Digital Travel Credentials
Latest revision as of 00:52, 4 May 2021
Full Title
Digital Travel Credentials with a focus on Health Credential Use Case.
Context
To provide reasonably high assurance that a traveler has the Health and other Credentials needed to travel.
- This effort is essentially a proposal to replace the Yellow Card or vaccine passports with Digital Travel Credentials.
- See the wiki page
- The working assumption is that the user would put certificates on their own phone at their own discretion.
- The use cases are not dependent on a nation-wide repository, but can work with any regional or even laboratory certified clinical electronic health record (EHR) repository.
Goal
To allow digital proof of a traveler's compliance with requirements for travel that are collected from among many Credential Service Providers. For example: acceptable proofs might include:
- Negative test for a variety of health conditions, like COVID-19.
- A current certificate of vaccination against a particular disease, which often depends on the area to which, or from which, the traveler is traveling.
Actors
- Traveler with a portable computing device, called hereinafter a smartphone, without prejudice to other devices that may meet the criteria.
- Electronic Health Record (EHR) holds the actual health event information and is prevented from blocking patient access to the information.
- Credential Service Provider can generate a health travel credential from Patient Health Information (PHI) from an EHR.
- Verifier of health credential (also can validate binding to Traveler)
- Access Agent that receives the verifier presentation and allows access for the Traveler.
- Supplier of travel accommodation.
- Internationally recognized Travel Trust Authority with an internet accessible registry.
Note that many of the actors are roles that could be performed by the same entity; for example, in some jurisdictions 2 and 3 could come from the same service. Health records may be in regional centers, hospitals, labs or any HIPAA covered entity that has been certified. It is expected that some of these entities have also chosen to be a Credential Service Provider for Digital Travel Credentials.
Preconditions
- The Traveler has a smartphone that can create a verifiable Presentation of the health information.
- The Traveler has acquired a persistent digital identifier which is linked to a public key pair.
- The Traveler has loaded a health credential into the smartphone.
- The Traveler's smartphone or the access agent and trusted authority has a binding to a proof of presence method.
- The current (untested) assumption is that consent to release credentials is contained in some phone feature. There are two possibilities:
- The credential is tied to the user wallet in such a way that a user gesture (like a finger scan) is required before release.
- The credential is transmitted over NFC, which has a short range (see Smartphone wireless).
Digital Identifiers can be issued as Medical Record Locators, National Health IDs or as Decentralized Identifiers (dids and did-documents).
Scenarios
Primary Scenario:
- Traveler has a ticket to ride from a supplier they have not previously used.
- Traveler is informed of the requirement for a Health Travel Credential.
- Traveler acquires Credential from a health care provider, for example a lab, which populates a record in an EHR.
- An approved Credential Service Provider accepts the record from the EHR and creates a Health Credential meeting the criteria of the Trust Registry.
- Access Agent asks traveler for a verified claim of Health with a nonce.
- Traveler smartphone sends verifiable Presentation of the Health credential they acquired from verifier.
- Access Agent asks verifier for proof. (This would be by redirect to verifier through traveler browser)
- Verifier supplies validated claim (or statement of non-revocation) bound to nonce by redirect to Supplier. If this VC is bound to the traveler’s session with the supplier, it can have a lifetime of the duration of the bound session.
Alternative Paths (e.g. a hydroplane going from Seattle to Victoria):
- Traveler has a ticket to ride.
- Supplier asks traveler for a verified claim of Health with a nonce.
- Consumer asks verifier directly for proof with nonce from Supplier.
- Verifier asks consumer to enter token for proof of presence.
- Verifier sends validated claim with nonce of supplier with short expiration time (10-20 minutes, or alternatively a lifetime of the duration of the session).
- Consumer sends verified claim to supplier that can let them board immediately.
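The challenge-and-response steps shared by the Primary Scenario and the Alternative Path (supplier issues a nonce, the smartphone answers with a presentation bound to that nonce, the verifier checks it against the Trust Registry with a short expiration) can be made concrete with a small program. The following Go code is an added example, not code from this wiki page or from any of the projects it references; it uses only the Go standard library's Ed25519. The Credential Service Provider signs a claim together with the traveler's public key (the "did" binding from the Accepted Risks), the wallet wraps the credential in a presentation bound to the supplier's nonce and identity with a 10-20 minute lifetime, and the verifier rejects a replayed nonce, the wrong audience, an expired presentation or credential, an issuer outside the registry, and a presentation not signed by the credential's subject (a friend's lab result). The field names, the registry as a map of raw public-key bytes, the audience string and the sample claim text are all assumptions made for this example, not a standard.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Credential stands in for the Health Credential a Credential Service Provider derives from the EHR record (field names are assumptions).
type Credential struct {
	Subject   []byte    `json:"subject"`    // traveler's public key: the "did" binding
	Claim     string    `json:"claim"`      // e.g. a negative test result
	ExpiresAt time.Time `json:"expires_at"` // the page suggests lifetimes as short as 24 hours
}

// SignedCredential is the credential bytes plus the issuer's public key and signature.
type SignedCredential struct {
	Payload, Issuer, Signature []byte
}

// Presentation binds the credential to the supplier's nonce and identity with its own short lifetime.
type Presentation struct {
	Credential SignedCredential
	Nonce      []byte
	Audience   string
	ExpiresAt  time.Time
}

// SignedPresentation is the presentation signed with the traveler's private key.
type SignedPresentation struct {
	Payload, Signature []byte
}

// IssueCredential: the Credential Service Provider signs the claim together with the traveler's public key.
func IssueCredential(issuer ed25519.PrivateKey, subject ed25519.PublicKey, claim string, expires time.Time) (SignedCredential, error) {
	payload, err := json.Marshal(Credential{Subject: subject, Claim: claim, ExpiresAt: expires})
	if err != nil {
		return SignedCredential{}, err
	}
	pub := issuer.Public().(ed25519.PublicKey)
	return SignedCredential{Payload: payload, Issuer: pub, Signature: ed25519.Sign(issuer, payload)}, nil
}

// Present: the smartphone wallet answers the challenge by wrapping the credential with the nonce, audience and expiry, then signing it.
func Present(holder ed25519.PrivateKey, cred SignedCredential, nonce []byte, audience string, expires time.Time) (SignedPresentation, error) {
	payload, err := json.Marshal(Presentation{Credential: cred, Nonce: nonce, Audience: audience, ExpiresAt: expires})
	if err != nil {
		return SignedPresentation{}, err
	}
	return SignedPresentation{Payload: payload, Signature: ed25519.Sign(holder, payload)}, nil
}

// Verify: the verifier checks challenge binding and lifetime, issuer membership in the trust
// registry (keyed by raw public key bytes), the credential's own lifetime, and that the
// presentation was signed by the key the issuer bound the credential to. Returns the claim.
func Verify(registry map[string]bool, sp SignedPresentation, nonce []byte, audience string, now time.Time) (string, error) {
	var p Presentation
	if err := json.Unmarshal(sp.Payload, &p); err != nil {
		return "", err
	}
	if !bytes.Equal(p.Nonce, nonce) || p.Audience != audience || !now.Before(p.ExpiresAt) {
		return "", errors.New("presentation is not bound to this challenge or has expired")
	}
	if !registry[string(p.Credential.Issuer)] {
		return "", errors.New("issuer not in trust registry")
	}
	// ed25519.Verify panics on a malformed key, so the length checks come first.
	if len(p.Credential.Issuer) != ed25519.PublicKeySize || !ed25519.Verify(p.Credential.Issuer, p.Credential.Payload, p.Credential.Signature) {
		return "", errors.New("issuer signature invalid")
	}
	var c Credential
	if err := json.Unmarshal(p.Credential.Payload, &c); err != nil {
		return "", err
	}
	if !now.Before(c.ExpiresAt) {
		return "", errors.New("credential expired")
	}
	if len(c.Subject) != ed25519.PublicKeySize || !ed25519.Verify(c.Subject, sp.Payload, sp.Signature) {
		return "", errors.New("presentation not signed by the credential subject")
	}
	return c.Claim, nil
}

func main() {
	// Constructed keys, claim and challenge for a stand-alone run.
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	travelerPub, travelerPriv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	cred, _ := IssueCredential(issuerPriv, travelerPub, "COVID-19 PCR negative (constructed)", now.Add(24*time.Hour))
	sp, _ := Present(travelerPriv, cred, []byte("nonce-from-supplier"), "ferry.example", now.Add(15*time.Minute))
	registry := map[string]bool{string(issuerPub): true}
	fmt.Println(Verify(registry, sp, []byte("nonce-from-supplier"), "ferry.example", now)) // claim, <nil>
	fmt.Println(Verify(registry, sp, []byte("another-nonce"), "ferry.example", now))       // "", error
}
```

The verifier runs the cheap checks (nonce, audience, expiry) before any signature work, and the registry lookup before verifying the issuer signature, so an untrusted key never gets as far as cryptography. The same Verify routine is what the "self-check web site" from the Worst Case Scenario below would run against each family member's credential before the family leaves home.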
Worst Case Scenario:
- Family traveling together, husband and wife have their own credentials on their own phones.
- Children credentials must be located on someone else's phone.
- The current path leads to one wallet per credential.
- If that cannot be accommodated, one parent will be searching around on their phone for many additional credentials.
- Of the whole family, one credential is not accepted by the security agent and the whole family misses the flight.
- There is no agency at the airport that can rectify the problem.
- One mitigation for this scenario would be a self-check web site where the parents could check every credential before leaving home.
A different path using biometrics:
- Yoti, a London-based startup which wants to become the “world’s trusted identity platform”, is one of many attempts to provide such a service. Its system stores government ID documents and biometrics. If a traveler wants to use self-check-in and needs to prove their health, they scan a QR code and take a selfie using Yoti’s app. The retailer can be sure of their age, but no one has seen their name or nationality. From the Financial Times.
Failed Paths:
- Traveler does not get verified claim for some reason.
- Verified claim fails validation at verifier.
- Verified claims are false.
Results
Accepted Risks:
- The Traveler's EHR is compromised and has incorrect information.
- The Traveler is not healthy and has used a friend's lab results to acquire a health credential bound to the Traveler's did.
- Session hijacking mitigated with HTTPS and session cookies.
- MitM attacks mitigated by hardware token bound to origin URL of verifier.
- Note that the late binding token could be bound to the travel supplier as well, as needed.
- The identity of the verifier/validator is discoverable by the travel supplier.
- User makes choices on which attributes are trusted for sharing with the travel supplier. (For example, the user could have both a vaccination credential as well as a positive lab result.)
Post Condition:
- If validation is accepted and the traveler completes payment, access to the travel conveyance is granted.
- Note that at the end of the process of validating the traveler's health, the state-issued conditions for travel will determine which path to use. A travel supplier that fails to follow correct verification procedures could face civil penalties, including loss of use of the travel trust registry.
Examples:
- Late binding token - FIDO U2F token, TEE TPM VSC, etc.
- Client-side code: JavaScript in a browser, native app, etc.
- Biometric matching is done in person by the Agent.
- Biometric matching is done by the smartphone which can unlock access directly.
- Access to efficient health services for tourists - an evaluation of the economic benefits shows other places where digital travel credentials can be helpful.
Dependencies:
- Web Sites must be trusted before any user information is released.
- Trust federations can be used to help users make informed decisions.
- User consent and trust must begin with no traveler information transferred.
- Standards exist to collect needed attributes wherever they may be.
Problems:
- Oppressive governmental or other agencies may track the traveler.
- The people's right to travel when and where they wish is abridged.
- It could backfire in preventing sick people from traveling to a place where they can be cured.
- A traveler is blocked from legitimate travel because of bureaucratic or technical malfunctions.
- Most travel notification systems are highly privacy invasive. Consider the IATA system:
IATA Timatic is used by airlines and travel agents to verify passenger travel document requirements for their destination and any transit points. Airlines use various Timatic solutions to ensure their customers are compliant with border control rules and regulations. Timatic delivers personalized information based on the passenger's destination, transit points, nationality, travel document, residence country etc.
- The promise and perils of vaccine passports from the Economist 2021-01-26 - They are divisive, politically tricky and probably inevitable
Open Questions
The questions that are known so far are:
- What rules will be applied to create a COVID or vax card from the various lab reports. Current thinking is a policy framework that can be filled in as governmental rules change to adapt to the progress against COVID.
- Who will apply the rules to the lab results and create the card. This may not need to be solved immediately.
- What events should create updates to the card. Changes could be created by changes in scientific knowledge or governmental policy.
- How would updates be propagated to the card. Perhaps the card needs a very short lifetime, like 24 hours before travel commences.
- For SSI geeks, the various lab reports can be viewed as verifiable credentials.
- The vax card can be viewed as a verifiable presentation.
Workflow Diagram
TK
References
- Digital Travel Credentials (https://www.icao.int/Meetings/TRIP-Symposium-2019/PublishingImages/Pages/Presentations/Digital%20Travel%20Credentials.pdf) (2019-06-25) TRIP 15th Symposium, Louise Cole
- Int'l Certificate of Vaccination or Prophylaxis (https://en.wikipedia.org/wiki/International_Certificate_of_Vaccination_or_Prophylaxis). The Yellow Card.
- Covid Vaccination Scams (https://www.nytimes.com/2021/02/06/health/covid-vaccination-card.html) from bad actors can overwhelm credential efforts that are not prepared for them.
- Emirates to Become one of the First Airlines Globally to Trial IATA Travel Pass (https://www.iata.org/en/pressroom/pr/2021-01-19-01/) released 2021-01-19
- The IATA plan is to have travel pass available on app stores in 2021 Q1 (https://www.iata.org/contentassets/43b7bfbb70ad4db18d47c41f34c9a38e/iata-travel-pass-media-briefing.pdf).
- The wiki page Phone as Health Care Credential
- Two tech groups say they’ll merge efforts on digital vaccine cards (https://www.nbcnews.com/news/us-news/live-blog/2020-12-16-covid-live-updates-vaccine-news-n1251352/ncrd1251445#liveBlogHeader)
  - Linux Foundation Public Health (https://www.lfph.io/)
  - Covid-19 Credentials Initiative (https://www.covidcreds.org/); The CCI Governance Framework, a “level 3” governance framework for digital credentials (https://wiki.trustoverip.org/download/attachments/65792/CCI%20GF%20Intro%20-%20200701.pptx.pdf?version=1&modificationDate=1594675254401&api=v2)
- VCI Vaccination Credential Initiative (https://www.fiercehealthcare.com/tech/microsoft-epic-and-mayo-clinic-join-effort-to-accelerate-digital-covid-19-vaccine-records) news report
  - Nashville Health Care Council Video (https://www.youtube.com/watch?v=f9NwOCkuelc&%3Bfeature=youtu.be) about Change Healthcare Covid-19 push credential (https://www.changehealthcare.com/covid-19) into smartphone wallet.
- The Trump Administration started an initiative (https://www.usatoday.com/in-depth/news/2020/12/16/covid-19-vaccine-data-supply-chain-software-immunization-registry-tiberius/3879655001/) that is incredibly complex. Any such complexity is certain to break reliability, and reliability is what anyone trying to board an airplane wants.
- IBM Digital Health Pass (https://www.ibm.com/products/digital-health-pass) is designed to provide organizations with a smart way to bring people back to a physical location, such as a workplace, school, stadium or airline flight.
- Coming Soon: The ‘Vaccine Passport’ (https://www.nytimes.com/2021/02/04/travel/coronavirus-vaccine-passports.html) New York Times 2021-02-04
- Vaccine passports and COVID status apps: call for public evidence (https://www.adalovelaceinstitute.org/news/vaccine-passports-covid-status-apps-call-public-evidence/) Ada Lovelace Institute
- International monitor: vaccine passports and COVID status apps (https://www.adalovelaceinstitute.org/project/international-monitor-vaccine-passports-covid-status-apps/) A tracker collating developments in policy and practices around vaccine certification and COVID status apps as they emerge around the world. (866 kB)
- Lumedic Launches New Digital Health Passport That Offers Providence Patients Secure Digital Proof of COVID-19 Vaccination Status (https://www.prnewswire.com/news-releases/lumedic-launches-new-digital-health-passport-that-offers-providence-patients-secure-digital-proof-of-covid-19-vaccination-status-301221741.html) in conjunction with Providence hospitals, like Swedish