Stream: australia
Topic: Follow up from Health Cards webinar
Grahame Grieve (Oct 08 2021 at 02:35):
Question from the post-webinar survey:
Is it possible to "spoof" a trusted validator to get a valid QR code authenticated?
Answer:
In order to "spoof" a trusted validator you'd need to do one of three things:
- hack the website of a trusted issuer, and get their private key. Then you can impersonate them as much as you like until they find out about it, and repudiate the key. That's possible if the issuer is careless
- convince the commons project to register you under the name of a trusted issuer, when you aren't. That would require you to fool the humans who manage the registration process, and you don't know what that entails until you enter into personal (email) discussion with them.
- convince either the apple or google store to release an illegitimate verification app (or probably all of the verification apps) that wrongly claims your certificates are valid.
I'll leave it to the reader to decide how easy any of those paths are. But: you have to compare them with the security of any other approach, not against some non-approach.
Josh Mandel (Oct 08 2021 at 03:43):
Generally agree with the analysis here. But the final point about verification apps could be misleading. It's up to verifying parties to decide which issuers they want to trust. Verifying parties can write their own apps from scratch, or rely on an existing app, etc. It's not up to Google or Apple to decide who the valid issuers are, and there's not one universally true perspective on who the valid issuers are -- but the mobile app marketplaces do have rules in place so that any Covid-related applications need some jurisdictional public health endorsement before they can be distributed on the platform. Still, SMART Health Cards certainly do not require any kind of mobile app that is okayed by Google or Apple. Health Cards can be verified with a web application or a side-loaded native application, or a non-mobile app, etc. (This is a design feature, not a bug.)
Grahame Grieve (Oct 08 2021 at 03:59):
I was more thinking, you could try to replace the Smart Verifier App. Obviously you could write your own that did whatever you want.
Last updated: Apr 12 2022 at 19:14 UTC