It has become increasingly evident that to open up economies whilst ensuring the Covid-19 infection rate remains under control requires a mechanism whereby a person can present a document that proves they have received a vaccine.
The document needs to ensure the ‘verifier’ can know with confidence:
- All the information on the vaccination certificate is authentic and has not been tampered with (e.g., holder’s identity, vaccine details, dosage, date applied etc.)
- Who issued the vaccination certificate
- The issuer is a recognised and trusted entity, appointed by the Public Health Authority (PHA) of that country. The digital identity of the PHA itself needs to be known and trusted as a final root of trust to foreign countries.
The document can be used by either a domestic verifier (e.g. entry to sporting, entertainment or education events) or a foreign verifier (e.g. border control system at port of entry for international travel).
Paper certificates can be fraudulently obtained, tampered with, lost or damaged, so cryptographically protected ‘smart vaccination certificates (SVC)’ is the preferred approach. ePassport type PKIs are ideally suited to provide these security services, namely data integrity, source authentication and a scalable cross-border trust framework.
The World Health Organisation has taken the lead and developed guidelines for implementing SVC based on PKI technology and a cross-border trust framework which mirrors that of ICAO ePassports. ePassports are documents that make certain ‘claims’ that need to be authenticated cross-border by different verifiers for international travel to work.
This blog provides details of the WHO Smart Vaccination Certificate guidance and how Ascertia ADSS Server can be used to implement this. Contact us to learn more about this approach or to request a pilot deployment.
Please note the WHO guidance is still being finalised so details may change.
What is a Smart Vaccination Certificate?
A Smart Vaccination Certificate (SVC) is a digital medical document that records information on the vaccination(s) that an individual has received. It can be stored in a smartphone or cloud-based server. It can be presented as a paper form, where the paper record links with its ‘digital twin’ using 2D barcodes. It can also be distributed in the form of a PDF which also contains the barcode:
The WHO already provides a paper-based vaccination certificate referred to as the ‘Yellow Book’ and the same concept is re-used but strengthened by the WHO with digital signatures issued through a global PKI trust framework. This can be thought of as a trusted ‘Yellow Book’.
What is the WHO trust framework?
PKI can provide digital trust services, but it requires a set of rules known as a trust framework to ensure technical interoperability and a governance mechanism which ensures real-world trust.
The WHO trust framework is a mechanism that allows any Member State to verify medical documents issued by another Member State are authentic and have not been tampered with. This is achieved by having a consistent set of rules for everyone to follow.
The WHO trust framework leverages PKI to establish a cryptographically protected trust framework for SVCs. It requires Public Health Authorities (PHAs) in Member States to establish and maintain a domestic PKI system with appropriate authorities, applications, people and processes to support the issuance and verification of SVCs.
The WHO trust framework relies on a PKI chain of trust starting with the Country Signing CA (CSCA), to the vaccination certificate issuers, and finally to the actual vaccination certificate that the individual holds. Cross-border interoperability and trust in foreign top-level CSCA root certificates is achieved through a centralised Public Key Directory (PKD) managed by the WHO.
The WHO plays the role of a trust broker identifying the root CA of each Member State, which other Member States can rely on. Bilateral exchange of root CA keys between states is also possible, although obviously this approach is not as scalable.
The SVC issuance Process
The following diagram explains the SVC issuance process:
There are some pre-requisites. Each country must set-up a PKI according to the WHO Trust Framework. This requires setting up a Country Signing CA (CSCA) and publishing its certificates to the WHO global Public Key Directory so that all foreign verifiers have access to a trusted copy of the country’s final trust point when verifying SVC signature chains.
The CSCA will normally be the responsibility of the PHA within the country and it must also establish a ‘Document Signer’ technical component whose role is to sign each Smart Vaccination Certificate that is issued. There could be multiple Document Signers (SVC issuers) within the country depending on how public health services are organised within the country.
The process is as follows:
- A person visits a healthcare site and receives a vaccine. The healthcare system sends the person’s details, vaccination information and related parameters to the Document Signer for signing.
- The Document Signer returns a digitally signed SVC using its secure PKI key held inside a Hardware Security Module (HSM) for maximum security. The digital signature is available as a 2D barcode.
- The healthcare system makes the digitally signed barcode available to the user via their PHA smartphone app, PDF (sent to the user’s email address or downloaded from PHA portal) or printed as a paper certificate.
SVC Verification Process
The following diagram explains the SVC verification process:
The process is as follows:
- The verifier (its IT systems) obtains the top-level CSCA certificate from the National Public Key Directory (PKD), which in turn gets it from the global WHO public directory - the ultimate source of all Member State CSCA certificates. The CSCA certificate contains the trusted public key of the PHA of that country.
