Digital Travel Credentials

Full Title

Digital Travel Credentials with a focus on Health Credentail Use Case.

Context

To provide reasonably high assurance that a traveller has the Health and other Credentials needed to travel.

• This effort is essentially a proposal to replace the Yellow Card or vaccine passports with Digital Travel Credentials.

Goal

To allow digital proof of a traveler's compliance with requirements for travel that are collected from among many Credential Service Providers. For example: acceptable proofs might inlcude:

1. negative test for a variety of health conditions, like COVID-19.
2. a current certificate of vaccination of a particular disease which often depends on the area to which, or from which, a traveler visits.

Actors

1. Traveler with a portable computing device called hereinafter a smartphone without prejudice to other devices that may meet the criteria.
2. Electronic Health Record (EHR) holds thee actual health event information.
3. Credential Service Provider can generate a health travel credential.
4. Verifier of health credential (also can validate binding to Traveler)
5. Access Agent that receives the verifier presentation and allows access of the Traveler.
6. Suppler of travel accommodation.
7. Internationally recognized Travel Trust Authority with an internet accessible registry.

Note that many of the actors are roles that could be performed by the same entity, for example in some jurisdictions 2 and 3 could come from the same service.

Preconditions

• The Traveler has a smartphone, that can create a verifiable Presentation of the health information.
• The Traveler has acquired a persistent identifier which is linked to a public key pair, like a did and did document.
• The Traveler has loaded a health credential into the smartphone.
• The Traveler's smartphone or the trusted authority has a binding to a proof of presence method.

Scenarios

Primary Scenario:

1. Traveler has a ticket to ride from a supplier they have not previously used.
2. Traveler is informed of the requirement for a Health Travel Credential.
3. Traveler acquires Credential from a health care provider, for example a lab, which creates a record in an EHR.
4. An approved Credential Service Provider accepts the record from the EHR and creates a Health Credential meeting the criteria of the Trust Registry.
5. Access Agent asks traveler for a verifed claim of Health with a nonce.
6. Traveler smartphone sends verifiable Presentation of the Health credential they acquired from verifier.
7. Access Agent asks verifier for proof. (This would be by redirect to verifier through traveler browser)
8. Verifier supplies validated claim (or statement of non-revocation) bound to nonce by redirect to Supplier, if this VC is bound to the traveler’s session with supplier, it can have a lifetime of the duration of bound session.

Alternative Paths:

1. Traveler has a ticket to ride.
2. Access Agent asks traveler for a verifed claim of Health with a nonce.
3. Consumer asks verifier directly for proof with nonce from Supplier.
4. Verifier asks consumer to enter token for proof of presence.
5. Verifier send validated claim with nonce of supplier with short expiration time (10-20 mins - alternate life time of duration of session).
6. Consumer sends verified claim to supplier.
7. Monetization is by advertising from verifier to consumer.

A different path using biometrics:

1. Yoti, a London-based startup which wants to become the “world’s trusted identity platform”, is one of many attempts to provide such a service. Its system stores government id documents and biometrics. If a travel want to use self-check-in and needs to prove their health, they scan a qr code and take a selfie using Yoti’s app. The retailer can be sure of their age, but no one has seen their name or nationality. From the Financial Times.

Failed Paths:

1. Traveler does not get verified claim for some reason.
2. Verified claims fails validation at verifier.
3. Verified claims are false.

Results

Accepted Risks:

1. The Traveller's EHR is compromised and has incorrect information.
2. The Traveller is not healthy and has used a friend's lab results to acquire a health credential bound to the Traveller's did.
3. Session hijacking mitigated with HTTPS and session cookies.
4. MitM attacks mitigated by hardware token bound to origin URL of verifier.
5. Note that the late binding token could be bound to travel supplier as well as needed.
6. The identity of the verifier/validator is discoverable by the travel supplier.
7. User makes choices on which attributes are trusted for sharing with the travel supplier. (For example the user could have both a vaccination cred as well as a positive lab result.)

Post Condition:

1. If validation accepted, and traveler completes payment, the access to the travel conveyance is granted.
2. Note that at the end of the process of validating the traveler's health, the state issued conditions for travel will determine which path to use. The penalty for the trvel supplier follow correct verification proceedurs could result in civil penalties, including loss of use of travel trust registry.

Examples:

1. Late binding token - FIDO U2F token, TEE TPM VSC, etc.
2. Client side code - javascript in a browser, native app, etc.
3. Biometric matching is done in person by the Agent.
4. Biometric matching is done by the smartphone which can unlock access directly.

Dependencies:

1. Web Sites must be trusted before any user information is released.
2. Trust federations can be used to help users make informed decisions.
3. User consent and trust must begin with no traveler information transferred.
4. Standards exist to collect needed attributes where-ever they may be.

Problems:

1. Oppressive governmental or other agencies may track the traveller.
2. The people's right to travel when and where they wish is abridged.
3. It could back-fire in preventing sick people from travelling to a place where they can be cured.
4. A traveller is blocked from legitimate travel because of burocratic or technical malfunctions.

Open Questions

The questions that are known so far are:

1. what rules will be applied to create a COVID or vax card from the various lab reports
2. who will apply the rules to the lab results and create the card.
3. what events should create updates to the card
4. how would updates be propagated to the card.

• for SSI geeks, the various lab reports can be viewed as verifiable credentials.
• the vax card can be viewed as a verifiable presentation.

Workflow Diagram

TK

References

• Digital Travel Credentials (2019-06-25) TRIP 15th Symposium Louise Cole
• The wiki page Phone as Health Care Credential
• Two tech groups say they’ll merge efforts on digital vaccine cards
  • Linux Foundation Public Health
  • Covid-19 Credentials Initiative The CCI Governance Framework a “level 3” governance framework for digital credentials