10A/ Vaccination Certificate Chained Credentials Privacy Aware Presentation & Presentation Exchange -over- http(s)

From IIW

Vaccination Certificate Chained Credentials Privacy Aware Presentation & Presentation Exchange -over- http(s)/ Ronald Koenig

Session Convener: Ronald Koenig

Notes-taker(s): Ingo Wolf

Tags / links to resources / technology discussed, related to this session:

Covid credentials, privacy aware

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Ronald presents the background and outcomes of our intermediate project results within the IDUnion project in Germany.

Privacy issues today exist when you have to proof your vaccination status e.g. going to a restaurant and additionally disclose your identity from your passport. Furthermore there is a central service signing all covid certificates, which provides no utils to revoke those certificates on an individual basis. Within the project we developed a prototype, that enables:

  • combine credentials via holder binding in order to have a single presentation (id credential + vaccination credential)
  • selective disclosure with BBS+ signatures concerning your personal data (no need to provide your name, when entering the restaurant)
  • using an indy ledger as a trust anchor for issuers (root of trust)
  • credential chaining applied to express the delegation of authority to issue vaccination credentials from a single root of trust to all doctors’ agents


Chris asks: is this applicable to distributed/not centralized regional health structures (like in UK)?

Could you technically delegate the authorization with multiple chain elements?

Ronald: yes. You can do that.

Luke: is it comparable to X.509 certificate chaining?

Ronald: It’s similar, but technologically different, based on VCs/VPs. Authorizations are more explicit.

How do you know that the data belongs to the person presenting to the verifier?

This is realized via device binding and the device is protected by biometric authentication of the user.

Is this also usable for the EU certificate actions? Not yet, this is a research project. It is currently a prototype, but not in production.

Is this applicable to other scenarios than issuance at the point of care?

Yes it is possible to extend the use case, but we started with the approach of integrating it into healthcare systems at the PoC.

What challenges did you phase?

Heterogeneity of technology in the SSI techspace (many solutions with limitations and rare interoperability)

How does the solution impact the workflow in the doctors office?

Minimally: the doctors document the vaccination event as before and a QR code is presented to the patient, that scans it to import the credential into his wallet.

Presentation exchange over https was not presented due to time restrictions.