- The verifier uses this trusted public key to verify the certificate of the Document Signer of the issuer country and thus obtains their trusted public key.
- The Document Signer’s public key certificate is used to verify the signature on the SVC. This produces an immediate trusted or not trusted result for the vaccination certificate.
The actual verification process is more sophisticated than explained above, (e.g. the revocation status of each certificate is checked to ensure they are still valid at the time of verification). This is achieved through the use of Certificate Revocation Lists (CRLs), a standard PKI approach.
Binding of the Individual’s Identity to the SVC
The Smart Vaccination Certificate is basically an ‘attribute’ certificate that contains a user’s identity (e.g. full name, national ID, health ID, immunisation information system ID, medical record ID) together with their vaccination details. The WHO approach does not introduce a new digital identity method, instead it relies on:
- The user’s identity being checked by the healthcare system before administering the dose (e.g. via their ID card, health card, passport or other government issued ID).
- At the time of verification, the verifier will check the individual’s identity as documented within the digitally signed SVC and compare this with the ID document the user is presenting (e.g. passport, ID card, health card, or other government issued ID). If the government issued document also contains biometric information (e.g. facial picture) then this is also compared with the individual presenting the document.
Key Benefits of the WHO Smart Vaccination Certificate Approach
The key benefits are:
- Cross-border interoperability: At both the governance and technical layer so all Member States are following the same rules.
- Accessibility: Uses existing and proven model for document signing, i.e. ePassports. It also uses standard PKI technology which provides the strongest levels of cryptographic security and is widely accepted for digital trust services globally. This ensures that SVCs are accessible to all.
- Equity: Ensures that SVCs do not further pre-existing inequities or create new ones.
- Protects privacy: Ensures that individual privacy rights are respected and protected
- Scalability, flexibility and sustainability: Ensures that SVCs can reach a global scale (an SVC from any Member State can be verified by any other Member State without requiring bilateral agreements between countries), are sustainable beyond the Covid-19 pandemic for future vaccination types, are adaptable for other contexts and uses, and take into account environmental sustainability of the various solutions implemented.
Implementing the National Trust Framework for SVCs using Ascertia
Ascertia can assist Public Health Authorities in any WHO Member State during the issuance and verification steps of SVC workflow as illustrated:
Ascertia can provide:
- The necessary PKI and digital signature components that are part of its standard ADSS Server product, including:
- Country Signing CA (CSCA)
- Document Signer (DS)
- Master List Signer (MLS)
- National Public Key Directory (NPKD)
- Online Verification Gateways for the verification of SVC from any WHO Member State. These gateways can provide a simple REST based interface to make the job of verifier IT systems simpler
- SDKs (in Java and .NET) to make the issuance and verification of SCVs simple for system integrators
- Comprehensive professional services to help establish the PKI and signing services including establishing governance framework, PKI documentation and technical services for secure PKI deployment and operations
The Ascertia ADSS Server presents a commercial off-the-shelf approach that follows ICAO ePassport standards, ensuring interoperability with the more than 100 States currently issuing ePassports and over 490 million ePassports in circulation. This enables SVC solutions to be rolled out quickly and cost-effectively using well-proven security approaches. Ascertia has an effective global network of partners that can advise on our solutions.
Other Vaccination Certificate Initiatives
There are a number of other approaches to smart vaccination certificates, often also referred to as Vaccine Passports, Covid Passports, Covid Certificates etc. The two main alternatives to WHO’s approach are:
- European Digital Green Certificate (DGC): The European Commission’s DGC initiative mirrors closely the work being done by the WHO in that it is also based on the same ePassports PKI based approach. The main limitation of the European model is that it is initially only aimed at travel within Europe, although it is expected to be integrated with the WHO framework at a later date. Interestingly, DGC is not only for vaccination certificates but can also be used to provide signed information of an individual’s Covid test results or proof that the individual has recovered from Covid. More details can be found on the European Commission’s website.
- IATA Travel Pass: IATA has defined an approach to vaccination certificates based on blockchain technology, decentralised IDs and verifiable credentials based on Self-Sovereign Identity (SSI) rather than a pure PKI approach. Although a number of airlines are backing this initiative, it is aimed at international travel only and not for other general purposes in country (e.g. attending sports events). Furthermore, because it is based on blockchain it introduces a set of new technologies and standards that are not yet fully mature, there is a lack of global interoperability, and lack of well-defined governance structure which can map cryptographic trust to real-world trust on a global basis. More information is available here: IATA - Travel Pass Initiative.
Contact us to learn more about how our solutions can be used to implement WHO Smart Vaccination Certificates or to request.