Technical Details: a work in progress, version 1.1
Right now I am looking at an X.509v3 infrastructure widely used by the Internet and also a blockchain application.
Since I know how the X.509v3 part works and have the IP to use this in the US, this would be my first preference, but there are political problems in getting states and cities to implement the basic schema, which has existed in digital certificates since 1991 along with the entire suite of tools to make it happen.
Historically this was originally inflexible, being confined to X.500 (back in 1993 people were still thinking about an Internet-based Directory, which I managed), but it still gave good results when we applied it to nuclear weapons via the national lab responsible for testing and implementing nuclear weapons treaties. This involved the collection of data, and verification of that data, from remote sensors or telemetry via the ROSE protocol.
It was subsequently extended to the Internet as X.509 version 3, from the original 1988 version of X.509, via RFC 5280.
The ITU X.509 document is from 2016, recent enough to fully understand the concept; a new paid version is available if you plan on actually implementing the standard.
That said, any state or city or government authority, hospital or organization that wants to implement this already existing PKI infrastructure to implement the rest of the Covid Cleared economic recovery solution is welcome to get in touch.
Typically this would involve working with one of the current Certificate Authorities and setting up PKI if you want to scale outside of your organization. Internally, one can deploy an organization-specific solution only; these already exist.
Generally large scale companies like Comcast use X.509 on the back end. It pretty much is the standard basis for security on the Internet.
If you have ever gotten a personal digital certificate, created a digital certificate for a web site, or are knowledgeable about how TLS works with a web browser, you know how the schema works.
There is nothing preventing you from creating your own certificate authority (it is built into Mac OS), or doing so on Linux using OpenSSL. Beyond using this within a group of friends or within a small group of companies, there is fundamentally no reason a browser will trust this certificate. A browser has pre-loaded root certificates and an extensive set of self-determined policy rules, called CAB, to protect end users of browsers.
To actually create a secure Certificate Authority is hard. There are a lot of requirements. It is a given that one will be attacked, since hackers (and intelligence agencies) want valid certificates to push malware in the form of software updates. This is a specific use case called code signing. If you sign up to be a developer, a company will sign your code as being authentic when distributed through their App Store.
The Internet and FOSS will more likely be signed via GnuPG.
Government stuff will use NSA as a root of trust, (because they obviously won't trust the companies they can already hack as extensively documented by Snowden), but primarily because it is a specific community of interest with a set of requirements. NIST applies to both government agencies and their security, but also applies generally to a set of standards.
So technically, until we get to issues of resources (like finite processing power versus electricity as a utility) the question of trust becomes what you can afford and how well a company like Apple, Google or Microsoft can bundle all these associated services versus creating your own by either writing software or using FOSS. Each approach has its merits, and it depends on the threat model. Are you being targeted by country level hackers who want to screw up your efforts?
Totally different than other hackers. As such the architecture is somewhat independent of the threat model.
I'm going to assume that you will do the right thing from a security standpoint regarding HIPAA and the Internet and if you don't you will probably be hacked. The net result will be fake Covid test results presented to relying parties. That is a given with any FHIR based solution. It has the same security problems anything on the Internet has. Also applying the requisite security solutions will prevent a significant amount of the problems until zero days are developed. The really good part of the economic model is that it is totally useless for Joe Average Hacker to burn an 0day on an individual, since it is worth so much money. That's a feature of the design.
The very hard stuff to hack is located in a secure cloud implementation already expecting to be hacked.
The relevant Covid test data elements are distributed to individuals to share as they see fit, (being their own health care information) using existing secure transfer mechanisms. The permission scope of the sharing will be the choice of the end user.
Possible variations which can be toggled, while not exhaustive, give the general idea of what permissions might look like in sharing your Covid Cleared immunity card.
The assumption here would be this is taking place as an electronic contract, but should you choose to present it in a different way that would be up to you. Each display will have a level of authenticity according to the local social protocol and access to verification devices.
Here is a Brooklyn woke version
"Ah I see you are wearing the new immunity button? Very cool, how does it work."
"Well pretty simply. If everything is good, it glows green. Yellow if caution, and if it's red, I will take appropriate precautions"
"I'm a maker, how did you do it?"
"I downloaded the parts and plans from Adafruit, programmed some things I learned at Codecademy for CircuitPython, and made it into a wearable. I give them away to healthcare workers in the neighborhood. I integrated the JSON code from Google and Apple to do anonymous near-field and Bluetooth queries and it told me that you had immunity attribute anonymized broadcast enabled within 6-12 feet via that Apple Watch you are wearing"
"Very cool, you want to go grab coffee? I work for the EFF and I think we could help."
Here we are mirroring the social distancing with an opportunity to scale.
1. Share only at a geographic, distance, or logically definable location.
Geo fence an area and share with office mates, people who share a common employee attribute. All the people at a plant. Just the Starbucks. People at the Firehouse, the local Bar. Anyone on this train.
This is most likely anonymous but able to be contact traced based on your situational awareness delivered into your in-phone geographic storage, as in the MIT Solid implementation, mashed up from lat/long and other data.
2. Share with people on my contact list, for example friends or office workers.
3. Share information with a specific person or verification device, like an Uber Driver.
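A sketch of how the three toggles above could be evaluated on the holder's device, deny by default. This is an added example, not code from the prototype; the class and function names, the ids, and the coordinates are all hypothetical, and treating only the geofence scope as anonymous is an assumption drawn from the description of scope 1.

```python
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt
from typing import NamedTuple, Optional, Tuple


class Decision(NamedTuple):
    share: bool
    scope: str        # which user-chosen scope matched, or "none"
    anonymous: bool   # True: disclose the status only, no identity (assumption)


@dataclass
class SharingPolicy:   # hypothetical model of the three toggles above
    geofences: list = field(default_factory=list)  # 1. (lat, lon, radius_m)
    contacts: set = field(default_factory=set)     # 2. contact-list ids
    verifiers: set = field(default_factory=set)    # 3. named person/device ids


def distance_m(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle (haversine) distance in metres between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371000.0 * asin(sqrt(h))


def decide(policy: SharingPolicy, requester: str,
           holder_pos: Optional[Tuple[float, float]]) -> Decision:
    """Deny by default; share only when a scope the user enabled matches."""
    if requester in policy.verifiers:
        return Decision(True, "verifier", False)
    if requester in policy.contacts:
        return Decision(True, "contacts", False)
    # The geofence test uses the holder's own device position, never a
    # location claimed by the requester, which the holder cannot check.
    if holder_pos is not None:
        for lat, lon, radius_m in policy.geofences:
            if distance_m((lat, lon), holder_pos) <= radius_m:
                return Decision(True, "geofence", True)
    return Decision(False, "none", True)


# Constructed sample policy and positions (not real data).
POLICY = SharingPolicy(geofences=[(38.7209, -75.0760, 200.0)],
                       contacts={"alice"}, verifiers={"uber-driver-17"})
INSIDE, OUTSIDE = (38.7210, -75.0761), (38.7309, -75.0760)

if __name__ == "__main__":
    for who, pos in [("uber-driver-17", None), ("alice", OUTSIDE),
                     ("stranger", INSIDE), ("stranger", OUTSIDE)]:
        print(who, pos, decide(POLICY, who, pos))
```

An empty policy shares with no one, so a freshly installed card discloses nothing until the user turns a scope on.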
The full set of all possible permissions is NP-hard.
The data is infinitely scalable but localized by the preferences of the user.
Any encounter will involve business rules that exist for the environment and that can be communicated as a message to the end user in recognition of the official Covid Risk score at that time and place, which will be calculated by testing and broadcast by Public Health.
"Hello, welcome to Delaware."
Our beaches are currently closed at Rehoboth. All others are Open.
Once downloaded into the smartphone, the keys for the Covid test data reference live in a Secure Enclave on Apple or Android.
Subsequently it is displayed according to the user permissions.
"Hi Peter"
"Hi Bobs"
"Seems like you have some problems with the TPS Reports?"
"No problem, actually I don't do them"
"We are doing a layoff with the Covid, was wondering if you are immune"
"Sorry Bobs, that's on a strictly need to know, that only is shared within the department."
Given the NP-hard problem of attribute permissions, the idea is to assign or delegate authority via an authority manager that is capable of being adapted to most situations.
"Sorry, can't go in there. That person is quarantined due to cancer immune suppression".
"But I am Covid Cleared"
"I know, we scanned your Covid status, no problem, however you could have other potential infectious conditions that we don't track, so we could not arrive at a mutual risk score to allow entry"
Risk Continued to Country level hackers
A Chinese APT crew hacked an entire healthcare system via a published exploit in a massive system breach: a named exploit, "Heartbleed", that had a logo. The healthcare system appropriately responded, within a 24 hour window, to patch the vulnerable device once the software was available from the vendor. Good, but not good enough: the APT crew had already stolen the admin credentials, forged them, and exfiltrated all the database data back to China before the patch was applied. Try doing that with 120 million people with the data stored on their smart device.
They can attack the cloud provider itself (not unheard of certainly but clearly possible to defend if there is no obvious negligence by the developer such as leaving access information on Github for example) with various attacks.
Building a HIPAA firewall?
National Security and Law Enforcement already have legal access to your medical records and you have already signed a document that you understand this. It is simply built into HIPAA. Whether you want to participate in a healthcare clinical test is up to you. They don't have automatic consent to make you a test subject based on medical ethics derived from the Nuremberg trials. These fundamental rights will not be abused by bad software design. Even if you signed that HIPAA notification form to get treatment, there has to be informed consent. That means there needs to be a consensus as to transparency.
This is a fundamental tension of combining Intelligence with economic goals and why the SARS-CoV-2 virus lays this bare. We need good intelligence and we need good security and privacy, plus we need economic growth and stability. Unfortunately, for whatever motivation, sometimes people want to actively screw around with that (on a case by case basis) until they are detected and booted out. This can be categorized as security failures either on a personal level, or at scale.
Notable examples of failure would be DigiNotar.
Yet at the same time it is very simple to roll some of your own certificates if you trust your peers. Somewhere in between is a subCA that can create its own certificates, which are then trusted by Internet software by virtue of being built by a recognized Certificate Authority but managed by a community of interest organized around industry groups such as Aerospace, Pharma, and Healthcare. Those groups need a consistent approach to submitting paperwork to the government and to interacting with government systems. As such the encryption is important, but the big payoff is in digital signatures for things like clinical drug trials. Digital signatures are an important part of X.509v3 and legally recognized in the US as valid due to work done by the ABA which resulted in the ESIGN law.
In general, as opposed to the hierarchical root of 1988 X.500, the more recent versions of the software modify this. As a result there is no single point of truth (a general problem with distributed systems referred to as the Byzantine Generals Problem in regards to BlockChain). Instead, somewhere after the X.509 and X.500 infrastructure that I managed ended its funding grant from the National Science Foundation,
The actual structure of the attribute certificate versus an identity certificate is less well known, and to my knowledge not as well implemented as identity certificates. It has been developed in the standard; the basic concept is that your identity is fairly well established (and can be done in a number of different ways) but not by itself
The ACME protocol is well established, so getting a web server solution is easy. Users don't understand that encrypting the connection to a website via TLS is only protecting the network connection, not the security of the website.
This c=US architecture solution is both proprietary intellectual property, open source, and importantly an existing ISO standard. This means traceability and thus a reason to trust the results.
Blockchain
Microsoft is helping with blockchain development, and I want to pull in partners from my blockchain healthcare contacts.
This is open source. As such there is a delay to get up to speed that will match the delay in the availability of the tests. Part of the prototype backend is being built on Microsoft Azure for simplification; however, it should be possible to build and deploy it on any cloud provider for the targeted community of interest related to your use case.
Who is your use case? I am focusing on Uber/Lyft drivers. Maybe you are a developer for Epic or a hospital IT admin who develops apps. Perhaps you work for a large company that has an Active Directory footprint. A large college or University. A city government public health department. Maybe a Navy secretary. Someone who focuses on the underserved such as the homeless? At some point the solution (or any developed version of the solution) has to be administered and maintained by someone and then scale to specific communities of interest that have their own unique privacy and security requirements.
The TL;DR is that a blockchain approach is very attractive: your blockchain is private, while the labs and healthcare providers are on a public blockchain and attest to the validity of the serology test by digitally signing the result. There are existing healthcare data transfer and verification mechanisms that can be pulled in.
As a patient you have every right to voluntarily share your Covid status with whomever you want. This is a vast simplification from public health that must maintain a privacy shield around people who test positive with the rtPCR test. Your right to use your health data is informed consent and part of a larger set of immutable rights for every human regardless of political location.
What we see now in some Covid applications is a questionable application of human rights. So this must be addressed in the requirements. Public Health, Law Enforcement and National Security can share this data as they see fit per regulations. As an individual you do not have these restrictions but neither can you stop them from gathering data. Ultimately they need to commit resources, but at this point they failed the containment phase by allowing the spread of the virus. We don't also want them to fail the recovery phase by stopping people from working who have tested immune. I hope that is logical, it has been endorsed by public health officials.
A healthcare provider must share it with you in a format you choose. To make it simple for the prototype we will use the already existing FHIR protocol that can transfer data into Apple Health. At that point the app or native applications will display the data or communicate the data in the format that you wish: QR code, NFC, AirDrop, email as an attachment, and so on.