admin-ch / covidcertificate-documents Goto Github PK

👋, is there a consolidated Installation and configuration document for the complete setup?

In the presentation from the 20th of may you introduced the OTP object such as:

However in the in the presentation from the 20th of may the OTP seems to be the same as a JSON Web Token with the validity of 12hrs:

It seems that there is some kind of inconsistency regarding the term otp within the presentation and documentation. From my understanding a one time password can only be used once whilst a JWT can be used until it expires (as long as it is valid). Are you able to clearify your terminology?

Hello

I am in my third Year as an apperntice to become an application Developer. I just implanted an nfc chip in my Hand and it would be really nice if I could save my covid certificate on my implant. And to read it form there so i dont have to take out my phone everytime i need to show it. Since most of the Smartphones today have the Functionality to read NFC Tags it should not be a problem to implement a Function that does exactly that on the Covid verifier App. Let me know what you think about the idea. If you think this idea is cool I will try to build a prototype with the API and send it to you for Evaluation.

I understand it will be used to cross country borders inside EU. What are the other use cases?

Who can verify a code?
Why not everyone can verify a code?

Sprechende schalten Mikrofon ein -> les personnes qui veulent parler allument leur microphone

Nichtsprechende schalten Videokamera und Mikrofon aus -> les personnes qui ne veulent pas parler éteignent leur caméra et leur microphone

haut-parleurs= enceintes ->Lautsprecher

What are the arguments to not use the yellow paper based International Certficate of Vaccination?

I just got a new one for 1.35 CHF and it's bug free.

WHO is also working on a digital version of this certificate https://www.who.int/ihr/ports_airports/icvp/en/

Their is a working group: https://www.who.int/groups/smart-vaccination-certificate-working-group

Why Swiss need their own version? Is is different from the WHO digital one? What are the specific features?

Their is a similar question in the EU parliament: https://www.europarl.europa.eu/doceo/document/P-9-2021-001802_EN.html

More generally about a digital passport, Mozilla nail it: "The question we need to ask ourselves is “is this vaccine passport system going to be empowering, or exclusionary?" https://foundation.mozilla.org/en/blog/digital-covid-vaccine-passports-five-key-takeaways/ . At a global scale, a digital only solution will definitely be exclusionary.

Hello,
how is the status of the requirement of the OTP?
I saw in the latest presentation (20210826_CovidZertifikat_Presentation_System_Integration.pdf) that the api call should work without otp.

Please correct the software for light certificate and do it finctionnal.

In the documentation you write that you will add support for copy/paste of data between application. Copy/paste is not a safe method of exchanging data, is there any sensitive data that will be exchanged this way ? In that case, is there any method to make it secure ?

The transformation service gets the light certificate from some API. (.../api/v1/certificate-light/generate/)

However, I wasn't able to find the implementation of this API. Can you please add the source code and documentation for this?

Also, the API used by the mobile apps is not documented.

Hi,

I am trying to load an EU certificate in the Covid Cert app, as I have been vaccinated abroad but am a resident of Switzerland. My understanding is that the EU and Swiss certs should be interoperable. However, even though in Covid Cert I see all the vaccine data being read from the QR, the signature is marked as invalid.
Is this because the EU verification is not yet in place from a technical perspective or is there some legislation issue that prevents it from being accepted?
Or, is it the case that the EU QR will never be approved in Covid Cert/Covid Check? Which would be a worst case scenario considering that event entrance is strictly based on the Swiss Covid Cert.

Thanks.

Especially older people who have devices with KaiOS or other operating systems without Android are not able to use the Covid Certificate app.

Carrying the A4 page around is also not up-to-date and suboptimal. Is it legally permissible to cut out the QR codes and stick them on the back of a Cumulus card (or bank card), for example?

To me, that would have been a perfect fit for such cases as certificates.

Verhindert wird dies (Fälschung) jedoch mit einer kryptografischen Signierung durch eine vom Bund autorisierte Person, sei dies eine Ärztin, ein Apotheker oder jemand im Impfzentrum.

Any random medical health person is safer than a public blockchain? From a technological standpoint, that sounds pretty weird.

Hello everyone, I wanted to ask in the round if someone had a similar situation and can possibly point us to a contact point, how we should proceed.

1. in our company we had a Covid-Master, who was equipped with all authorization from the BAG/BIT. However, it is now the case that this person is no longer working for us. Yet, according to BAG/BIT, this is the only person who can request a long-term OTP. The process for replacing this position does not seem to be defined. We are referred from one phone number to the next without really getting any help.

2. currently our long term OTP has expired. Unfortunately, we did not receive any reminder email regarding this. Due to the described situation (point 1), we are going through the same vicious circle again. Thus, we currently can not request certificates!!!

What we tried so far:

• Mail sent with all contacts with whom we had something to do so far.
• Contacted by telephone the BAG & BIT, respectively on Zurich and on Berne.

We are grateful for any tip / help.

Please add language switch support. I am in denmark currently and they would accept it if you show the certificate on you phone, but they don't speak german an there is no option to switch the language. So I still need printed english version.

The possibility of public test was announced on https://www.ncsc.admin.ch/ncsc/en/home/dokumentation/covid-certificate-pst/infos.html

Yet I didn't find the amount of the bug bounty program. Sure you do not think dev should just work for free?

How do you handle requests from a person in a short time from diffrent locations.
By example:
Max Muster shows his phone at the airport in Zürich, 5 minutes later there is a request from Moskau airport also from Max Muster.
This should not be possibel and there needs to be a way to weed out this kind of abuse.

There is a flaw in the concept of the cert app. Showing the certificate over the app allows to read out personal information.

1. Person A install the "COVID Certificate APP" on his phone
2. Person A scans the QR code to store the certificate on his phone
3. Person B pretends to use the "COVID Certificate Check APP" and scans the code displayed on Persons A phone

If the Person B uses the "COVID Certificate APP" instead of the "COVID Certificate Check APP", he is able to scan and permantely store the full name and birth date of the person, which would be an unwanted disclosure of personal information

To overcome this security issue, the certificate QR code should only contain some anonymous information stored on the "Swiss identity card" (e.g. the serial number) to verify if the certificate and identity card match.