Paul Grehan - Australia

Chatchai - Thailand

Ivan Herman, W3C, connecting from France

Marie Wallace - Ireland

Zhaoji Lin，China

Hamid From Afghanistan

Eng. Daniel Bundi Kotonya, from Nairobi, Kenya 🇰🇪

Daniel Bachenheimer - USA

Vanja Pajić, Croatia

Dr Inaam ul haq World Bank Tanzania but connection from Pakistan

I'm Geethan Samarawickrama connecting from Sri Lanka

Tony Holmes UK

Vasily Dolmatov - Russian Federation

Craig Gibson - Trend Micro - Canada

Hi everyone. I'm Thomas Fogwill from South Africa

Daidi Zhong from China

Mr Adama KANE from Senegal

Xiaomi An from China

etaf palestaine

Tong Wu - China Telecom

Hi everyone, my name is Joe Amlung, and I am a Business Analyst from USA, working on terminology and the Open Concept Lab.

Hello My name is Chinsammy Christmah from Guyana

Markus Maaß, Germany

Chatchai from Thailand

Mukhtar Mahamed - from Somalia

Christophe Blanchi - Switzerland

Erik Andersen, Denmark

Sanghwan Park of KISA in Korea

Jet Tsao from Taiwan

Hello everyone, this is Keundug Park from Korea.

Hello everyone. My name is Nargis Maqsudova. GFF Tajikistan.

Good morning from Argentina. I’m Lia Molinari, professor at National university of La Plata, Argentina. I’m Vicechairman of SG17 (cyebersecurity) and vicechaiman of WP3, Cybersecurity and management

Haydee Serona from the Philippines. Good evening from Manila!

Manuchehr A. TEC-19 WB, Tajikistan

Ziqin Sang, China Information Communication Technologies Group, China

Joseph Wu from Malawi🇲🇼

Hi all, Jonathan Payne from US

Tamara Sznaidleder fro Israel

Giovanni CAMBRONERO, IT and Cybersecurity Leader at ANCE MEXICO

Raphael Mahinya from Tanzania

Hello from Heng QIAN, China

Suhrob, Tajikistan, WB TEC-19 project

Good afternoon, Abdulakhad Safarov, NPO, WHO CO in Tajikistan

Eliot Choi working for Raonsecure from Korea

CEO of NaiTech, owners of ImmuniCard and CovIDent. Kenya 🇰🇪

Welcome to the ITU/WHO Workshop on "Digital Vaccination Certificate": https://www.itu.int/en/ITU-T/Workshops-and-Seminars/2021/0811/Pages/default.aspx

James McDonald - UK - from World Travel & Tourism Council [WTTC]

yes. I am not using a background. I’m lucky my little apartment has a good zoom look with the bookshelf.

Hello everyone … Tracy Hackshaw from Trinidad and Tobago. Connect with me on LinkedIn at https://linkedin.com/in/tracyhackshaw Twitter at https://twitter.com/thackshaw Instagram at https://instagram.com/tracyhackshaw

Link to the program line up:https://www.itu.int/en/ITU-T/Workshops-and-Seminars/2021/0811/Pages/Programme.aspx

Good day and warm compliments to all participants.My names are Adetunji Basorun from Nigeria.I am as pleased to be part of this event as well wish everyone participating a very fruitful set of deliberations.

Hello to everyone. I'm Herbert Bertine, former chairman of ITU SG17.

Hi. everyone, I'm Heung-Ryong OH from Korea.

👍

@ Abbie: Can you please indicate here the order of panellists for your session.. . thank you

hi good day my name is qais azad from Afghanistan

Panel #2 - Craig Gibson, Gautam Hazari, SangHwan Park, Ramesh Kesunapalli

True. If the certificate ms aren't standardized, it creates anarchy and loopholes for forgeries and abuse, which is not good.

@ Craig: thank you. well noted.

Hello to everyone, I am Hideki Yamamoto, vice-chairman of ITU-T SG16.

THANK YOU, GREAT WORK.

Link to the FHIR Implementation Guide: https://worldhealthorganization.github.io/ddcc/

Hi … will the slide deck be available afterwards?

the link is the GitHub repository… is it ok?

All presentation materials will be made available on the event webpage here: https://www.itu.int/en/ITU-T/Workshops-and-Seminars/2021/0811/Pages/Programme.aspx

Thanks @Gifty

great, thank you

Please use the Q&A icon at the bottom of your screens for all questions to the panellists, stating first the name of the panellist to whom the question is addressed. thank you.

wouldn't it be the case QR would be required even with verifiable credential as a presentation medium to trigger credential sharing?

