Digging into Quebec's electronic proof of vaccination (mikkel.ca)
The underlying cryptographic technology here: "Verifiable Credentials" is quite exciting. If you have ever wondered "why aren't bureaucracies using digital signatures?" then VCs are interesting.
It's a pretty decent technical spec for signing statements like "This person has this age" or "this person is vaccinated" or "this person is authorized for this bank-account as executor of a will". It is a spec written by cryptographers and hackers.
At the same time, it is a spec being used by banks, governments, and health-care. That is, it's not just a nice technical ivory tower idea, it is actually liked by people who would use it. Why do these organizations want to use this? Because, without cryptographic guarantees, your business processes involve a whole lot of bureaucracy, manual checking of data, implicit trust relations, and friction (so much friction).
That friction is part of why people would actually want to use it. Essentially, all you need to do to share required data is scan some QR codes. Another, maybe more important part, is control over your data. You determine who you show your VC. It is not needed for two organizations to have access to all of their shared data they need. They give the user the data, and the user hands it over, or he doesn't.
The general concept behind all of this is sometimes called SSI (Self Sovereign Identity).
I've worked with VCs and personally I found them unnecessarily complex and overhyped by a certain gang of people/companies. All the hyped benefits cause dependency on being available to download contexts, access lists/blockchains of public signatures etc etc
Does that mean you prefer a different standard for "signed statements", or do you think the idea of "signed statements" is just not useful (or not useful yet)?
Thanks for the background. For fun I did a thought experiment a couple weeks ago, of designing a vaccine verification system and arrived at the same cryptographic abstractions (without JWT and JWS, but same for offline verification with public keys) and it’s good to see the design matches mine, mainly as a validation to myself that I am understanding a practical application of those crypto building blocks.
The added bonus is there’s already an open standard I can use that’s been poked at by smarter people.
Exciting!
The real interesting part here, if you want to start making this more widely available, is determining whose signatures you trust.
Self-signed statements already have some value. You can litigate those in court. But when you wanna enter e.g. the Netherlands, how are they to know which key belongs to Quebec?
Québec's government has historically been incompetent regarding anything digital (a lot of their websites are still barely usable), but I want to give credit where credit is due: their vaccine appointment website as well as their proof-of-vaccination has been really well done.
Quebec government has problematic policies regarding the hiring of devs. They treat tech workers like the rest of their unionized workforce, and their wage + title depends on seniority. As a result, competent programmers avoid the provincial employer like the plague. Most IT work there is actually done by "consultant" firms like CGI, who deploys the devs for a 1-3 years contract. I had an interview with them, and I was told during the meeting that I was probably "too fast for the working environment" and was not hired. (no joke).
The culture is super weird. As an example, the focus on the French language: a dev once told me that, during a government contract, he had to work with a French-translated C++ STD library... Finally, by law, the only criteria Quebec can use to choose an external private business to complete a project is the lowest bid. They are not aiming for quality.
Finally since some people in the far regions of the province do not have access to high speed internet, phone + mail + fax is still the implicit norm to contact the government. Quebec public services do not have a strong tech culture for many reasons. We are fortunate that they did not mess up the vaccine process.
They've made a lot of efforts recently. Their new official website (quebec.ca) is clean, fast and straightforward and the new website for public healthcare (RAMQ) is nice but they still have a lot of improvements to do for administrative procedures. In February I had to renew my health insurance card: I had to call them to send me a paper form to fill and send back by post. A few weeks later they sent me a (paper) mail saying that my new card "will be coming shortly" and a few days after I received my card.
I've been making my way through RAMQ's system. I actually think it's deliberate to keep people from signing up. I'm a new resident of Quebec (within the last few years) and I had to prove I moved to Quebec when I first registered with RAMQ, then prove a few years after that I still lived in Quebec. Their bar for residency is super high too - leases, property tax and utilities do not count (although they're good enough for me to pay taxes and vote here). They asked me to send bank and credit card statements to show that I'm actually making purchases in Quebec. This is an issue for me as I work and shop in Ontario as I live on the border. Apparently it's a requirement of the Canada Health Act to only buy groceries in the province you reside in.
As an immigrant from the US, I find most of Quebec's government websites to be quite good actually. But maybe that's just my low standards.
Most government or government-adjacent (sépaq, Hydro Québec) websites are pretty decent. There's a few awful exceptions like the SAAQ disabling their online services at 11pm, as if their servers need to go to bed? Or the city of Longueuil's tax portal which looks like it is from the 90s!
Hydro Québec lets me download a CSV of my energy usage for my own analytics if I want. I find that pretty neat.
Hydro-Québec is a weird (but great!) example of government intervention in utility. We get the lowest prices and the company is overall well run.
On the topic of Hydro Québec, there's just something about the scale of turning the fifth largest asteroid impact crater into a reservoir for hydroelectricity that is awe inspiring. Why don't we see those sorts of aspirational mega projects for the greater good in Canada anymore?
Yesss. I'm a huge fan of Hydro Quebec :D https://github.com/pirate/quebec-power-grid-talk
I think the stars have to be aligned for a project like that to work. You need buy-in from first-nations, a charismatic PM that won't get torn apart for spending prodigious amounts of money and general public goodwill towards the objective.
Truly is a thankless job.
I interact the most with AFE (aide financière aux études) and FRQNet (grad school scholarships). These websites look like they weren't updated since about 1999 and are really, really counter-intuitive to use. Admittedly, they're also probably not the most used websites, and not high in their priority list.
Can you still catch a bus in Montreal at 26:30h? :) Used to be able to see bus schedules online for busses STM well past the 24h mark. Something about the technology not being ready for late-night busses on the 'next day' being attached to 'today'? Or something.
Their immigration and SAAQ sites are what I've interacted with most recently. Both "just worked" and had reasonable UI and UX without having to disable adblockers or use IE or any nonsense like that. There are small nits occasionally, but by and large they work for their intended purposes I've found.
I believe it's more prevalent in Europe, but if your bus or train departs at 23:30, it will arrive at 24:15, not 0:15. That's deliberate.
No idea if they still do it since I haven't looked at a paper schedule in years.
Not anymore. The busses only come every 5m90s on that route.
When I visited Quebec I was actually surprised by how common it was for the government to use cryptographic signatures. For example the wingdings hieroglyphics that get printed on every receipt (I guess to prevent tax evasion?).
Edit: an example- https://mobile.twitter.com/nneonneo/status/92323100662615654...
I love how often this comes up; whenever someone nerdy visits Montreal the first reaction to seeing those wing-dings is "I must know more!". Like this thread here: https://mailarchive.ietf.org/arch/msg/81attendees/fEjDmtd8Kf...
I get the sense everybody thinks their particular government is specifically bad at IT services.
Quebec actually specifically has a reputation of being slow to adopt technology relative to Canada.
Here’s some results of a longstanding poll. There have also been various official reports to this effect.
https://www.ctvnews.ca/mobile/sci-tech/canada-s-francophones...
I think a number of Canadian IT services are actually quite good. Stats Canada, for instance, is a national treasure.
I've found the CBSA to also be fairly reasonable, but I only needed one thing from it (and a FOIA request).
The QR code tech is good, but it's not from Quebec afaik
>vaccine appointment website as well as their proof-of-vaccination has been really well done.
The appointment website is bad:
- No date search (have to click multiple locations just to see they're full)
- Multiple popups every time you click on a location (are you over 18? Etc. Which could have been saved in cookie)
- They don't reserve the time you selected while filling the (long) PII form just before confirming. This can cause someone to snap it from under you. Either ask PII before clicking the time or reserve it would fix this
> their vaccine appointment website
It would have been even better if they did the "your ticket is reserved" with a countdown to give you time to fill the form.
Yep... that was a bit stressful
Some sites like the Carnet Santé are actually quite well done and easy to navigate.
I'm surprised to be out of the loop on this. This is the first I've heard of Quebec's vaccine passports. As the OP says, it also implies there is an app, with a vendor, an infrastructure, and key management. (smarthealthit and azure as it appears to turn out)
The ethics and legality of vaccine passports are still very controversial, and using Quebec as a test ground for it seems like it's part of an inevitable push, independent of popular assent to it. It's force, basically.
Using a JWT is sufficient for the purposes, and the vaccination status is basically a digital ID. This provides some mature and flexible structure to the token format, as opposed to say, a blockchain based one. The scanning app with the URI endpoints is going to be the interesting piece.
Having worked in the design of a related concept, the main failure modes here are a compromise of the signing key which is probably in an Azure HSM instance, or cached somewhere as just a k8s secret, mobile malware that steals or corrupts tokens, and then infrastructure DDoS against that API endpoint during a holiday airline rush. There's also the question of how the code verification app works, as that's where the real vulnerabilities would be.
Given the amount of co-ordination required for a scheme like this to work, it is difficult to believe this is not being done in secret, and if so, why?
Just to add some context re: Quebec.
Quebec's current Premier is a populist who has been gaining huge amount of popularity points with his constituents (albeit, with Montreal being a bit of an exception) in bucking the Federal government; especially when it comes to matters of the Canadian Human Rights charter.
> and using Quebec as a test ground for it
Who are you implying is using Québec as a test ground? The reality is simple: Québec implemented something of its own volition. Nothing nefarious here.
Given all vaccine passport programs necessarily need federal acceptance and co-ordination for them to be portable outside the province, it is a test for a program by the federal government. Few people have any expectation that Quebec will conform to national social norms and this is why it's being used as a pilot project for what appears to be a national attack on civil liberties.
"What appears to be a national attack on civil liberties"
Nice weasel words. Appears to whom?
We can't require vaccination, but we can certainly prevent unvaccinated people from entering the country. That's been the case in some parts of the world for decades.
Who is Quebec?
There's a nice JavaScript/node version of the decoding code that you can run locally on the shc:/... QR code value here:
https://gist.github.com/remi/e3aa2f78845ee13f706ed83aead5145...
There's also an online version (that works on mobiles and desktops) and decodes everything on the client side:
For reference, the SMART Health Cards Framework (https://spec.smarthealth.cards) is the underlying specification behind these QRs. I've had the privilege of working with a broad swath of the healthcare IT ecosystem (in the US and internationally) on these openly licensed, standards-based specifications for consumer access and data sharing.
The SMART Health Cards Framework is designed to dovetail with SMART on FHIR APIs for consumer access (which all Electronic Health Record vendors in the US are on the hook to support over the next year).
So... looks like it's using ES256. How long would it take to factor the private key?
The security of elliptic curve cryptography is based on discrete logarithms; there’s nothing to factor. Until we get very large quantum computers, the best known attacks are brute force searches taking about 2^128 steps for a 256-bit elliptic curve, which is far outside the realm of practical.
A lot of time... if you're not NSA
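An added example, not from the thread or the linked gist: Node.js code for what a verifier does with the `shc:/` value discussed above, following the SMART Health Cards encoding (digit pairs offset by 45, compact JWS, raw-DEFLATE payload, ES256 signature). It handles single-chunk QR values only; the key id, issuer URL and claims are constructed sample data, and the function names are chosen here.

```javascript
const crypto = require('node:crypto');
const zlib = require('node:zlib');

// shc:/ numeric mode: every two digits encode one JWS character as (charCode - 45).
function shcToJws(shc) {
  const digits = shc.replace(/^shc:\//, '');
  if (!/^(\d\d)+$/.test(digits)) throw new Error('not a single-chunk shc:/ payload');
  return digits.match(/\d\d/g).map(d => String.fromCharCode(Number(d) + 45)).join('');
}

// Check the ES256 signature against a key the verifier already trusts,
// and only then inflate and parse the payload (header "zip":"DEF" = raw DEFLATE).
function verifyCard(shc, trustedKeys) {
  const [h, p, s] = shcToJws(shc).split('.');
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  if (header.alg !== 'ES256') throw new Error('unexpected alg ' + header.alg);
  const key = trustedKeys[header.kid]; // trust comes from the verifier's key list, not the card
  if (!key) throw new Error('unknown issuer key ' + header.kid);
  const ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`),
    { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  return JSON.parse(zlib.inflateRawSync(Buffer.from(p, 'base64url')).toString());
}

// --- Constructed sample data: a throwaway issuer key and a minimal card ---
function makeSampleCard(privateKey, kid, claims) {
  const b64 = buf => Buffer.from(buf).toString('base64url');
  const h = b64(JSON.stringify({ zip: 'DEF', alg: 'ES256', kid }));
  const p = b64(zlib.deflateRawSync(JSON.stringify(claims)));
  const sig = crypto.sign('sha256', Buffer.from(`${h}.${p}`),
    { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return 'shc:/' + [...`${h}.${p}.${b64(sig)}`]
    .map(c => String(c.charCodeAt(0) - 45).padStart(2, '0')).join('');
}

const issuer = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const claims = { iss: 'https://issuer.example', vc: { type: ['demo'] } };
const sample = makeSampleCard(issuer.privateKey, 'demo-kid', claims);
const trusted = { 'demo-kid': issuer.publicKey };

console.log(verifyCard(sample, trusted).iss);
```

Verification needs no network access once the issuer's public key is in `trustedKeys`; which keys belong in that list is the trust question raised earlier in the thread.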