Vision: A Critique of Immunity Passports and W3C Decentralized Identifiers

Due to the widespread COVID-19 pandemic, there has been a push for `immunity passports' and even technical proposals. Although the debate about the medical and ethical problems of immunity passports has been widespread, there has been less inspection of the technical foundations of immunity passport schemes. These schemes are envisaged to be used for sharing COVID-19 test and vaccination results in general. The most prominent immunity passport schemes have involved a stack of little-known standards, such as Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs) from the World Wide Web Consortium (W3C). Our analysis shows that this group of technical identity standards are based on under-specified and often non-standardized documents that have substantial security and privacy issues, due in part to the questionable use of blockchain technology. One concrete proposal for immunity passports is even susceptible to dictionary attacks. The use of `cryptography theater' in efforts like immunity passports, where cryptography is used to allay the privacy concerns of users, should be discouraged in standardization. Deployment of these W3C standards for `self-sovereign identity' in use-cases like immunity passports could just as well lead to a dangerous form identity totalitarianism.

[1]  Drummond Reed,et al.  OpenID 2.0: a platform for user-centric identity management , 2006, DIM '06.

[2]  Michael B. Jones,et al.  JSON Web Token (JWT) , 2015, RFC.

[3]  Huajun Chen,et al.  The Semantic Web , 2011, Lecture Notes in Computer Science.

[4]  Tim Berners-Lee,et al.  A Demonstration of the Solid Platform for Social Web Applications , 2016, WWW.

[5]  N. Kofler,et al.  Ten reasons why immunity passports are a bad idea , 2020, Nature.

[6]  Agam Bansal,et al.  Optimizing the Implementation of COVID-19 “Immunity Certificates” Using Blockchain , 2020, Journal of Medical Systems.

[7]  Jeremy J. Carroll,et al.  Signing RDF Graphs , 2003, SEMWEB.

[8]  Joaquim Ferreira,et al.  Self-Sovereign Identity: Use-cases, Technologies, and Challenges for Industrial IoT , 2019, 2019 24th IEEE International Conference on Emerging Technologies and Factory Automation (ETFA).

[9]  Ourania I. Markaki,et al.  Decentralised Qualifications' Verification and Management for Learner Empowerment, Education Reengineering and Public Sector Transformation: The QualiChain project , 2020 .

[10]  A. Pfitzmann,et al.  A terminology for talking about privacy by data minimization: Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management , 2010 .

[11]  Karthikeyan Bhargavan,et al.  Verified Models and Reference Implementations for the TLS 1.3 Standard Candidate , 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[12]  Dan Brickley,et al.  Resource Description Framework (RDF) Model and Syntax Specification , 2002 .

[13]  D. Kaminer Discrimination Against Employees Without COVID-19 Antibodies , 2020 .

[14]  John Domingue,et al.  COVID-19 Antibody Test Certification: There's an app for that , 2020, ArXiv.

[15]  Fabien A. P. Petitcolas,et al.  A First Look at Identity Management Schemes on the Blockchain , 2018, IEEE Security & Privacy.

[16]  Carmela Troncoso,et al.  ClaimChain: Improving the Security and Privacy of In-band Key Distribution for Messaging , 2017, WPES@CCS.

[17]  Dieter Fensel,et al.  Semantic business process management: a vision towards using semantic Web services for business process management , 2005, IEEE International Conference on e-Business Engineering (ICEBE'05).

[18]  Kenneth G. Paterson,et al.  One Bad Apple: Backwards Compatibility Attacks on State-of-the-Art Cryptography , 2013, NDSS.

[19]  D. Larremore,et al.  Implications of test characteristics and population seroprevalence on ‘immune passport’ strategies , 2020, Clinical infectious diseases : an official publication of the Infectious Diseases Society of America.

[20]  Arthur Gervais,et al.  Do you Need a Blockchain? , 2018, 2018 Crypto Valley Conference on Blockchain Technology (CVCBT).

[21]  Harry Halpin Decentralizing the Social Web - Can Blockchains Solve Ten Years of Standardization Failure of the Social Web? , 2018, INSCI Workshops.

[22]  Matthew Green,et al.  Decentralized Anonymous Credentials , 2014, NDSS.

[23]  Dick Hardt,et al.  The OAuth 2.0 Authorization Framework , 2012, RFC.

[24]  Jan Camenisch,et al.  A Framework for Practical Universally Composable Zero-Knowledge Protocols , 2011, IACR Cryptol. ePrint Arch..

[25]  Harry Halpin,et al.  The Crisis of Standardizing DRM: The Case of W3C Encrypted Media Extensions , 2017, SPACE.

[26]  Yun Peng,et al.  On Homeland Security and the Semantic Web: A Provenance and Trust Aware Inference Framework , 2005, AAAI Spring Symposium: AI Technologies for Homeland Security.

[27]  Jan Camenisch,et al.  Design and implementation of the idemix anonymous credential system , 2002, CCS '02.

[28]  Steven Foster,et al.  The Augmented Social Network: Building identity and trust into the next-generation Internet , 2003, First Monday.

[29]  David Chaum,et al.  Security without identification: transaction systems to make big brother obsolete , 1985, CACM.

[30]  Rachel Arnold,et al.  Zero-Knowledge Proofs Do Not Solve the Privacy-Trust Problem of Attribute-Based Credentials: What if Alice Is Evil? , 2019, IEEE Communications Standards Magazine.

[31]  Sven Groppe,et al.  Data Management and Query Processing in Semantic Web Databases , 2011 .

[32]  Carmela Troncoso,et al.  Systematizing Decentralization and Privacy: Lessons from 15 Years of Research and Deployments , 2017, Proc. Priv. Enhancing Technol..

[33]  Harry Halpin,et al.  Semantic Insecurity: Security and the Semantic Web , 2017, IWSW.

[34]  Michael McIntosh,et al.  XML signature element wrapping attacks and countermeasures , 2005, SWS '05.

[35]  David Butler,et al.  SecureABC: Secure AntiBody Certificates for COVID-19 , 2020, ArXiv.