That’s good points!

Not necessarily. Communicating data via a QR Code is only one way to exchange data

not all QR Codes are the same. When presenting your verifiable credential “as” a QR code it is copiable by anyone and can be replayed.

You can exchange data between mobile devices through multiple protocols

With verifiable presentations - only the individual who holds the credential can generate that - and it can’t be replayed.

Totally agreed

ok. it make sense that way, user generated and can't be replayed.👍

THX Daniel!

I shared the blueprint with the W3C Credentials Community Group last week - it will be live online on ToIP sites and other places in the coming days as Dan said - please don’t circulate via social media etc yet. https://lists.w3.org/Archives/Public/public-credentials/2021Aug/att-0023/GHP_Interoperability_Blueprint_V1.0.0.pdf

@Daniel, good presentation, but to be able to actively include Africa and most third world countries, this approach must be expanded or twitched alot to be effective and less isolating. I would give a case study of how this can be handled better meet specific infrastructural gaps in the regions.

but so far, great insights presented there. Thanks Daniel.

@Daniel Bundi - thank you; we agree that inclusivity is key and whatever solution must be adaptable to the reqion (tech and policy)… paper is one option, custodial wallets another, and there are others

True.

been working on a hybrid local solution that can be scaled and integrated. can be shared after the session.

At Linux Foundation Public Health, we are working with the community to produce tech specs and open source codebases that can support jurisdictions to adopt the GHP recommendations. @Daniel Bundi, would love to speak and see how we can support the efforts in Africa.

@ Craig: I guess you will be moderating session 2 as there is still no sign of Nicole..

Thanks a lot, Marie, for good presentation.

Thanks @keundug :)

+10 - thank you!

true

Excellent presentation Marie. Very clear description of the scope of the problems and challenges that need to be addressed to establish trust in any COVID certificate.

The Schema Task Force @ Covid Credentials Initiative (CCI) has an ongoing and open working draft for Overlays Capture Architecture (OCA) data capture specification for “Good Health Pass”-compliant credentials (vax/testing/recovery) and pass. Feel free to contact me directly for more information.

Thanks @christophe, it can seem a bit overwhelming at times.

I have difficulties understanding the speaker...

Cannot hear the speaker

Abbie, we can not hear you.

Hi @Kaliya can you post the links from your last slide (subscription email, links to docs etc) here in this chat?

Subscribe to the mailing list to: gccn+subscribe@lists.lfph.io

Kaliya Young: kaliyay.cci@lfph.io

Twitter handle @IdentityWoman

Defining the GCCN Trust Registry Network Discussion, Definition and Elaboration https://docs.google.com/document/d/1vz9cK_m5YKyoRY8DhBHLoyACP3Vfx2uFqFiVHxWOH3Q/edit#heading=h.hjaz4ngjqopx

Global COVID Certificate Network (GCCN)Trust Registry Network Implementers Meeting Pagehttps://docs.google.com/document/d/1_NbYlVFOLaHmCFgSd7XSCN9OjTLiCc4gJ0PCpTNhMLs/edit

CCI Schema Task Force Meeting Page - https://docs.google.com/document/d/1jAFXY_UGBg4X34hHGSWJNKFVT_6znf006S1kIdrX3PY/edit

Thanks @kaliya!

Information on how to join/get involved with CCI - https://www.covidcreds.org/#Join

The "get healthcare without providing identity" notion presents non-trivial patient safety and quality of care challenges.

;'

thank you ☺️

Thanks, Dan, Marie, and Kaliya! Great stuff.

You can also reach out to my colleague Lucy Yang who is the Community Director at CCI her e-mail is lucyy.cci@lfph.io

This is one of the more frightening developments in recent times… How pervasive is it today? and what a can be done to protect - avoid the situation?

I would recommend that for anyone interested in multi-credential verification, check out the CCI working group. It's a great place to start.

https://www.lfph.io/cci/

We have a newsletter that goes out every 2 weeks that you can subscribe to here and see past issues https://us10.campaign-archive.com/home/?u=1e21ad08ed0422a5dac0b8eed&id=ebe791efe9

I am not my phone number. It can’t really work this way - because I “rent” that number it isn’t mine. Decentralized Identifiers are designed to route around the issue of how the phone system has anchored people to identifiers they don’t own but they rent.

If the phone is rent, the SIM identity solution can not be applied for this case.

