This blog post is the first of a two-piece series on COVID certificate verifications by the Global COVID Certificate Network (GCCN), an LFPH initiative that facilitates the safe and free movement of individuals globally during the COVID pandemic. LFPH recently completed the proof-of-concept (POC) of the GCCN Trust Registry Network, a highly scalable and flexible trust infrastructure for COVID certificates, and will host two webinars about the POC, each with a live demo and Q&A session: on May 10, 2022 at 8 am ET / 2 pm CEST, and May 11, 2022 at 7 pm PT / (+1d) 10 am HKT.
The world continues to grapple with safe processes and procedures to bring international travel back to normal through COVID certificate systems. The idea is simple—show a valid certificate that suggests satisfactory COVID status and you are cleared to fly. Does that remind you of another document we were already using prior to COVID?
Yes, a passport is a sensitive term these days. It is technically important to make a clear distinction between a passport and a COVID certificate. A passport is an identity and travel document required for border crossing at all times. By contrast, a COVID certificate is essentially a form of medical record whose presentation is only needed for dealing with the pandemic. We strongly recommend against mixing the terms together, as in “vaccine passport”.
However, to answer the question of how a border control officer can know if a COVID certificate is valid, it is important to understand the technical architecture behind today’s passport system. This will explain why we can’t use the same architecture for COVID certificates at the global level and why the Global COVID Certificate Network (GCCN) Trust Registry Network is needed.
Understanding the mechanics of ePassports
A machine readable non-electronic passport has been essential for international travel for a long time. With advancements in technology, many countries have upgraded to ePassports, which add one security feature to the non-electronic passport: an embedded RFID chip that stores our biometrics (see picture below). The purpose of an embedded chip is quite clear—reducing the possibility of fraud. Let’s look at how it does that.
The International Civil Aviation Organization (ICAO), a specialized UN agency, defined the global standard for countries to follow when issuing non-electronic passports and ePassports. This ensures countries can recognize passports from each other.
To issue an ePassport, each country needs to establish a single national trust point operated by a government agency (e.g. in Germany, that is the Federal Office for Information Security). The national government agency then generates a digital certificate as the root of digital trust for itself and uses this certificate to issue another type of digital certificate to the agencies that issue ePassports to citizens day-to-day, e.g. embassies and domestic passport agencies. When these passport issuing agencies issue ePassports, they sign the documents with the private keys associated with the digital certificates issued by the national government agency. This generates a digital signature which is added to an ePassport. The digital certificate of the national government agency, the digital certificates of the passport issuing agencies and the digital signatures in the ePassports then form chains of trust. One end of the chain is anchored in the authority of the issuing country and the other in the chips of ePassports.
When using ePassports to cross borders, the border control system retrieves the digital signature from the chip and validates the authenticity by checking backwards along the chain of trust to ensure that a digital signature comes from a valid passport issuing agency and the digital certificate of the passport issuing agency is issued by the national government agency.
To conduct the ePassport validation, the receiving country needs to have the public key of the issuing country, which is paired with the private key used by the issuing country to issue the ePassport in the first place. ICAO offers a trust anchoring service for countries to easily and securely exchange and access each other’s public keys. Some countries build their own directory through bilateral exchanges or use ICAO’s public download service. Regardless of how it is implemented, in the end the functionality is the same: a federated network for validating digital signatures.
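The backwards chain-of-trust check described in this section, as an added example (not ICAO's or LFPH's code). It is simplified: Ed25519 stands in for whatever algorithm a country uses, a "certificate" is just the agency's public key signed by the national trust point (real ePassports use X.509 certificates), and all type and function names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// AgencyCert is a simplified certificate (assumption): the issuing agency's public
// key signed by the national trust point. Real ePassports use X.509 certificates.
type AgencyCert struct {
	AgencyKey ed25519.PublicKey
	RootSig   []byte
}

type EPassport struct {
	Data, Sig []byte // chip data and the issuing agency's signature over it
	Cert      AgencyCert
}

// Verify walks the chain backwards; the verifier holds only the national public key.
func Verify(p EPassport, national ed25519.PublicKey) error {
	switch {
	case len(p.Cert.AgencyKey) != ed25519.PublicKeySize:
		return fmt.Errorf("malformed agency key")
	case !ed25519.Verify(p.Cert.AgencyKey, p.Data, p.Sig):
		return fmt.Errorf("chip data not signed by the agency in the certificate")
	case !ed25519.Verify(national, p.Cert.AgencyKey, p.Cert.RootSig):
		return fmt.Errorf("agency certificate not issued by the national trust point")
	}
	return nil
}

// Demo (constructed keys and data) returns the results for a genuine passport,
// one with altered chip data, and one issued under a self-made certificate.
func Demo() (genuine, altered, rogue error) {
	natPub, natPriv, _ := ed25519.GenerateKey(nil)
	agPub, agPriv, _ := ed25519.GenerateKey(nil)
	data := []byte("constructed chip data: JANE EXAMPLE")
	p := EPassport{data, ed25519.Sign(agPriv, data), AgencyCert{agPub, ed25519.Sign(natPriv, agPub)}}
	bad := p
	bad.Data = []byte("constructed chip data: JOHN EXAMPLE")
	rPub, rPriv, _ := ed25519.GenerateKey(nil)
	fake := EPassport{data, ed25519.Sign(rPriv, data), AgencyCert{rPub, ed25519.Sign(rPriv, rPub)}}
	return Verify(p, natPub), Verify(bad, natPub), Verify(fake, natPub)
}

func main() { fmt.Println(Demo()) }
```

The third case is internally consistent (its signature matches its own certificate) and fails only because the verifier anchors the chain in a national key obtained out of band.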
The ePassport system cannot be used for COVID certificates
Could we use the ICAO trust anchoring approach for validating COVID certificates? While we want a global mechanism for COVID certificates that ensures the same level of security, the current ePassport model cannot address the level of complexity we face with COVID certificates, for three reasons.
First, there are no established trust chains for COVID certificates. As described above, every country already has established simple trust chains for ePassports. Unfortunately, COVID certificates are not as centralized or coordinated — even if we only consider the simpler cases of vaccine certificates and test results.
- Since vaccinations are given at the national level in many countries, it is more feasible to develop a chain of trust similar to what we see in the ePassport system. But if test results need to be included as well, it gets much harder. There are many different organizations and sites issuing tests, making it a very fragmented landscape. In addition, the government is often much less involved in the testing system, making a top-down chain of trust very expensive and difficult to build.
- Many trust chains for test results have emerged from the private sector that work in parallel to government-operated ones. It doesn’t appear that we will have one clear national central authority in every country like we do in the ePassport situation.
Second, there are no universal/dominant standards and policies (governance) that most authorities are following. If you are interested in learning about the four major standards that governments are implementing, check out this article we wrote. Unlike ePassports, there is no universal or even a dominant standard that everyone is following, and currently no interoperability between the standards.
- The EU Digital COVID Certificate (DCC) has the greatest adoption among countries, but it is unlikely that all countries and jurisdictions will adopt this one standard because they are not agreeing on all the technical aspects for a COVID certificate system nor the policies for the issuance of these certificates, e.g. applicable vaccine types and brands, number of doses, applicable test types and vendors. India continues to move ahead with the DIVOC specification.
- In the near term, there is likely to be further convergence on the technical front but the likelihood of policy alignment is low. This means countries will need to check and understand each other’s policies before deciding if they can accept a COVID certificate from one another, even if they are technically interoperable.
- We don’t have such fragmentation of standards and policies with ePassports because everyone is following the same rules defined in the ICAO standard.
Third, COVID certificates are being used much more broadly than ePassports. While this may not apply to the question of how a border control officer knows if a COVID certificate is valid, it is important to consider the real-world usage of COVID certificates which can be used much more broadly than crossing borders, for activities such as entering a sports venue and dining in at a restaurant.
- There is currently a high level of uncertainty regarding who will need to verify COVID certificates as policies keep changing and evolving.
- The current ePassport mechanism only allows a limited group of entities, primarily border control offices, to participate as verifiers who can access the issuing countries’ signing information and check signatures against it.
- The private sector organizations, who are either mandated or voluntarily validating COVID status, struggle to get the issuing countries’ signing keys to do meaningful checks of international travelers.
Given all of this, we do not believe that from a technical point-of-view the current ePassport mechanism is sufficient for COVID certificates at the global level. However, we do expect many ecosystems using a centralized or federated trust anchoring service for public key access and exchanges, like the ICAO service and the EU Gateway, to co-exist. Some may be run by governments while others will be operated by private sector organizations.
To help a border control officer know if a COVID certificate is valid, we need a global trust architecture—a platform managed in a decentralized manner, to bring all these disparate ecosystems together and to provide a mechanism that allows them to determine who they trust and then access trusted parties’ signing information to verify COVID certificates. This approach will ultimately result in the border control officers being able to validate COVID certificates as easily as ePassports, with only one additional check: whether the certificate comes from an issuer trusted by its country.
We are solving this problem with the GCCN Trust Registry Network
Recognizing these challenges regarding decentralization, coordination and broader use, we launched the Global COVID Certificate Network (GCCN) at LFPH in June, with an initial focus on building a Trust Registry Network. The GCCN Trust Registry Network allows different COVID certificate ecosystems, which can be a political and economic union (e.g. the EU), a nation state (e.g. India), a jurisdiction (e.g. New York State), an industry organization (e.g. ICAO) or a company (e.g. IBM), to join as a Network entry and find each other on the Network, and look up information on each other’s COVID certificate policies—a discovery mechanism. Then based on the discovery, countries will decide whose certificates they accept and use the Network to contact trusted parties and get their public keys for signature validation.
The steps of looking up information and deciding whose certificates to accept don’t exist in the ePassport mechanism because we know all participants are known nation states and everyone is practicing the same standard. COVID certificates need a more decentralized architecture because the issuers are not as well-defined and the standards about what constitutes a valid certificate have not been agreed upon at a global level. The GCCN Trust Registry Network provides a discovery mechanism for trust building as well as a way for countries and other COVID certificate issuing entities to easily and securely exchange and access each other’s signing keys once they decide to trust one another. The trust building could also be an ongoing process as new entries will be added and old entries updated.
LFPH has defined the initial confirmation needed for each entry of the Network and looks to work with partners with expertise in governance to further define a reference governance framework. The initial confirmation of each entry includes making sure they are who they say they are – and that they are submitting legitimate information (see a snapshot of the entry submission form below). Shaping this process will be a key part of the governance element. Any verifiers that want to use the Network for validation will use it as a discovery platform first to determine who they are going to trust as issuers and build their own trust list of trusted issuers. This accelerates the process of agreeing verification between countries.
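An added example of the discover, decide, then verify flow described above (not GCCN code). The registry record fields, the `MinDoses` policy, the ecosystem names and the use of Ed25519 are assumptions made for illustration; it shows that a certificate with a valid signature is still rejected when its issuer's published policy does not meet the verifier's own rules.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Entry is a hypothetical registry record; the page defines no schema.
type Entry struct {
	ID       string
	MinDoses int // published policy: doses required before a certificate is issued
	Key      ed25519.PublicKey
}

// BuildTrustList is the discovery step: keep the keys of entries whose policy the verifier accepts.
func BuildTrustList(reg []Entry, accept func(Entry) bool) map[string]ed25519.PublicKey {
	trusted := map[string]ed25519.PublicKey{}
	for _, e := range reg {
		if accept(e) && len(e.Key) == ed25519.PublicKeySize {
			trusted[e.ID] = e.Key
		}
	}
	return trusted
}

// Verify checks trust-list membership first (the extra step ePassports lack), then the signature.
func Verify(issuer string, payload, sig []byte, trusted map[string]ed25519.PublicKey) error {
	key, ok := trusted[issuer]
	switch {
	case !ok:
		return fmt.Errorf("issuer %q is not on this verifier's trust list", issuer)
	case !ed25519.Verify(key, payload, sig):
		return fmt.Errorf("signature does not verify under the key of %q", issuer)
	}
	return nil
}

// Demo uses constructed entries, keys and payload; the verifier's rule is "at least 2 doses".
func Demo() (good, offPolicy, forged error) {
	aPub, aPriv, _ := ed25519.GenerateKey(nil)
	bPub, bPriv, _ := ed25519.GenerateKey(nil)
	reg := []Entry{{"ecosystem-a", 2, aPub}, {"ecosystem-b", 1, bPub}}
	trusted := BuildTrustList(reg, func(e Entry) bool { return e.MinDoses >= 2 })
	msg := []byte("constructed certificate payload")
	return Verify("ecosystem-a", msg, ed25519.Sign(aPriv, msg), trusted),
		Verify("ecosystem-b", msg, ed25519.Sign(bPriv, msg), trusted),
		Verify("ecosystem-a", msg, ed25519.Sign(bPriv, msg), trusted)
}

func main() { fmt.Println(Demo()) }
```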
Now that we understand the technical mechanism behind the scenes that enables border officers to check the validity of COVID certificates, you can learn more in our follow-up article here about how a border officer will know if a traveler actually meets COVID entry rules and what roles the GCCN Trust Registry Network is playing in the complete end-to-end verification process.
We completed the PoC of GCCN Trust Registry Network in March 2022. You can check the release here and reach out to us at email@example.com if you have any questions.