ehn-dcc-development/eu-dcc-hcert-spec ehn-dcc-development/eu-dcc-hcert-spec

  • This repository has been archived on 11/Jul/2023
  • Stars
    star
    363
  • Rank 117,374 (Top 3 %)
  • Language Makefile
  • Created over 3 years ago
  • Updated over 1 year ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
ehn-dcc-development/eu-dcc-hcert-spec
github

ehn-dcc-development

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Electronic Health Certificates Specification

CC BY 4.0

Electronic Health Certificates

IMPORTANT NOTICE

As of July 1st 2023 the EU DCC project has been handed over to the WHO. The project has therefore been frozen. This repository will be placed into archival mode and will remain available for the foreseeable future, however it will no longer be actively maintained.

Introduction

This repository contains a proposal for encoding and signing the Electronic Health Certificate (HCERT), as a candidate to be adapted and adopted by eHealth authorities and other stakeholders as they see fit.

Specification

The current authoritative version is tagged as releases in this repository.

Overview

overview

Requirements and Design Principles

The following requirements and principles have been used when designing the Electronic Health Certificate (HCERT):

  1. Electronic Health Certificates shall be carried by the holder and must have the ability to be securely validated off-line (using strong and proven cryptographic primitives).

    Example: Signed data with machine readable content.

  2. Use an encoding which is as compact as practically possible whilst ensuring reliable decoding using optical means.

    Example: CBOR in combination with deflate compression and QR encoding.

  3. Use existing, proven and modern open standards, with running code available (when possible) for all common platforms and operating environments to limit implementation efforts and minimise risk of interoperability issues.

    Example: CBOR Web Tokens (CWT).

  4. When existing standards do not exist, define and test new mechanisms based on existing mechanisms and ensure running code exists.

    Example: Base45 encoding per new Internet Draft.

  5. Ensure compatibility with existing systems for optical decoding.

    Example: Base45 encoding for optical transport.

Trust model

The trust model is based on the ICAO Master List concept with some minor modifications to improve performance and compatibility. At the center of the model is the DGC Gateway and the associated certificate governance. The gateway operates in a B2B model with onboarded countries. Member States are then responsible for publishing their own trust lists publicly on their own national backends.

At its core the trust model consists of a simple, one layer deep list of Country Signing Certificate Authorities (CSCA) that sign Document Signer Certificates (DSC). These are then used to sign the aforementioned digital health certificates (HCERT).

The trusted keys which will be used by verifiers are published in a list which includes all public keys together with issuer metadata. The keys which from time to time are used to sign the HCERTs and should be trusted are included on the Trusted List. There are no CAs or other intermediate parties involved in the validation process in the verifier. If a CSCA'ss public keys appear in the list, they are only there to facilitate the creation of the trusted list of public keys itself. They are not used during verification of an HCERT (as this is generally offline and purely based on the trusted list of that day).

Revocation is implemented via omission. The Trusted List contains all valid certificates, so revocation is achieved by removing a certificate from the Trusted List.

Known Implementations

Multiple implementations are available via the "European eHealth network - digital green development coordination" GitHub repository.

Highly simplified JSON/CBOR/COSE/Zlib/Base45 pipelines:

Base45

Qr and Aztec code have a specific, highly efficient, method for storing alphanumeric characters (MODE 2/0010). In particular compared to UTF-8 (where the first 32 characters are essentially unused; and successive non-latin characters lose an additional 128 values as the topmost bit needs to be set).

Details of this "11 bits per two characters" encoding can be found at

For this reason, the industry generally encodes these in base45. A document for this de-facto standard is in progress:

Questions?

See our FAQ for answers to commonly asked questions.

Contributions

Contributions are very welcome - please generate a pull request or create an issue.

This work is licensed under a Creative Commons Attribution 4.0 International License.

CC BY 4.0

More Repositories

1

eu-dcc-schema

Schema for the ehn DCC payload
Makefile
165
star
2

ehn-sign-verify-python-trivial

Extremely minimal python implementation of the eHN-S protocol.
Python
76
star
3

ehn-sign-verify-javascript-trivial

Trivial eHN-Simple implementation in plain/simplified javascript
JavaScript
32
star
4

eu-dcc-business-rules

eHealth collaboration space business rules
JetBrains MPS
30
star
5

eu-dcc-valuesets

EU eHealthNetwork value sets as referenced by the EU Digital COVID Certificate (DCC) JSON Schema
TypeScript
27
star
6

hcert-kotlin

Kotlin multiplatform implementation of the HCERT/DCC specification
Kotlin
25
star
7

hcert-dotnet

C# /.NET port of hcert-java, Gunnar Ingi Friรฐriksson
C#
15
star
8

python-hcert

Python library for Electronic Health Certificate
Python
12
star
9

base45-java

Java implementation of base45 for Qr codes
Java
10
star
10

ValidationCore

Swift implementation of the validation chain
Swift
9
star
11

hcert-app-swift

Verification app in Swift for iOS
Swift
7
star
12

hcert-app-kotlin

Verification App in Android/Kotlin
Kotlin
7
star
13

x509-resign

Utility to resign an existing x509 certificate 'as is' -- keeping as much of the metadata and X509v3 extensions the same. But change the Authority/Subject key identifiers, swap out the public key and resign. Useful for making test sets based on 'real' certificates taken from the wild.
C
7
star
14

hcert-testdata

Electronic Health Certificates prototype
Python
6
star
15

base45-swift

Swift
6
star
16

base45-ansi-C

Base45 implementation in ANSI-C
C
6
star
17

base45-cs

Base45 encoding/decoding implemented in C# (.net 5)
C#
5
star
18

hcert-service-kotlin

Spring Boot Service in Kotlin
Kotlin
3
star
19

masterlist-cert-generator

Generate synthetic master-list; and JSON file with KIDs and raw coordinates.
Shell
3
star
20

hcert-java

Java version of the protocol
Java
3
star
21

eu-dcc-business-rules-analysis

Analysis of business rules uploaded to the EU DCC Gateway.
HTML
2
star
22

hcert-swift

HCert HC1 base45, Zlib, Cose, CBOR trivial 'library' with pem and json trust lists.
Swift
2
star
23

icao-ml-tools

Python
2
star
24

hcert-schema

Electronic Health Certificates Payload Schema
2
star
25

eu-dcc-site

JavaScript
1
star
26

hcert-trust

Electronic Health Certificates Trust Exchange
1
star
27

eu-dcc-overview

Overview of the DCC, start here :-)
1
star