COVID certificate and other large NDEFs

anon3825968 · November 6, 2021, 7:04pm

The certificate has your name in it, as well as COVID- and vaccination-related information. But no SSN or national ID number.

Yes, like all “what you haves”, it doesn’t prove who you are. COVID certificate checking is a two-step process: first verify the person’s identify with the ID card or driver’s license, then verify the COVID status with the certificate.

What we’re trying to do here is move step #2 to NFC. Step #1 is still old-school. This would be different if the ID card was implantable, or - better - if the COVID certificate was in a chip that acted as both.

In other words, it would be ideal if the Apex was usable as a valid ID and could hold the COVID certificate also (which, technically, it can in an NDEF of course). But… that’s for Soon™ I guess

amal · November 6, 2021, 9:18pm

Any eid standard for Finland like Belgium has?

https://www.google.com/search?q=belgium%20eid%20java%20card%20GitHub

anon3825968 · November 6, 2021, 9:48pm

Not really. What happens here, for some reason, the government decided to delegate ID authentication to banks. There is a national ID thing that works in parallel, but as far as I can tell it’s not used a lot.

See here for instance: this is the login portal for the citizen’s website, where one chooses how to authenticate oneself:

It infuriates me no end that the state lets private concerns like bank handle such sensitive information. I’m 110% certain the banks love nothing better than to track and monetize the shit out of our government and health facilities’ usage patterns.

On the plus side, Vivokey could - and should - propose themselves as yet another alternative authentication method. The infrastructure for pick-and-choose your authenticator is pretty much already in place here, so Vivokey could easily be a new option quickly. It’s not like they’d have to force their way into a locked government-only IT infrastructure.

Zwack · November 6, 2021, 10:53pm

I don’t know if that could be something that fidesmo offers an option to the fidesmo banks as well as Vivokey.

Not trying to put Vivokey down, but I suspect fidesmo has a bigger market share than Vivokey does on its own, even in Finland.

amal · November 6, 2021, 11:24pm

I totally understand that. The problem at this point is that Fidesmo does not want to play in the identity space. That’s why you don’t have to sign up for any kind of account to install or use the Fidesmo app. However your point is valid because if we made a identity application for VivoKey, It could easily be installed on non-vivokey devices if we allowed. It would just be a matter of sorting out the business case for non-vivokey devices.

anon3825968 · November 7, 2021, 2:37am

Okay, so in the end I went to my favorite bar in the evening because the place was jam-packed the whole afternoon and my buddy was busy. When he finally found time, he took the job very seriously: we shot a pretty convincing series of simulated COVID certificate checking using various methods.

Best of all: because it was nighttime and the light at the front door was pretty dim, reading the QR code turned out to be really, really difficult, further highlighting how much better a solution NFC is. Okay I’m being a bit disingenuous if I’m honest: many people will present an image of their QR code on their phone. Still, it shows NFC is a convenient alternative, and there’s always gonna be people who will come with an unreadable piece of paper anyway.

Check it out (faces and names blurred to protect the guilty ):

anon3825968 · November 12, 2021, 8:47pm

Just got an email to confirm that the video - and a Powerpoint presentation making a case for enabling NFC - will be reviewed by the relevant authorities next week. And my pull request for the code fix hasn’t even been reviewed after a week, let alone merged in, and I’m not holding my breath because other PRs have been lingering for weeks.

Bureaucracy moves at a glacial pace. I think the NFC COVID checker has a very good chance to make it to the Google Play store in time for the next pandemic

yeka · November 12, 2021, 8:55pm

I was about to say, did you really expect it to go fast? I just hope 1 day an interested dev will see it and review it for fun.

anon3825968 · November 12, 2021, 8:57pm

Well, we kind of are in the middle of a pandemic a bit… I was expecting it to be expedited actually - or at least, I was expecting other PRs that are more essential than NFC to be expedited.

The original author of the NFC code has been assigned to the review job.

yeka · November 12, 2021, 9:01pm

If things go well our vax doesn’t work for some mutants and we keep this pandemic for a while.

