Make approved trust list publicly accessible #10
Comments
|
+1 on this. We found a list hosted by the TU-Graz (AT) regards |
|
using this list we are able to validate barcodes issued in Austria |
|
Edit: The EU currently does not plan on hosting such a list. Please contact the member state you are operating from or in contract with, they are responsible for distributing the trust list. |
|
Most countries publish their public certificates - as they are public. However the company & their expert suppliers that operates the joint gateway are concerned of all sort of 'attacks' - and for this reason insists on putting the joint list of public keys behind TLS-client auth. The reasoning behind this is not entirely clear to most of us. The Netherlands publishes its public keys at https://www.npkd.nl/csca-health.html - publicly. |
|
Thanks, ok I get the point, and its also not entirely clear for us ;) Thanks for the list of NL keys. Austria is currently only publishing a test list here: Will try to get into contact with officials and keep you updated. thanks |
|
There seems to be a multitude of open issues around github regarding the access to a global trustlist and they all point here, let me share my experience and thoughts. I was able to get access to the list via our (Finland) national provider in half a day (1 email & 1 webform today) and I've implemented a certificate database which downloads new certs and the list of valid key ids (for pruning old ones) regularly. I can validate the COSE of my own vaccination EHC successfully with the FI-issued public cert. My database currently has 133 active certs from AT BE BG CY CZ DE DK EE ES FI FR GR HR HU IE IS IT LI LT LU LV MT NL NO PL PT RO SE SI & SK. Of course I cannot share the database or open a JWKS type service because that would put me in a man-in-the-middle position (no amount of disclaimers would stop people from trusting the informal list of keys). I fully understand that the EU wishes to allow member states to implement their own backends for this and also filter certs or add national variants etc.. but still this seems overly complicated that not even the list of valid cert fingerprints (from which the first 8 bytes are used as key ids) is not published as a static & signed list anywhere. I strongly feel that some sort of discovery service run by the EU would be a bare minimum (returns a JSON object of country codes mapped to metadata including API URLs) and that member states should run a JWKS-style public service for keys. I have no idea how well prepared other countries are to support developers and I applaud our officials for the straightforward process and quick turnaround (they are also updating the public websites based on my feedback). Maybe this github repository could include links to every national provider of the trust store so developers know who to contact? |
|
I totally agree. JWKS style public keys is what the SMART Health standard used by some canadian provinces and California is using for their vaccination QR codes: https://github.com/smart-on-fhir/health-cards/blob/main/docs/index.md |
|
Here is my contribution: https://github.com/lovasoa/sanipasse/blob/master/src/assets/Digital_Green_Certificate_Signing_Keys.json This is a versioned and automatically updated list of signing keys from all member states, extracted automatically from the french backend, and updated twice per day. |
|
I agree with the discussion here. If the list is not publicly available, at least there should be a simple verification process to get an API key to get access to the list, with all the protection/throttling/terms and conditions associated with it. This is unnecessarily imposing restrictions for building on this further, especially for services across-state. |
This is great - I am going to get in touch with the Swedish counterpart and see if I can get a list. If more people could do the same, one could simply download all of them to verify and not have to rely on just one. |
@jbx1 As it is, this is not a technical but a political issue. Member states have sovereignty over the trust list, not the European Commission, that is why there is no central list, nor a central place to request access. However member states are free to provide easy access to the list if they so choose. |
|
Actually - I’ve not heard that argument made. If that is indeed the reason - fair enough. But sofar - the arguments made by the operators is that they worry (rightly/fairly) about a deluge of trust-list fetches from verifiers in the field - with whom they have no relation / no desire to serve.
