It's a pretty decent technical spec for signing statements like "This person has this age" or "this person is vaccinated" or "this person is authorized for this bank-account as executor of a will". It is a spec written by cryptographers and hackers.
At the same time, it is a spec being used by banks, governments, and health-care. That is, its not just a nice technical ivory tower idea, it is actually liked by people who would use it. Why do these organizations want to use this? Because, without cryptographic guarantees, your business processes involve a whole lot of bureaucracy, manual checking of data, implicit trust relations, and friction (so much friction).
That friction is part of why people would actually want to use it. Essentially, all you need to do to share required data is scan some QR codes. Another, maybe more important part, is control over your data. You determine who you show your VC. It is not needed for two organizations to have access to all of their shared data they need. They give the used the data, and the user hands it over, or he doesn't.
The general concept behind all of this is sometimes called SSI (Self Sovereign Identity).
The added bonus is there’s already an open standard I can use that’s been poked at by smarter people.
Exciting!
Self-signed statements already have some value. You can litigate those in court. But when you wanna enter e.g. the Netherlands, how are they to know which key belongs to Quebec?
The culture is super weird. As an example, the focus on the french language : a dev once told me that, during a government contrat, he had to work with a french translated C++ STD library... Finally, by law, the only criteria Quebec can use to choose a external private business to complete a project is the lowest bid. They are not aiming for quality.
Finally since some people in the far regions of the province do not have access to high speed internet, phone + mail + fax is still the implicit norm to contact the government. Quebec public services does not have a strong tech culture for many reasons. We are fortunate that they did not mess up the vaccine process.
Edit: an example- https://mobile.twitter.com/nneonneo/status/92323100662615654...
Here’s some results of a longstanding poll. There have also been various official reports to this effect.
https://www.ctvnews.ca/mobile/sci-tech/canada-s-francophones...
I've found the CBSA to also be fairly reasonable, but I only needed one thing from it (and a FOIA request).
>vaccine appointment website as well as their proof-of-vaccination has been really well done.
The appointment website is bad:
- No date search (have to click multiple locations just to see they're full)
- Multiple popups everytime you click on a location (are you over 18? Etc. Which could have been saved in cookie)
- They don't reserve the time you selected while filling the (long) PII form just before confirming. This can cause someone to snap it from under you. Either ask PII before clicking the time or reserve it would fix this
It would have been even better if they did the "your ticket is reserved" with a countdown to give you time to fill the form.
The ethics and legality of vaccine passports are still very controversial, and using Quebec as a test ground for it seems like its part of an inevitable push, independent of popular assent to it. It's force, basically.
Using a JWT is sufficient for the purposes, and the vaccination status is basically a digital ID. This provides some mature and flexible structure to the token format, as opposed to say, a blockchain based one. The scanning app with the URI endpoints is going to be the interesting piece.
Having worked in the design of related concept, the main failure modes here are a compromise of the signing key which is probably in an azure HSM instance, or cached somewhere as just a k8s secret, mobile malware that steals or corrupts tokens, and then infrastructure ddos against that API endpoint during a holiday airline rush. There's also the question of how the code verification app works, as that's where the real vulnerabilites would be.
Given the amount of co-ordination required for a scheme like this to work, it is difficult to believe this is not being done in secret, and if so, why?
Quebec's current Premiere is a populist who has been gaining huge amount of popularity points with his constituents (albeit, with Montreal being a bit of an exception) in bucking the Federal government; especially when it comes to matters of the Canadian Human Rights charter.
Who are you implying is using Québec as a test ground? The reality is simple: Québec implemented something of its own volition. Nothing nefarious here.
https://gist.github.com/remi/e3aa2f78845ee13f706ed83aead5145...
There's also an online version (that works on mobiles and desktops) and decodes everything on the client side:
The SMART Health Cards Framework is designed to dovetail with SMART on FHIR APIs for consumer access (which all Electronic Health Record vendors in the US are on the hook to support over the next year).
