Privacy-friendly QR codes for identity

Back to the list of Speakers and Sessions
Watch the stream
Presenting personal information in the form of a QR code has become a daily reality for many during the Covid pandemic: in Quebec, people showed their immunization information using the government-issued VaxiCode, a SMART Health Card (SHC) credential that follows a medical standard adopted in Canada and in many other countries. The paradigm of presenting information about oneself can easily be generalized beyond this health scenario. In this presentation, I’ll first give an overview of the SHC framework, focusing on its security features and describing its deployment in Canada. I’ll then present a generic framework to issue QR codes that can encode attributes of any type. I’ll introduce a strong privacy feature allowing users to only disclose a subset of the encoded attributes, addressing one of the main privacy critiques of SHCs. Finally, I’ll give a demonstration and describe the open-source specification and reference implementation for this generic framework.

Outline of the presentation:

  • SMART Health Card (SHC)
  • Overview of the SHC framework, and of its overseeing organization VCI
  • Security analysis of SHC, including: key management, cryptographic signatures, revocation of issuers and SHCs, and trust establishment (trusted issuer directory and auditing)
  • Claims QR
  • Presentation of the Claim QR framework for generic attributes
  • Hash-based mechanism for selective disclosure of attributes
  • Overview of the open-source specification and reference implementation
  • Demo (issuance and validation of generic attributes)
  • Q&A