|
|
@daniel-eder Yes I understand the reasoning might have been political, but it makes no sense at all. How state A has sovereignty to share the public key of an unrelated state B within the territory of state A is beyond me. When state B is sharing its public key (which by its very nature is public, so safe to share) with all other member states, it is doing effectively the same thing. There could still be verifications that who is requesting them is an EU company/resident, just like is done in .eu domains, and make it available through an API key, to at least even protect against DDOS attacks etc. |
|
I just found the trust list provided by Germany: Its in yet another format. Documentation: I didn't manage to verify the signature of the trust list itself, though. See my question here: |
Nice & Thanks! We have created a mirror for public known trustlists. We have access to the German / Austrian and thanks to this post to the French trust list. We well add the Austrian Trustlist in the next days. https://github.com/section42/hcert-trustlist-mirror/settings Maybe this will help someone, feel free to use. regards |
|
Where is the official Austrian trust list? I'm from Austria and would need that one but can't find it, only the test list mentioned above. |
|
We found the trustlists by looking at the check apps provided by the different countries. |
|
Hi, who should I ask for European certificates? Italy etc ..? |
|
You should get in touch with the national health authority of the country you are operating your application in. The national backends will allow to verify certificates from other EU member states as well. @EdossProject |
|
Best to ask the authority in your own country.
And the one Sweden has done is drop dead gorgeous:
https://dgcg.covidbevis.se/tp/
The dutch one is at:
https://www.npkd.nl/dsc-health.html
https://verifier-api.coronacheck.nl/v4/verifier/public_keys
Dw.
|
There is no e-mail or anything else to contact them! |
How about other non EU countries? For instance, if the institution is in the US and needs to get all public keys for EU countries, who should we contact? |
|
@MA1GitHub the process is roughly the same. Once a country has been onboarded and can interact with the system, it can also provide access to public keys to private institutions. That means, the first step is always to get in touch with your national health authority and see if they already established contact with the EU. |
|
Everyone gets everyone's public keys. |
|
Links have already been posted in this thread to various public lists from member states. The subject of publication by the EU of the list is AFAIK still ongoing. That discussion lives by the eHealth Network, there will likely be some kind of update on our GitHub (https://github.com/ehn-dcc-development/) once more is known. |
Thanks for listing the links. |
The payload is in base64, if you have access to a POSIX terminal:
|
|
FYI, the links are also collected on https://github.com/section42/hcert-trustlist-mirror. Example code for loading all of the trustlist mirror lists (for the purpose of verifying certificates): https://pkg.go.dev/github.com/stapelberg/coronaqr/trustlist/trustlistmirror |
|
Thanks for listing the links.
The endpoint (https://verifier-api.coronacheck.nl/v4/verifier/public_keys <https://verifier-api.coronacheck.nl/v4/verifier/public_keys>) returns a signature and a payload, how can we get the public key list from the response?
https://www.npkd.nl <https://www.npkd.nl/> or the standard chain on most operating systems (CA of The Netherlands).
Dw
|
Thanks for the clarification. javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target Does it mean I have to get a certificate? If so, where can I get it from? |
|
This script shows how to get the Italian trust list: https://github.com/ministero-salute/dcc-utils/blob/master/examples/fetch_certificates.js |
|
Posting this here since a lot of people were actively participating. Some countries are actively changing the expiry periods for vaccination certificates, especially the ones given last year. Looking for some central place from where to get these. |
|
Ours are here: https://verifier-api.coronacheck.nl/v6/dcbs/business_rules The payload is base64 encoded JSON. Otherwise it's the raw data returned by the gateway. |
|
URLs and descriptions of the Austrian rules can be found here: |
|
@panzi Nice overview! Do you mind if I backlink to this? |
|
It's not my repo, it's an official repo of the federal ministry of health Austria. |
|
@panzi Understood, and I'll take it as a “yes” :) |
and others
Why would you put the master trust list behind mTLS auth?
Priority should be assigned to distributing a verifiable trustlist to everyone who wishes
to validate the contents of DGCs. The certificates/pkeys are not sensitive
and should be made accessible to everyone.
If you don't want to serve this via an API at least
consider hosting a static daily dump (+ signature) of the trustlist in a publicly
accessible location.
The text was updated successfully, but these errors were encountered: