Objective
Good Health Pass compliant implementations must meet baseline security and privacy requirements that enable holders to maintain full control of their personal data.
Terms of Reference
All stakeholders in the Good Health Pass Collaborative digital trust ecosystem need to be confident in the security and privacy protections that the ecosystem enforces. In some jurisdictions, these protections are already required by existing data protection regulations; in other cases, governance authorities may seek to pass new legislation to enshrine them in law.
...
- Privacy by Design and Default
  - Non-linkable transactions: to prevent unintentional correlation of the holder
  - Data minimization: to enable selective disclosure of only the data strictly required by a verifier
  - Zero-knowledge proofs: privacy-preserving cryptography that supports selective disclosure
  - Privacy-preserving protocols: to help ensure that a user is not tracked when presenting their credentials
  - Transparency: to provide sufficient information to the holder about the processing of their personal data
  - Purpose limitation: to collect personal data for specified, explicit and legitimate purposes and not process it in a manner incompatible with those purposes
  - Auditable and informed consent (or delegation of consent)
- Security by Design and Default
  - Secure transmission of verifiable credentials
  - Secure storage of verifiable credentials (e.g., cloud- or edge-based wallet)
  - Secure issuance of verifiable credentials
  - Secure verification of verifiable credentials
...