The Good Health Pass Interoperability Blueprint was released mid-June to help shape the development of a cohesive but decentralized method of issuing, holding, and verifying the results of a COVID status test. The Good Health Pass Collaborative (GHPC) is an open and publicly funded collaborative; it was founded by ID2020 and the working group is managed by the Trust over IP Foundation. The blueprint, which is now available for public comment, lays out the most important and intentional design choices as well as recommendations to implement an interoperable and inclusive system.

Intentional design choices

The Good Health Pass blueprint outlines the following recommended architectural principles:

  • Individuals should be in control of their data: The blueprint goes on to describe the relationship between the issuer of a credential (a test center) and the holder of a credential (the individual being tested), as well as the relationship between the holder and a verifier (the entity that checks the credential before granting access to a service, such as airport staff, border control, etc.). It is explicitly stated that there is no room for a third party in these interactions – the holder should interact directly with anyone needing to issue or verify their credential. It recommends being restrictive by design, with privacy by default. To enable this, the blueprint adopts W3C Verifiable Credentials as the standard for interoperability, which also allows for selective disclosure of credentials.
  • Equity and Inclusion: There are concerns around tracking the health status of individuals and using it as a gatekeeper to accessing private and public services, and rightly so. When equal access to basic rights is sidelined in favor of promoting mobility, there are risks that some groups will be marginalized. It must be remembered that vaccines are not universally available. Therefore, a negative test must also suffice to allow equal access to services. Thus the name of a credentialing service is important. It should not be called a vaccine passport, because that name is misleading and would clearly create a barrier to services for large populations who do not have access to a vaccine or choose not to receive one. The recommended name is “digital health pass”. Access also includes device and offline access. Although a smartphone is the preferred channel for issuing, holding, and verifying credentials, there must be an offline version for those who do not have a smartphone. QR codes on a hard copy credential can fulfill this, with multiple QR codes for different selective disclosure scenarios.
  • Decentralized for security and scalability: The blueprint argues that a decentralized approach boosts the security of holding and exchanging PII. This argument is made in more detail in other resources. In terms of scalability, the GHPC explains that a decentralized digital health pass could reduce stress and traffic between healthcare information systems by shifting the work of issuing and verifying credentials to other parties, but the scalability of the decentralized ecosystems themselves is not addressed. That scalability is still a relatively open question, with widely varying results based on the particular public/private/consortium blockchain arrangement used.
  • Open Standards for interoperability and participation: Without a doubt, open standards must be followed so that a credential issued at one test center can be accepted by any verifier. The GHPC insists on a pragmatic and phased approach to design and implementation. While that has led to a well-thought-out blueprint, it is already late in meeting real-world needs. In many countries, the initial rollback of lockdown measures has already occurred, and the reopening of economies means that systems to prove a negative COVID status have already been implemented in a disjointed way. The solutions that are out there often provide a verifiable certificate, but can be missing other elements such as decentralization, the ability to certify a self-test without a smartphone, or the ability to use just one app for different testing stations. Decentralized systems also face a challenge of unified communication – already a trend in regional vs. federal measures, where individuals may find it difficult to find reliable information that does not conflict with other sources. The systems in place are less than perfect, but they do function to a limited degree, and this may disincentivize local governments from redesigning their initiatives based on the GHPC’s recommendations.

Identity Verification as a Foundation

Among the recommendations offered by the GHPC, binding the holder's identity to their credential is important to ensure that the credential does indeed belong to the holder. This lines up with the rising use of identity verification to accompany onboarding and authentication for higher security. Offline testing and credential issuance may rely on a manual check of a photo ID, but this does not last beyond the time of verification. An identity bound to a Verifiable Credential remains valid beyond the point of verification, because a real-time biometric data point can be matched with one which was logged at the point of verification – checking that a fingerprint matches the one which was logged when the credential was issued, for example. When using decentralized architectures, identity verification can still provide high and/or selective privacy for the holder while assuring the issuer or verifier that the credential can be trusted.

While the GHPC’s blueprint is well designed and offers concrete recommendations for a functional yet privacy-centric solution, with implementation recommendations for 30-, 90-, and 180-day intervals, it comes late in the game and may face reluctance from public players. The GHPC may also have limited the potential for its own adoption by relying on a decentralized architecture only, instead of building interoperability for health passes already in circulation. However, this may be the chance that decentralized identity has needed to demonstrate its efficacy on a global level. KuppingerCole will continue researching this market segment, as it has high potential to positively disrupt digital identity management for the individual as well as for the enterprise.