Towards a global standardization of digital vaccine certificate?
On August 11, the World Health Organization (WHO) and the International Telecommunication Union (ITU), an international organization designated by the United Nations in charge of the telecommunications sector, co-hosted the ‘ITU/WHO Workshop on Digital Vaccination Certificate’ to discuss the international standardization of digital vaccine certificates.
About 260 ICT and data protection experts from major international organizations and private companies such as the Institute of Electrical and Electronics Engineers (IEEE), the World Wide Web Consortium (W3C), and the Global System for Mobile Communications (GSMA) participated in the digital vaccination certificate workshop to discuss international standardization at the U.N. level. The workshop was divided into three sessions: (1) the first session aimed at introducing vaccination certificate use cases and technical framework; (2) the second one provided some insights on policy and governance aspects; (3) the third one dealt with the development direction of standardization through a panel.
In the first session, speakers introduced various use cases reflecting the use of digital vaccination certificate in different countries. In this regard, a representative from the Korea Disease Control and Prevention Agency (KDCA) introduced a Korean COVID-19 mobile vaccination certificate service based on blockchain and W3C-Decentralized Identifier (DID) technology. The related app has already been downloaded 4.57 million times and 14.75 million credentials have been issued, reflecting the growing adoption of DID-based digital vaccination certificates in Korea. In this session, a technical framework developed by the WHO has also been introduced by a WHO representative. In this presentation, the speaker presented the ‘WHO Technical Specifications and Implementation Guidance on Digital Documentation of COVID-19 Certificates: Vaccine Status (DDCC)’, which is a technical specification and implementation guidance at a global level that sets the foundation for supporting an internationally recognized patient summary that is held by an individual. While presenting the DDCC, the speaker emphasized on the fact that DDCC Specification support paper first as most of global population do not have smartphone.
In this first session, there was also a presentation of the Good Health Pass (GHP), which is an open, inclusive, cross-sector initiative. In particular, the GHP has recently released a blueprint with the aim of enhancing interoperability between digital health pass initiatives. A comparison between QR code-based health passes and Verifiable Credential (VC)-based health passes was also introduced, to emphasize on the risk of binding digital health certificates with generic QR code that does not provide privacy or security. A representative from Linux Foundation Public Health provided further insights on how to enhance interoperability between health certificates. While mentioning that interoperability will require semantic alignment and harmonization, the presenter introduced decentralized semantics that leverage the Overlay Capture Architecture (OCA). She added that decentralized trust should be built through a framework that enables verifiers from one ecosystem to make a decision about whether or not to accept a certificate signed by another ecosystem. In this regard, the global COVID Certificate Network (GCCN), which is a decentralized key management and interoperable trust registry protocol fostered by the LFPH, was also introduced.
The second session addressed policy and governance aspects related to making a digital certificate service unified ensuring interoperability between various service domains. In this regard, a Korea Internet & Security Agency (KISA) representative provided insights on the current status of the digital vaccine certificate in Korea by reintroducing the DID-based service from the KDCA while explaining that private companies such as RaonSecure are also developing DID-based digital vaccine certificates. He concluded his presentation by providing insightful recommendations to broaden the use of digital vaccination certificates globally. In particular, he recommended to focus on three aspects: security, trustworthiness and interoperability. Following this presentation, Ramesh Kesanupalli, the CEO of Digital Trust Networks, introduced ADI Association (ADIA), a nonprofit organization dedicated to advancing an open framework for digital identity focused on accountability, privacy, and interoperability. In his presentation, he introduced the ADIA ecosystem that lies on a new concept called Interchange, a mechanism facilitating interoperability between stakeholders of the identity industry. Ramesh mentioned that further details can be found in the technical specification that ADIA has just released.
The third session was organized under the form of a panel between academics and international organizations, and it focused on the future directions for standardization activities. The participants of the panel recognized that COVID19’s digital vaccine certificate can be seen as an opportunity to leverage the existing and future IT security technologies. They also agreed on that digital COVID certificates should be operated in an interoperable manner across countries. In particular, digital vaccine certificates should be designed using both existing technologies such as PKI (public-key infrastructure) defined in ITU-T X.509 standard and emerging technologies such as DID. It has also been agreed that global organizations such as ITU, WHO, ISO/IEC, W3C, IEEE, etc. should play a significant role for creating standards and specs for interoperability of digital vaccine certificates as interoperability should be reached through standardization and technical specification.
Following the workshop, ITU mentioned that it will strive to further collaborate with WHO, W3C, GSMA, LF and other organizations for building a harmonized ecosystem supported by a core system of technical standards. While working on common and expandable credential with enhanced security, ITU mentioned that it will work on Decentralized Identity to enable designing systems that can provide trust and interoperability.
Our view: the ITU/WHO workshop was a great webinar as it provided insights from a variety of experts in the identity space. During the event, DID and VC have been quoted by a number of speakers. In other words, the technology seems to be well acknowledged in the industry, including by WHO. In this regard, participants acknowledged the need to standardize the service model using decentralized identity, to identify security threats, and to specify security requirements against the identified security threats. The ITU-T’s Information Protection Research Group (SG17) will be working on that, which proves how serious DID technology is being considered by global organizations. Eventually, it seems that there is a general agreement on the importance of harmonizing semantics, data, vocabulary. In particular, participants of the webinar recognized that common understanding of rules for data interoperability and rules on common identity metadata should be reached to enable interoperability.
