When the “Certify API” is called by a vaccinating system, a unique QR code is generated for that specific event. This document specifies the data structure that can be used to generate a QR code-based digitally verifiable certificate for a registered health event.
The payload structure follows the JSON Web Token (JWT) digital signature format defined in RFC 7519. The payload is transported in a DIVOC certificate. A JWT includes the following:
Header
Payload
Signature algorithm
The header contains the information about the certificate, which is based on the W3C verifiable credentials data model. The header also indicates the type of certificate being issued.
The payload is divided into several parts:
The first part contains the details of who is issuing the certificate along with the timestamp.
The second part contains the details of the beneficiary to whom the certificate has been issued.
The final part contains details on the event for which the certificate has been generated. The event part has details of the health event (such as vaccination), including the type of vaccine, dose details, and location of the vaccination, along with a timestamp.
DIVOC is capable of self-generating a public-private key pair. It also supports a signing configuration where the country has onboarded a CA (certificate authority) responsible for generating the keys. In the latter case, DIVOC will use the private key issued by the CA and sign the QR code.
The DIVOC certificate is flexible and multiple signing algorithms can be used.
Self-generated keys or the keys from a country’s PKI service provider can also be used. DIVOC currently uses two default signature algorithms:
1. PS256 - Using "crit" with "b64" (https://w3c-ccg.github.io/security-vocab/#RsaSignature2018)
2. ES256 (https://w3c-ccg.github.io/security-vocab/#EcdsaSecp256k1Signature2019)
The public key along with the method of signing will be provided to verifiers to authenticate certificates.
Based on the algorithm that is being used for certificate generation, the certificate can be verified by the verifier.
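The verifier-side check described above, as an added example that is not DIVOC's own code: it signs and verifies a detached JWS using PS256 with the "crit"/"b64" header named in the list, using only Node.js's built-in crypto module. The key pair, the sample certificate body and all function names are constructed for illustration.

```javascript
// Added example (not DIVOC code): detached JWS, PS256, unencoded payload ("b64": false, RFC 7797).
const nodeCrypto = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
// PS256 = RSASSA-PSS with SHA-256 and a salt as long as the digest (RFC 7518).
const { RSA_PKCS1_PSS_PADDING: padding, RSA_PSS_SALTLEN_DIGEST: saltLength } = nodeCrypto.constants;
const PSS = { padding, saltLength };
const ALLOWED_ALGS = new Set(['PS256']); // verifier allow-list; this sketch implements PS256 only

// With "b64": false the signing input is BASE64URL(header) + "." + the raw payload bytes.
function signDetached(payload, privateKey) {
  const header = b64url(JSON.stringify({ alg: 'PS256', b64: false, crit: ['b64'] }));
  const sig = nodeCrypto.sign('sha256', Buffer.from(`${header}.${payload}`), { key: privateKey, ...PSS });
  return `${header}..${b64url(sig)}`; // detached form: the payload segment stays empty
}

// Validate the protected header first, then check the signature over the supplied payload.
function verifyDetached(jws, payload, publicKey) {
  const parts = String(jws).split('.');
  if (parts.length !== 3 || !parts[0] || parts[1] !== '' || !parts[2]) return false;
  let h;
  try { h = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8')); } catch { return false; }
  if (!h || !ALLOWED_ALGS.has(h.alg)) return false; // "alg" comes from the token: never dispatch on it blindly
  if (h.b64 !== false) return false;                // this verifier only handles the unencoded-payload form
  // Any "crit" entry the verifier does not understand must cause rejection.
  if (!Array.isArray(h.crit) || h.crit.length !== 1 || h.crit[0] !== 'b64') return false;
  return nodeCrypto.verify('sha256', Buffer.from(`${parts[0]}.${payload}`),
    { key: publicKey, ...PSS }, Buffer.from(parts[2], 'base64url'));
}

// Constructed sample certificate body; field names follow W3C VC terms, not DIVOC's schema.
const SAMPLE = JSON.stringify({
  issuer: 'https://issuer.example/', issuanceDate: '2021-01-15T10:00:00Z',
  credentialSubject: { name: 'Sample Beneficiary' },
  evidence: [{ vaccine: 'SAMPLE-VAX', dose: 1, facility: 'Sample Clinic' }],
});

function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const jws = signDetached(SAMPLE, privateKey);
  const forgedHeader = b64url(JSON.stringify({ alg: 'none', b64: false, crit: ['b64'] }));
  return {
    valid: verifyDetached(jws, SAMPLE, publicKey),
    tampered: verifyDetached(jws, SAMPLE.replace('"dose":1', '"dose":2'), publicKey),
    algNone: verifyDetached(`${forgedHeader}..${jws.split('.')[2]}`, SAMPLE, publicKey),
  };
}
console.log(demo());
```

Only the first result is true: an altered payload and a header outside the allow-list are both rejected before or during signature verification.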
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.