Agreed with Kaliya. Also, as (I think) Marie said, the credential may have to be used in, say, a Web page, on my laptop when I check in to my flight. I may not want to do that on my phone…

I support Ivan Herman

In many contexts, phones (and sims) are shared by multiple users and/or there is a lot of "churn" as sims are changed frequently. This will also require a strong binding somewhere between sim and person identity, which can be a weakness and raise privacy concerns.

@Kaliaya thanks for raising the interesting point. The phone number is not really my Identity - it is an alias/Identifier to my Identity - and I own my Identity. The alias (phone number) is portable and I can take it along when I move to any other provider.

small kids hasnt smart phones ...

but they tavel too

SIM/eSIM has its outstanding advantages.

The SIM can be seen as a secure element - with protection using business processes,

@gautam - if I stop paying my phone bill I loose access to the number and after a certain period someone else will get it. It is not a good identifier and it is also persistent across contexts - this creates the possibility of linkability.

The most advanced VCs are using Link secrets to connect credentials for an individual - https://www.evernym.com/blog/how-does-a-verifier-know-the-credential-is-yours/

Africa has over 1billion people, with over 50 countries with porous boarders.... and an extremely variant penetration of smartphones and ICT infrastructure.... this is the real elephant in the room!

@kaliya, to be fair, I am not sure the phone numbers are reused even if I stop using it

@ivan in my country that is the case.

Oops… I did not know. AFAIK, that is not the case here...

Anyway, another issue if one changes countries, ie, operators and, certainly, phone numbers

There are several different flavors of verifiable credentials. I wrote a paper about them that hopefully can be helpful in discerning this technology - https://www.lfph.io/2021/02/11/cci-verifiable-credentials-flavors-and-interoperability-paper/

@ivan, in kenya, phone numbers are reused and reallocate to different users if not used in like 3 months. that's partly why not even trucaller is accurate here. let alone using phone numbers as identifiers

@Daniel, I understand; I must admit I did not realize that would be the case.

It is a shame…

if we have the next session, I would be glad to give a case study of the African realities, which I think is largely overlooked.

I think by humanizing Gautam meant phone numbers are layman friendly and hence to use them for the interaction between the human and the wallet. From wallet to the external world DIDs can take over with all their privacy preserving and security benefits

The phone number may be reused by other person. But we still have solution to protect the previous users' VC and allow the new user to bind the phone number with his/her VC

we have foolproof solutions that I would wish could be comsidered across

@Kaliya, you are right - it is a user’s choice, I can decide not to be with a mobile service provider and can still take my phone number with me as an identifier to another provider. My Identity is separated out from the aliases/identifiers - the association can be plural and I can always associate or disassociate one or more of the aliases from the Identity as a user’s choice

another idea: SIM/eSIM is used as a carrier of VC which is no need to bind the VC with the phone number

That may be a good method: the secure element holding key material is important, but I see the phone number as a kind of “Username” in a way

@Geethan, thanks for that. Yes - that’s exactly what it is, phone number is a human friendly Identifier - which can be used an alias towards the VC/DID or to the real Identity and this association is user driven

@Craig Gibson yes

@Craig - I agree, the phone number is the alias/Identifier and not the Identity and yes it is public/not-a-secret - so is equivalent to userid

please use the Q&A icon at the bottom of your screens for all questions addressed to the panellists. Please state the name of the panellist to whom the question is intended

The model Ramesh is putting forward is highly centralized if you are keen on engaging with folks working on governance in decentralized systems I invite you to look more closely at the work of Trust over IP Foundation https://trustoverip.org/

how about the infringement of the human rights because of covid vaccine circumstance? covid vaccine is effective but we need to consider more about human rights. is there somebody to explain more?

Given we may have centralized and decentralized models (see exchange just above), are there recommendations on what to choose and in which environments ? thanks.

In that case, shall FHIR/HL7 standards catering for the standaized vaccination messages?

Craig is talking about a very serious problem. Overlays Capture Architecture (OCA) is a truly interoperable solution for semantic harmonization. https://humancolossus.foundation/blog/cjzegoi58xgpfzwxyrqlroy48dihwz

+1 to what Paul just shared.

@panellists: would be good if you could all switch on your camera at this stage

to complement what Ivan is sharing - I wrote a paper about the various flavors of verifiable credentials - https://www.lfph.io/2021/02/11/cci-verifiable-credentials-flavors-and-interoperability-paper/

is there presentation? can'ts see it sorry.

same here, can't see the slides

No, Ms Xu is not using slides..

ah. I see. thanks.

Yes

Good

we do not hear clearly

Your audio is unstable.

