this? Why not distribute the trust infrastructure towards each country validating the certificates? The existing PKI infrastructure is distributed to a certain extent, but centralising with DGC could be asking for trouble.

GLASS

Luckily, we have a chance to build a system for the future in the EU-funded GLASS (SinGLe sign-on eGovernAnce paradigm based on a distributed file exchange network for Security, transparency, cost-effectiveness and truSt) project, which aims to create a more trusted world for citizens.

A key focus of GLASS is on trust, security, reproducibility and value generation for all stakeholders:

The GLASS framework aims to build strong business cases and a sustainability order, in order to integrate into every part of e-Governance systems:

GLASS thus aims to create new models for digital governance, which support the integration of targeted, engaging and effective policies for the citizen. This will focus on a range of key technologies including Distributed Ledgers, Big Data Analytics, Machine Learning, Artificial Intelligence, AIBots and NetApps technologies, and aim for a digital-by-default design which supports interoperable and cross-border integration:

Conclusions

The solution is fine. It’s really just a bit of paper with some data that is converted into a digital form, and there’s a bit of trust. Overall it’s a 20th Century method that helped build the Internet, but it’s hardly a way forward for the deep integration of trust and of the citizen — and their rights — that is truly possible.

For me, I hope Scotland and the UK follow soon with this and get our borders open again, as we thrive in a world without physical and hard borders. I just wish that we started to build a more trusted infrastructure that could start to harmonise these types of passports across the world and build a proper trust infrastructure. Well done, EU, but it would have been great to just push forward on a more trusted world. For us, we push forward with the GLASS project, and just hope it will provide a more trusted and scalable infrastructure for the future.