Building an SSI Ecosystem: Health Passes and the Design of an Ecosystem of Ecosystems


Ever since the Covid pandemic started in 2020, various groups have seen verifiable credentials as a means for providing a secure, privacy-respecting system for health and travel data sharing. This post explores the ecosystem of ecosystems that is emerging as hundreds of organizations around the world rise to the challenge of implementing a globally interoperable system that also respects individual choice and privacy.

Vaccination Card

In The Politics of Vaccination Passports, I wrote about the controversy surrounding proposals to require people to show proof of vaccination to travel–specifically fly. The worry is that once we get used to presenting a heath credential to travel, for example, it could quickly spread. Presenting an ID of some kind could become the default–with bars, restaurants, churches, stores, and every other public place saying "papers, please!" before allowing entry.

My personal take is that while I'd rather avoid that scenario, it is likely inevitable. And if that's true, I'd love to have it designed in a way that respects individual choice and personal privacy as much as possible. This is a tall order because getting the tech right is only the first step on a long road. The air travel industry is global, gargantuan, and incredibly decentralized. Building an interoperable system of travel passes requires not just an ecosystem, but an ecosystem of ecosystems.

Suppose Alice lives in Naruba and has been vaccinated against Covid. The local hospital where she was vaccinated has issued a credential to Alice with the data about her doses, the dates, vaccine batch numbers, and so on. Alice is traveling on business to the Emirate of Kunami which requires proof of vaccination. To fly, Alice must present a health pass to the gate agent who works for Kunami Air in the Soji airport. How does Kunami Air know they can trust a credential issued by a hospital they've never heard located in another country?

Building a global, interoperable health and travel pass network requires both technology and governance. This sort of situation isn't new. In fact, if we replaced "proof of vaccination" with "airline ticket" in the preceding scenario, we wouldn't think anything of it. Different companies from different countries have been figuring out how to interoperate and trust the results for decades, maybe centuries.

But doing that digitally, and quickly, is a big job with lots of moving parts. Below I take a look at a few of those parts and how they come together to solve the problem.

Good Health Pass Collaborative

The Good Health Pass Collaborative (GHPC) is an "open, inclusive, cross-sector initiative" of dozens of companies from the travel, health, and technology industries that is defining the blueprint for health and travel passes that are privacy-protecting, user-controlled, equitable, globally interoperable, and universally-accepted by international travel.

GHPC is very specific about what a "pass" is:

A credential to which data minimization and anti-correlation have been applied and any relevant travel data has been added so it includes only what a verifier needs to make a trust decision in a specific context (such as boarding a plane).

A credential could have lots of health and travel data. The pass contains just the data needed for a specific context.

GHPC published a set of ten principles in February to guide their work. These principles lay out a path that is consistent with self-sovereignty, respects individual autonomy, and promotes good privacy practices.

In June, GHPC published a blueprint that provides recommendations for building a good health pass. The challenge of meeting the principles, while exchanging health data across different industry sectors can be overwhelming. The blueprint provides specific guidance on how to meet this challenge without sacrificing the principles that make a health pass "good." The recommendations include designs for trust registries and frameworks, data and protocol standards, and other components for the global interoperability of COVID certificate ecosystems.

These efforts say what a good health pass is and give guidance for creating a credential ecosystem, but they don't create any such ecosystems. That's a job for other organizations.

The Global COVID Certificate Network

The GHCP Blueprint provides recommendations about trust registries and frameworks, data and protocol standards, and other requirements to create global, interoperability ecosystems for COVID certificates. The Linux Foundation's Global COVID Certificate Network (GCCN) "operationalizes and adapts the GHCP Blueprint recommendations for governments and industry alliances who are working to reopen borders." You can think of GCCN as an instantiation of the GHPC Blueprint.

Going back to our traveler, Alice, we can imagine that Naruba and Kunami both have national health systems that can follow the blueprint from GHCP. When Alice uses her health pass inside Naruba, it is reasonable to expect that Narubian businesses will know what a real Narubian health pass looks like and whether to trust it or not. To make this possible, the Narubian health ministry would determine what data a legitimate pass contains (e.g. its schema) and what forms it takes such as the paper design and digital format. The ministry could also determine who in Naruba can issue these health passes and even set up a registry so others in Naruba can find out as well.

