Digital Travel Credentials: Difference between revisions

From IDESG Wiki
Jump to navigation Jump to search
Line 6: Line 6:


===Goal===
===Goal===
To allow digital proof of a travelers compliance with requirements for travels that by collected from among many [[Credential Service Provider]]s.
To allow digital proof of a travelers compliance with requirements for travel that are collected from among many [[Credential Service Provider]]s.
 
===Actors===
===Actors===
# Traveler
# Traveler

Revision as of 17:18, 24 January 2021

Full Title

Digital Travel Credentials with a focus on Health Credentail Use Case.

Context

To provide reasonably high assurance that a traveller has the Health and other Credentials needed to travel.

Goal

To allow digital proof of a travelers compliance with requirements for travel that are collected from among many Credential Service Providers.

Actors

  1. Traveler
  2. Electronic Health Record (EHR)
  3. Verifier of claim of majority (also can validate binding to subject)
  4. Access Agent the recieves the verifier prsentation and allows access of the Traveler.
  5. Provider(s) of late binding tokens and client-side code
  6. Internationally recognized Travel Trust Registry

Preconditions

  • The Traveler has acquired a late binding token from any approved Credential Service Provider.
  • The Traveler has registered a claim with verifier using token.
  • The Traveler has established an account with credential supplier using a DID or other persistent ID.

Scenarios

Primary Scenario:

  1. Consumer signs into supplier and has never purchased liquor from this site.
  2. Consumer selects to purchase liquor item
  3. Access Agent asks traveler for a verifed claim of Health with a nonce.
  4. Consumer sends verifiable claim of Health they acquired from verifier.
  5. Access Agent asks verifier for proof. (This would be by redirect to verifier through traveler browser)
  6. Verifier supplies validated claim (or statement of non-revocation) bound to nonce by redirect to Supplier, if this VC is bound to the traveler’s session with supplier, it can have a lifetime of the duration of bound session.
  7. Monetization is by direct micro payment (on the order of $.05) from supplier to verifier.


Alternative Paths:

  1. Consumer selects to purchase liquor item.
  2. Access Agent asks traveler for a verifed claim of Health with a nonce.
  3. Consumer asks verifier directly for proof with nonce from Supplier.
  4. Verifier asks consumer to enter token for proof of presence.
  5. Verifier send validated claim with nonce of supplier with short expiration time (10-20 mins - alternate life time of duration of session).
  6. Consumer sends verified claim to supplier.
  7. Monetization is by advertising from verifier to consumer.

A different path using biometrics:

  1. Yoti, a London-based startup which wants to become the “world’s trusted identity platform”, is one of many attempts to provide such a service. Its system stores government id documents and biometrics. If a travel want to use self-check-in and needs to prove their health, they scan a qr code and take a selfie using Yoti’s app. The retailer can be sure of their age, but no one has seen their name or nationality. From the Financial Times.

Failed Paths:

  1. Traveler does not get verified claim for some reason.
  2. Verified claims fails validation at supplier.
  3. Verified claims are false.

Results

Accepted Risks:

  1. The Traveller is not healthy and has uased a friend's token to enter into computer.
  2. Session hijacking mitigated with HTTPS and session cookies.
  3. MitM attacks mitigated by hardware token bound to origin URL of verifier.
  4. Note that the late binding token could be bound to travel supplier as well as needed.
  5. The identity of the verifier/validator is discoverable by the travel supplier.
  6. User makes choices on which attributes are trusted for sharing with the travel supplier.

Post Condition:

  1. If validation accepted, and traveler completes payment, the access to the travel conveyance.
  2. Note that at the end of the process of validating the traveler's health, the state issued conditions for travel will determine which path to use. The penalty for the trvel supplier follow correct verification proceedurs could result in civil penalties, including loss of use of travel trust registry.

Examples:

  1. Late binding token - FIDO U2F token, TEE TPM VSC, etc.
  2. Client side code - javascript in a browser, native app, etc.

Dependencies:

  1. Web Sites must be trusted before any user information is released.
  2. Trust federations can be used to help users make informed decisions.
  3. User consent and trust must begin with no traveler information transferred.
  4. Standards exist to collect needed attributes where-ever they may be.

Problems:

  1. Oppressive governmental or other agencies may track the traveller.
  2. The people's right to travel when and where they wish is abridged.
  3. It could back-fire in preventing sick people from travelling to a place where they can be cured.
  4. A traveller is blocked from legitimate travel because of burocratic or technical malfunctions.

Workflow Diagram

TK

References