It is not a matter of being close to the mike, the sound is muffled...

it is like talking under water...

a bit floating to surface now. it's ok. kkk

for interoperability to make sense, a level of standardization of key factors of verification is a necessary

we can do it right or right now... tough to do both

we need to do it right with or without COVID

Giving raw QR codes creates real risk to people. It could accelerate identity theft for people. So this also needs to be considered.

agree - we need something for now (band-aid) and something more enduring

exactly!

Agree

True 👍

best scenario, all governmantal authorities take responsibility of the confidentiality and protection of individual certificate. and allow verification to be done accros authority borders - with easiest and affordable way, taking into consideration of the context.

But it is a pity not to leverage the full potential and benefit of the digital identity infrastructure those countries advanced in vaccination, who happen to be countries also advanced in digital transformation.

existing paper based certificate can be used, but easy to be forged, given the current situation of the inequity in access to vaccine.

The vaccination certificate is sort of medical record including sensitive personal data. It is very risky to present the vaccination certificate as QR code.

We need to standardize the service model using decentralized identity, to identify security threats, and to specify security requirements against the identified security threats. ITU-T SG17 will be leader group on that.

The Overlays Capture Architecture (OCA) is a truly interoperable solution for semantic harmonization. https://humancolossus.foundation/blog/cjzegoi58xgpfzwxyrqlroy48dihwz

we at CCI are working with projects and countries around the world

Agree to Mr. Park. ITU and other IT SDOs we already developed standards for security of ICT

To implement these standards, it will be a long and incremental process.

COVID DVC is a good opportunity to leverage the existing and future IT security technologies.

here is the JIC landing page: http://www.jointinitiativecouncil.org/

A roadmap for all the existing work from different SDO's is important for interoperability.

and i'm embarrassed to have omitted DICOM (the digital imaging SDO) in my comments

Yes the PHA should have that data about you. However should the PHA be “pinged” and notified every time you share your vaccine certificate with someone - as is the current design that the WHO has proposed?

Agree with centered registration for vocabulary for semantic interoperablity.

Thanks for the great answer and mapped the clear way forward from the panelists. it's helpful for our system development.

The gap that has just been highlighted is similar to how Roaming works - cross federated global SLA

There is a fundamental mis-understanding about how different systems we are talking about work. Some are decentralized - where the verification happens at the edge - others are designed to ping back to the source - this creates a massive privacy problem so the source knows all the places someone uses the credential.

THANK YOU ALL FOR VERY USEFUL PRESENTATIONS.

Excellent! thank you for a vey interesting activity!

I can not see the shared screen.

OK

Nice Summary!

@Kaliya - the WHO DDCC specification is not prescriptive regarding how a member state will implement their vaccine status certificates. The DDCC specification describes how a member state could generate and cryptographically sign a normative, coded, core DDCC:VS data set. What happens downstream of this is up to the member state, based on their context.

Figure 8 puts forward a flow where the PHA is pinged when a person presents their certificate. So it looks like you are endorsing that kind of flow that raises for me a privacy concern.

@Derek Ritz, I looked at the draff of WHO DDCC:VS, really impressive. Congratulations. Looking forward to its publication.

Suggestion to add to “Session 2 summary”ITU should develop the digital vaccination certificate standard and guideline taking the security, trust assurance level, interoperability issues including trust anchor operation into account.

@Xiaoya Yang -- thank you, I will share your kind words with the DDCC team. :-) @Kaliya -- processes that MAY happen are not to be conflated with processes that SHALL happen. As I said, the specification is not prescriptive downstream of the generation of the signed normative FHIR document.

@Derek - the fact it is even optionally put forward as a potential flow is giving states bad design ideas. People should not have all the places they share a vaccine certificate tracked by the issuing state authority.

Dear @ITU & @WHO, thank you for today. Very informative. I would welcome an opportunity discuss further with you how the DDCC:VS may be implemented within international travel. There are specific complexities with this use case, that I would be keen to share with you, so that we can all achieve a seamless, interoperable system across international borders. Many thanks. James McDonald (World Travel & Tourism Council) - james.mcdonald@wttc.org

Thanks much to the organizing team, Xiaoya, Gifty and all steering committee members, beyond to all participants. It was a rich workshop. Thanks.

thanks for the good event

thank you very much for an engaging workshop; need to drop now👏

Thank you everyone -it was a fantastic session. 👏

Thank you for the useful workshop.

thanks, all. stay safe and well, everyone.

Thank you!

Thank you!

Thank You !