This kind of one-size-fits-all, single-source solution can solve the local problem, but when Alice is interacting with people and organizations outside Naruba, the problem is much harder:

  1. Naruba and Kunami may have adopted different technologies and schema for the credential representing the health pass.
  2. Random organizations (and even people) in Kunami need to be able to establish the fidelity of the credential. Specifically, they want to know that it was issued to the person presenting it, hasn't been tampered with, and hasn't been revoked.
  3. In addition, these same entities need to be able to establish the provenance of the credential, specifically that it was issued by a legitimate organization who is authorized to attest to the holder's vaccination status.

This is where GCCN comes in. GCCN has three components:

  1. a trust registry network
  2. a certificate implementation toolkit
  3. a set of recommended vendors

The trust registry network and its associated protocol not only helps Naruba and Kunami each establish their own registries of authorized health pass credential issuers, but also enables a directory of registries, so an organization in Kunami can reliably find the registry in Naruba and discover if the issuer of Alice's credential is in it.

The toolkit provides several important components for a working ecosystem:

  • a template for a governance framework that governments and industry alliances can use to make their own policies.
  • schema definitions and minimum data sets for the credentials.
  • technical specifications for the software components needed to issue, hold, and verify credentials.
  • implementation guides and open source reference implementations.
  • guidance for creating the governance framework and technical implementation.

The vendor network provides a commercial ecosystem to which governments and industry associations can turn for support. The vendor network provides a set of organizations who have competence in building credential ecosystems. Over 25 separate companies and organizations support GCCN.

With all this, GCCN doesn't actually build the ecosystems. That falls to organizations who use GCCN to instantiate the framework provided by GHPC.

Building the Ecosystem

One of those organizations is Cardea. Cardea is a fully open-source and field-tested verifiable digital credential that meets the major requirements of the Good Health Pass Blueprint. Cardea was developed by Indicio and is now a community-led project at Linux Foundation Public Health (LFPH).

Cardea was trialed on the island of Aruba by SITA, one of the participating companies in the Cardea initiative. SITA is a good partner for this since they're responsible for a majority of airline industry IT systems. In the pilot, travelers could prove their Covid test status at restaurants and other tourist locations around the island. The combination of a good trust framework, and self-sovereign-identity-based credential technology allowed businesses to trust tourists' health information while preserving their privacy.

Another example of a working health pass credential ecosystem is the IATA Travel Pass. Travel Pass has been developed by the International Air Transport Association (IATA) and leverages verifiable credential technology from Evernym. The IATA Travel Pass is conducting initial pilots with over 50 airlines and the International Airlines Group (IAG).

A third example is Medcreds from ProofMarket. Medcreds uses the Trinsic API to provide service. MedCreds partnered with the Georgia Academy of General Dentistry to provide free COVID-19 test credentials to their providers and patients. MedCreds allows dentists to reduce the risk of spreading and contracting COVID-19 by knowing with greater certainty the status of a patient's most recent test.

Cardea, IATA Travel Pass, and Medcreds have tools for hospitals, labs, and other organizations who issue passes and for the airlines and other venues who verify them. All also have wallet apps for credential holders to use in receiving credentials as well as presenting the proofs that constitute the actual travel pass from those credentials. In addition, all three initiatives include governance frameworks that service their respective ecosystem.

Because all three are compliant with the GHPC's Blueprint and GCCN's architecture and guidance, the ecosystems they each create are part of the global ecosystem of ecosystems for health and travel passes. As more organizations, countries, and technical teams join in this, the global ecosystem of ecosystems will constitute the largest ever verifiable credential use case to date. The planning, design, and implementation show the level of effort necessary to create large credential ecosystems and provide a path for others to follow.

As I said in The Politics of Vaccination Passports, I'm persuaded that organizations like the Good Health Pass Collaborative and Global Covid Credential Network aren't the bad guys. They're just folks who see the inevitability of health and travel passes and are determined to see that it's done right, in ways that respect individual choice and personal privacy as much as possible.

Photo Credit: COVID-19 Vaccination record card from Jernej Furman (CC BY 2.0)

Please leave comments using the sidebar.

Last modified: Mon Sep 20 10:03:47 2021.