HealthCerts — Part 1

If you are evaluating digital solutions for Covid-19 test results, vaccination certificates and passports, here’s what you should know.


Much ink has been spilled about vaccination certificates and vaccination passports on the web but details of implementation have often been glossed over.

Let’s dive in to separate the wheat from the chaff, amid all the hullabaloo.

Vaccination Status vs Vaccination Certificate

If I am an officer trying to check your vaccination records, here are two methods for me to verify. You can either show me your vaccination status or send me your vaccination certificate.

You log in to your mobile app. With your unique identifier, the app fetches your vaccination status from a trusted database and displays it on your mobile device.

You then show me your screen to visually inspect your vaccination status, but this screen can hardly be differentiated from an edited screenshot or a spoofing app. As a result, there is too much of such (not so new) news.

This method is often marketed as digital passport. But not all that glitters is gold.

With this method, your certificate exists in a form of a digital document that you chose to store somewhere — the hard drive of your PC, mobile devices or cloud storage.

You can choose to send this certificate to me via WhatsApp, Telegram, Email, Dropbox or in a thumb drive carried by a pig🐦on, etc…

Upon receiving your certificate, I will then go through the verification process to (a) verify the authenticity of the certificate, (b) ascertain its provenance and (c) trust that the certificate is not revoked — more on this later…

The key difference between the two methods is the location of verification.

  • In method 1, I will need to believe whatever you are showing me on your device, which also means you need to be physically present.
  • In method 2, the verification process is performed on my trusty device and not a visual inspection of your glittering screen.

Vaccination Passport vs Vaccination Certificate

There are some digital health passports that merely display vaccination status (method 1), some that store and send vaccination certificates (method 2) and few that can do both. Let’s compare them.

In this method, the digital passport is a mobile app that seeks to be the certificate or at least pretends to be one. 😏

Even though this “Show your status” method has obvious flaws as mentioned in previous section, this method bestows great power on the solution provider as the key arbiter of trust for safe travel.

With a stronger position to monetise from the network effect between issuers and verifiers, solution providers are commercially incentivised to provide solutions with method 1 than 2.

The history of fake passports is as old as some countries because controlling the movement of people has always been, and will continue to be a lucrative business.

In this method, a digital health passport is a mobile app to store, view and share vaccination certificates. It does not seek to supplant the digital certificate but to complement it.

The key purpose of this mobile app is to improve the user experience of handling digital documents, akin to a file explorer/manager.

In both methods, the digital health passport should also provide strong identity assurance to prevent impersonation — that the owner of the certificate is indeed the owner of the app.

In addition, digital health passports can provide convenience to the traveller by providing information of authorised clinics/laboratories, flight info, travel requirements of countries, etc… at the right place and the right time.

Verification Process

Method 1 expects me to trust the screen and needs no explanation. This section is about verifying the vaccination certificate.

Trust but verify. Or faith in disguise?

  1. I must be able to verify the authenticity of the certificate. In other words, the verification process must inform if the certificate has been tampered with.
  2. Its provenance can be ascertained so that I know if the clinic/lab is qualified and not a fly-by-night institution.
  3. And if the certificate is revoked, the verification process must inform me that it is no longer valid.

I’m not saying it’s proprietary when otherwise but it’s obviously not proprietary when any QR code reader can read it and render its content to human-readable form like this.

Scan this with any QR code reader app

However, if you need a special reader/app to render its content to human-readable form, you should ask if there are alternative readers available.

Qn: Is interoperability an incentive or a tech problem?

If you can use any email clients — gmail, outlook, hotmail — to receive and send emails to your friends, why are messages in modern messaging apps — WhatsApp, Telegram, Slack, etc — stuck in their own apps?

And if alternative commercial readers are available, make sure you are neither using a spoof app nor one that’s designed to steal (your traveller’s) data. 😏

What’s coming…

In Part 2, I’ll cover the key components of HealthCerts and how you can use it to help your country with safe travel.

If you are a medical institution looking for help to issue HealthCerts, here’s the list of HealthCerts providers.

For more information on HealthCerts, check out our developer portal.

Our team is looking for software/quality and devops engineers who are passionate about tech and want to help us build awesome digital services for Singapore! 🇸🇬

Reach me at (ゝ‿ ・)

Want to know more? Here’s how we operate and the work we do.

Cheers! 🍻😊



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Steven Koh

GDS Director@GovTech | Curious, optimistic tech junkie | Build great products, agile delivery teams and tech communities | #techforpublicgood | We’re hiring!