Nah. Even critical security issues take weeks for gov stuff, at least here in germany. You could have emailed them that you have the finnish private key for certs and they wouldn’t look at it until tuesday.

anon3825968 · November 12, 2021, 9:03pm

You’d be surprised how efficient Finnish public servants can be. Not that lot though, unfortunately.

pirrup · November 24, 2021, 4:17pm

Do you know if the Belgium app can do this ?

I want to put mine also on my next or XSIID if possible ?

anon3825968 · November 24, 2021, 4:39pm

I’ll answer your question more generically, in the form of an explanation, and as an update on the current goings on:

The Belgian COVID checker app, like the Finnish app, the French app and all the others in the EU zone, are all more or less direct derivatives of the DGCA Verifier App, which is the EU’s reference implementation. In other words, when a feature makes it into the DGCA Verifier app, eventually (days to weeks later) it may or may not trickle down to your local version, depending on what your local authorities reckon is useful to keep or not to keep from the reference application.

In the case of the NFC feature, it’s always been in the DGCA Verifier app. From what I can tell from the git log, it used to work, then the author / maintainer of the NFC feature fucked it up on purpose for some reason, and I made a pull request to essentially unfuck it a couple weeks ago. If the NFC feature was ever enabled in one of the national implementations, no doubt it was disabled in a hurry when the feature got fucked up.

But most likely it was never enabled in any national implementation, because it turned out QR codes sort of naturally won out and left the NFC option behind altogether.

So my advice to you is this: if you want the Belgian CovidSafe app to support NFC, get in touch with the local maintainers of that app and urge them to enable the NFC feature in the DGCA Verifier app in their own implementation (and since you’re at it, tell them to urge the DGCA Verifier app maintainers to accept my fucking fix, because the EU being the EU, they still haven’t even reviewed it, despite being a TWO LINE FIX!! )

You might have to argue the case in favor of NFC - because you know, they’re public servants and they don’t like to work if they don’t have to. If you need arguments, I can send you the powerpoint I sent the Finnish authorities for that very purpose, and you can use the video above to shows a real-life example of NFC COVID certificate checking in action.

As for the update: the Finnish authorities told me they’d review our request in January, because they have “other important things to do at the moment” and now is not a good time. Whatever… So anyway, if NFC happens in the Finnish app, it won’t happen before January at best. Probably February. Who knows… COVID might be gone by the time NFC gets enabled

pirrup · November 25, 2021, 11:16am

Rosco, thanks for the clear answer.
I checked and the maintainer is the government itself so no point to contact. Egof Health
so i think this is also a dead end for the Belgian app

anon3825968 · November 25, 2021, 11:19am

Just send an email to SPF Santé Publique with a short, clear description of what you want and who your email should reach, and you might find that it’ll actually get there and you might get an answer. All it costs is trying This sort of thing works surprisingly often.

pirrup · November 25, 2021, 11:21am

ok great will do , maybe i can include your presentation and video ?

anon3825968 · November 25, 2021, 11:25am

You may want to wait until you get someone to answer you before sending a video and a PPT. You don’t want to overwhelm the public servants: anything longer than 3 sentences with a simple subject / verb / object structure and you start encroaching on their coffee break time Not to mention, most email servers are configured to discard emails sent to public-facing addresses that have attachments.

But I’m happy to share the PPT with you for when you have an actual name to talk to. Just let me rework it a bit so my own name is out of it.

Pilgrimsmaster · November 30, 2021, 8:45am

7 posts were merged into an existing topic: The anti:no_entry_sign:-derailment:railway_car: & thread:thread: hijacking:gun: thread:thread:

Thebys · December 22, 2021, 7:48am

I’ve read through this topic, since it is becoming viral in Europe.

So I have the 574 byte .hcert file, generated by my local C19 certificate app, how do I load this data into a NExT to that it will be recognized by my Android phone? Is it possible to do with NFC Tools Android app? Storing as plaintext seems to do nothing. Thank you all for your outstanding work of trolling the world <3

Zwack · December 22, 2021, 7:52am

This post tells you what to put on the chip.

A single ndef with a plain text record containing the certificate directly copied from the qr code.