Europe has defined a system for certifying COVID-19 status in terms of vaccination status, test status and recovery following a positive test. To make the system secure, they devised a QR code format (known as ‘HC1’). In simple terms, this QR code contains the requisite data in a defined format, which is given an issue date and time and an expiry date and time and is then digitally signed. It is a very secure and well-architected solution to a very tightly defined problem, e.g. certifying that an individual has been vaccinated. It is not, nor was it ever, intended to be used for identification; quite the reverse, it was intended to be used in conjunction with some form of identification, e.g. with a passport in the context of foreign travel.
So why has the Scottish Government made such a poor job of implementing something which had already been designed and implemented across the rest of Europe?
I have two primary complaints about the implementation of this app.
My first concern is why it only generates QR codes with a validity of 3 days. This seems to be over-engineered and pointless when they issue paper QR codes with a validity of 1 year. Not only does this difference seem needless and overcomplicated, but it also comes across as something very underhand, given that it is hidden and not called out in any of the accompanying guides or descriptions.
My second concern is around how the expiry date and time are handled within the app. The app doesn’t do anything differently if the QR code has expired. It merely displays the expiry date with nothing to highlight it has expired. So really what’s the point of expiring every 3 days when it doesn’t even flag the fact when it has expired? Incidentally, I found it was possible to have an expired QR code that didn’t get renewed before it expired as it didn’t appear to use the expiry time, only working on the expiry date.
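To make the date-versus-time point concrete, here is an added example (not code from the app or from any project mentioned in this post). It assumes the issue and expiry times are the CWT claims 6 and 4 of the signed payload, that `now` is a timezone-aware UTC datetime, and it models the date-only comparison as a guess at how such a check could behave; the function names and the sample values are made up for illustration.

```python
from datetime import datetime, timedelta, timezone

# CWT claim keys (RFC 8392) in the signed payload: 6 = issued-at, 4 = expiry,
# both in seconds since the Unix epoch.
IAT, EXP = 6, 4

def utc(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc)

def status_full(claims, now):
    """Compare complete timestamps: expired from the expiry second onwards."""
    if now < utc(claims[IAT]):
        return "not-yet-valid"
    return "expired" if now >= utc(claims[EXP]) else "valid"

def status_date_only(claims, now):
    """Assumed flawed variant: compares calendar dates and ignores the time."""
    if now.date() < utc(claims[IAT]).date():
        return "not-yet-valid"
    return "expired" if now.date() > utc(claims[EXP]).date() else "valid"

def stale_window(claims):
    """How long the date-only check keeps accepting an expired certificate."""
    exp = utc(claims[EXP])
    midnight = exp.replace(hour=0, minute=0, second=0, microsecond=0)
    return midnight + timedelta(days=1) - exp

def review(claims, now):
    """Summary a holder or verifier screen could show for one certificate."""
    full, lax = status_full(claims, now), status_date_only(claims, now)
    return {
        "validity_period": utc(claims[EXP]) - utc(claims[IAT]),
        "status": full,
        "date_only_status": lax,
        "accepted_after_expiry": full == "expired" and lax == "valid",
    }

# Constructed sample: issued 2021-11-01 09:30:00 UTC with a 3-day validity.
ISSUED = int(datetime(2021, 11, 1, 9, 30, tzinfo=timezone.utc).timestamp())
SAMPLE = {IAT: ISSUED, EXP: ISSUED + 3 * 86400}

if __name__ == "__main__":
    evening = datetime(2021, 11, 4, 18, 0, tzinfo=timezone.utc)
    print(review(SAMPLE, evening), stale_window(SAMPLE))
```

With the sample above, a check made on the evening of the expiry day is "expired" by timestamp but still "valid" by date, and that gap lasts until midnight UTC.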
As I mentioned, this seems incredibly poor considering what had already been developed across the rest of Europe. One of the best implementations I’ve found comes from a group of students in Austria. I’m just hoping it gets updated to handle UK-issued QR codes.
Having spent a lot of time looking into this I wanted to document my thoughts and discoveries. I’ll start slightly in reverse, i.e. my conclusions about the best way of complying digitally with the Covid Passport and then delve much further into the detail for those techies who might be interested.
My conclusion around the app is indeed to use the GreenPassApp which is the result of cooperation by three students at the University of Upper Austria and the Austrian Red Cross. It is also an open-source project so you can review the code if you wish and of course it doesn’t contain any advertising and is free.
The app is available for download from the Apple App Store and had been available from the Google Play Store but was removed. Here is a link to the backstory, where you can make up your own mind about whether Google was justified in their actions. Anyway, the result is that if you want to install on Android you should download directly from the App’s homepage.
Once installed on whatever device (tablet or phone) just obtain your printed QR code (either letter or downloaded PDF) and scan the barcodes into the App. The App accepts QR codes that are valid under the European Scheme and hence Scottish QR codes for international travel generated on or after the 1st of November 2021. It is also one of the very few Apps which displays the timestamped expiry date for the generated QR code which I think is so useful.
Now let’s delve deeper into the technical details
First, a quick review of terminology is useful, especially when searching for background info. The European scheme started off life known as the Digital Green Certificate scheme, which is why you will see the terms DGC and Green Pass commonly used in conjunction with the scheme. However, it was later changed to the European Union Digital Covid Certificate or EUDCC scheme.
When Scotland first started issuing signed QR codes they were signed with either sprdkey1 or sprdkey2. Now, this is quite ironic because they only issued the QR codes with a 3-day validity period while both of these signer certificates had a 4-year validity period. This is no doubt part of the reason why, to issue EUDCC-compliant QR codes, they first had to generate a new signer certificate with a maximum validity period of 2 years. What’s even worse about all this is that this information is only available because it’s been shared publicly by other European partners, which shows a complete lack of openness from the Scottish Government. The EUDCC scheme shares quite a bit of information about the scheme rules and the list of trusted signer certificates. See section 3.2, Certificate authorities, validity periods and renewal, of the Technical Specification for Digital Green Certificates (this is well worth a read). However, it is left up to the local nation to confirm the details of their root certificate, in other words to cement the founding block upon which the entire trust chain is based. You’ve guessed it, the Scottish Government doesn’t publish the details of their root certificate.
Interestingly, sprdkey1 and sprdkey2 (along with wprdkey1 and wprdkey2) were both issued from the issuer: “C=GB, O=SCOTNHS, OU=IT, CN=SCOTTEMPCA”. I’d suggest it is not a good look to issue live production certificates from something called SCOTTEMPCA.
Now that the UK has been added as a Non-EU country to the EUDCC scheme, the following four Country Signing Certificate Authority (CSCA) root certificates have been generated but, as I said, not made publicly available as the foundation of the trust model. The UK does openly publish a list of valid signer certificate public keys which, while useful, doesn’t embrace the trust model properly.
CSCA Certificate CN=CSCA_DGC_GB_NI_01, OU=DHCNI, O=Department of Health, L=Belfast, ST=NI, C=GB
CSCA Certificate CN=Scotland DCC CSCA, ST=Scotland, O=NHS Scotland, C=GB email@example.com
CSCA Certificate CN=Northern Ireland DCC CSCA, OU=DHCNI, ST=Northern Ireland, O=Department of Health, C=GB firstname.lastname@example.org
CSCA Certificate CN=England DCC CSCA, O=NHS Digital, C=GB email@example.com
Because these certificates aren’t publicly available, that’s all I know about them, e.g. neither issue nor expiry dates.
However, thanks to our European partners we can glean the following 7 Digital Signer Certificates that have been issued from these roots and incorporated into the list of trusted signers.
Document Signer CN=DSC_DGC_GB_NI_01, OU=DHCNI, O=Department of Health, L=Belfast, ST=NI, C=GB Vaccinations
Document Signer CN=DSC_DCC_GB_JE_02, ST=Jersey, O=NHS Digital, C=GB
Document Signer CN=DSC_PRD_GB_NSS_01, ST=Scotland, O=NHS Scotland, C=GB 184.108.40.206.220.127.116.11.1, 18.104.22.168.22.214.171.124.2
Document Signer CN=DSC_DCC_GB_GG_02, ST=Guernsey, O=NHS Digital, C=GB
Document Signer CN=DSC_DCC_GB_GI_02, ST=Gibraltar, O=NHS Digital, C=GB
Document Signer CN=DSC_DCC_GB_IM_02, ST=Isle Of Man, O=NHS Digital, C=GB
Document Signer CN=DSC_DCC_GB_ENG_02, ST=England & Wales, O=NHS Digital, C=GB
Another significant feature of the scheme to be aware of is the lack of any facility to revoke an individual QR code. If invalid codes are issued (yes, this has happened) the only way to invalidate them is by revoking the signer certificate.
Being inducted into the formal European scheme has the advantage not only of greater freedom to travel but also greater freedom to find digital apps which will work and accept these QR codes. Most are better than the official Scottish app, but unless you know the language or they have the facility to operate in English, that can make things difficult. That said, I would recommend taking a look at the free open source app from the Hagenberg University of Applied Science called GreenPassApp.
Continuing down the techie rabbit hole, here is my cobbled-together Python script, along with the Python library requirements.txt, which decodes and verifies NHS-issued QR codes. It takes as a command-line argument the name of a graphic file (usually PNG) containing a single QR code.
Having emailed the RFC822 Name firstname.lastname@example.org as contained in the issuer and waiting six months, I eventually received a reply pointing me at the URL also contained in the issuer certificates, which is now live (it wasn’t 6 months ago when I tried).
Here you will find a root called eHealth Root and England, Scotland and Northern Ireland DCC CSCA intermediate certificate authorities thus completing the trust chain, at last.