CH: testdata contains live, validating certificates #387
Comments
|
@SchulzeStTSI can you look at this and evaluate? |
|
I haved scanned the dgc-testdata json files against the production trustedList kids. Affected countries: Affected keys: 2
There could be more misuse of the keys. In the case of Spain, the signed dgc is not present in png format. |
Affected Country: CH
Issue Description
Out of curiosity, I checked dgc-specs on certain details and scanned various QR codes from different countries, using the iOS release versions of both "CovPass Check" (Germany) and "CovidCheck.lu" (Luxembourg), installed on iPhone via Apple's (German) App Store.
Most tested QR codes did "fail" validation using those live/release/production apps, which is what I'd expect from test data, and CovidCheck.lu also presented more metadata.
However, I also noticed a number of scanned QR-codes from the swiss testdata set ( https://github.com/eu-digital-green-certificates/dgc-testdata/tree/main/CH/ ) do perfectly validate with a green checkmark. The swiss QR codes 1,3,4,6,7,8,10,12,13 and 15 scanned by both apps do give a green checkmark and specify various identities of two female and two male first names (Martina Studer and Giulia Rosse born in 1964, Hans Muster and Hans Tester born in 1950). The only odd thing about some of those certs is the reference to "2 out of 2 vaccinations" for the one-shot Janssen vaccine - which an app is unlikely to notice.
I'm perfectly aware the full validation process in live requires checking the certificate's full name and DOB with official photo id (e.g. passport or ID card), so if everyone is following the rules, this is not a security risk. However, the general public is being warned across Europe not to share their QR codes on social media, as imposters might just copy those codes and hope on venue owners skipping the mandatory photo ID check, relying on "first name matches the person's sex and the DOB does look somewhat reasonable"). So publishing official and validating QR codes with reasonable metadata as part of the test data repository is possibly not intended. As the QR codes of other countries don't pass the validation apps, this is a CH-specific issue, but possibly requires broader clarification.
I tried searching for a policy on what kind of testdata should be used or how testdata should be generated, but couldn't find any. I tried finding a policy on security-related aspects of testdata or how to report possibly security-related issues, but couldn't find any as well.
Proposed Solution
Short-term (member state issue): ask Switzerland to revoke their test certificates, to prevent illegitimate use of their test certs. I've checked dozens of other QR codes from cdg-testdata, they don't validate with production apps and so revoking those certs shouldn't cause much harm, as nobody should rely on the validity.
Long-term (general issue): specify a policy, naming the intended use of test-data and how to properly create and use test data. A specific section in this policy should address security concerns - how to prevent test certificates from being misused in production.
Some simple ideas:
The text was updated successfully, but these errors were encountered: