key: cord-0460658-zrs0ougt authors: Barros, Mauricio de Vasconcelos; Schardong, Frederico; Cust'odio, Ricardo Felipe title: Leveraging Self-Sovereign Identity, Blockchain, and Zero-Knowledge Proof to Build a Privacy-Preserving Vaccination Pass date: 2022-02-18 journal: nan DOI: nan sha: 17c4eb3d4da32bef8b35305a4e70876d526fefd3 doc_id: 460658 cord_uid: zrs0ougt The current humanitarian health crisis popularized the debate on data privacy. At the same time, several cities, states, and even countries put the mandatory presentation of health pass to access services into practice. In this article, we explore the concepts of self-sovereign identity, blockchain, and zero-knowledge proofs to propose a solution to the problem of presenting proof of vaccination. This solution allows users to prove that they are vaccinated for different pathogens without revealing their identity. The architecture is loosely coupled, allowing components to be exchanged, which we discuss when we present the implementation of a working prototype. The COVID-19 pandemic surprised the world, generating an enormous health crisis with profound social and economic implications. Reopening the economy becomes a latent issue as many countries are vaccinating considerable portions of their populations [44] . The transition period between the prohibition of access to services and the complete and unrestricted reopening of the economy has been marked by the use of proof of vaccination for the SARS-CoV-2 virus, commonly called COVID passports, or COVID pass [32] . Countries, states, and cities are now demanding proof of vaccination, as is the case in the city of São Paulo [43] and the state of New York [42] . Such vaccination certificates help economic recovery, allowing vaccinated people to access services that invariably require close contact with others. However, the use of vaccination certificates poses privacyrelated challenges. For example, you need to ensure that whoever presents a vaccination certificate is who they say they are. It is not trivial to solve this problem without deanonymizing the certificate submitter. Another challenge is to allow a vaccinated person, in addition to proving their vaccination anonymously, not to reveal which laboratory manufactured their vaccine or even the exact date of vaccination. Vaccination certificates can be made in various ways, from a physical version of paper or plastic card to electronic. While the physical version is more vulnerable to fraud and doesn't solve the challenges listed above, it's cheap and readily available to everyone. The electronic version, which presupposes access to technology, can offer greater privacy, security, and scalability if properly designed and developed, possibly successfully tackling the challenges described above. One promising way to attack such challenges electronically is to use Self-Sovereign Identity (SSI). SSI is a user-centric paradigm of digital identity [1, 46] . In an SSI-based ecosystem, the user is central to identity management, having control and cryptographic guarantees over shared personal data. The SSI concept is especially relevant in sensitive personal data, such as health data. In addition to GDPR [14] , health data generally have specific legislation, such as HIPAA [6] , which establishes a legal framework requiring special care regarding the storage, handling, and sharing of health information. We tackled the challenge of creating a digital vaccination pass that respects users' privacy in this work. It allows their proof of vaccination to be verified while reducing the exposure of personal and health data. Our SSI solution to this challenge maintains user anonymity through blockchain and Zero-Knowledge Proof (ZKP). This article is organized as follows. In Section 2, we present the concepts of Digital Identity and Self-Sovereign Identity. Section 3 introduces concepts required to follow this work, namely Verifiable Credentials (VCs), ZKP, Decentralized Identifiers (DIDs), and Blockchain. We present our proposal and detail our implementation in Sections 4 and 5, respectively. In Section 6, related works are discussed, and in Section 7, we close the article presenting our conclusions. ISO 24760-1, which addresses security and privacy for identity management, defines digital identity as "a set of attributes related to an entity" [30] . In [11] , digital identity is defined as the representation of an entity linked to a specific context. Linking digital identity to specific contexts is a commonly accepted idea in the literature [18, 46, 31] . Identity management also called Identity and Access Management (IAM), is a set of policies, processes, and technologies related to the administration of digital identities [30] . [46] An identity management system defines how entities are identified, authenticated, and authorized to access restricted access services [18] . Digital identity and IAMs can be modeled in different ways. In this section, we describe the three traditional models of digital identity [1] , pointing out their problems to, finally, explain SSI and how this fourth model attacks the issues of the previous models. The isolated model was the first identity model. It is the simplest model [18] , as depicted in Figure 1 (a). In this paradigm, only the user and the service provider (SP) exist, and the SP also operates as an Identity Provider (IdP). Each web service that requires authentication and authorization must implement its own IAM. One of the consequences of this model is that users have many digital identities spread across different online services. Furthermore, each SP has to bear the costs of implementing and maintaining an IAM, which involves protecting against possible attacks, vulnerabilities, and taking care of the demands imposed by GDPR. The natural evolution of the previous model is the separation of IAM functionalities into a specific service for this purpose, giving rise to the identity provider as a service in itself. In this way, the IdP positions itself as an intermediary between the user and the SP, as shown in Figure 1 (b). In this model, the SP outsources identity management to the IdP. This model tackles the problems of (i) usability, i.e. users having many accounts, and; (ii) responsibility of SPs, i.e. SPs having to design, implement and care for sensitive user information. In this model, users do not need to have several distinct identities, and SPs do not need to implement their own IAM framework. However, this model generated unexpected consequences, such as an immense concentration of data in the hands of a few IdPs, e.g. Facebook, Google, and Twitter. These companies have become substantial data silos, trapping people in an oligarchy of few IDPs without portability among themselves [46] . By concentrating high amounts of personal data, these silos have become centers of attention, decoys for attacks. In addition, issues such as data leaks, security, data property, and privacy raise concerns. The data belongs to users, but they do not own and control them and are unaware of all services that consume them. One of the answers to the problem of users having to hand over their data to an IdP was given by the user-centric identity model [31] , illustrated in Figure 1 (c). The proposal is for the user to store access credentials issued by SPs in a personal authentication device, such as a smartcard or smartphone. The user authenticates to the personal authentication device using a PIN code or another method, and the authentication device, in turn, authenticates with the SP. Although this model advances privacy, allowing the user to control their access credentials, it does not address the management of user attributes or the incorporation of attributes guaranteed by third parties. The latter issue is of great relevance, as many SPs will only trust the value of attributes if they are issued by the IdPs they trust. For example, a car rental company will not accept a driver's license if the user issues it. Although a precise definition of SSI is still under debate, as discussed in [46] , [40] and [18] , the SSI literature solidifies the idea that the user should own and manage their data. In other words, both attributes and credentials, which can be self-signed or signed by third parties, must be controlled only by users, who present their data to SPs whenever they desire. This is depicted in Figure 1 (d). Therefore, users can choose to have few or many digital personas, and no silos of personal data are created. In 2016, Christopher Allen proposed ten guiding principles for SSI [1] , and although it is a blog post, it is treated as a whitepaper in the area [46] . The ten principles are as follows. (i) Existence; the user must exist independent of any service provider/identity provider. (ii) Control; the user must control their identities. (iii) Access; the user must always have access to their data. (iv) Transparency; all systems and algorithms must be transparent to the user. (v) Persistence; identities must be persisted. (vi) Portability; the services and information about the user's identity must be transportable. (vii) Interoperability; identities should have as wide a range of use as possible across different systems. (viii) Consent: The user must always consent to the usage of his identity data. (ix) Minimization; when necessary to show some information, always show as little as possible to accomplish the task. (x) Protection; users' rights must be protected. While it is possible to implement SSI without Blockchain [5] technology, using it brings significant benefits. For example, storing credential revocation schemes on the ledger brings high availability and an immutable record of revoked data. Another advantage is to remove third parties when establishing trust by allowing entities to be part of the network and prove they are who they say they are in novel ways. For instance, a customer physically accessing a bank agency scans a QR code posted on the wall and connects to the bank, thus not requiring the bank to have an x509 certificate within a PKI hierarchy nor an IANA-controlled DNS domain. Finally, using blockchain to implement SSI fosters an ontologically coherent ecosystem, as it publishes credential metadata that can be reused and augmented by all participants. This section introduces the fundamental concepts needed to understand this work. These are the decentralized identifiers, verifiable credentials standards, the concept of Zero-Knowledge Proofs (ZKP), and blockchain. SSI aims to give users control over their data. Part of this effort consists of ensuring that communications in peer-topeer relations do not involve third parties. However, trust in today's communications over the internet is rooted in thirdparty authorities: chains of certificates tied to root certificate authorities (CAs) chosen a priori by browsers and operating systems. The decentralized identifiers (DIDs) standard is being developed at W3C to mitigate the participation of authorities in communications and relationships in SSI [52] . DIDs are designed to operate independently of centralized registries, identity providers, and CAs. Every DID is linked to a unique DID document, a JSON structure that can be stored on-chain or off-chain, that describes an entity, specifying public keys, service endpoints, etc. For instance, an entity can be a person, a group, a relationship between entities, an organization, or an internet of things object [52] . The format of a DID identifier is a textual string composed of three parts separated by colons, where the first part is always DID; the second is a method identifier; the third is an entity identifier in this method. A DID method is a technique that describes the creation and management of method-specific identifiers and how to obtain their respective DID documents. For example, the did:indy method describes identifiers on Hyperledger Indy blockchains, while the did:key method describes identifiers generated from cryptographic keys. An example of DID address of this method is did:key:z6MkpTHR8VN sBxYAAWHut2Geadds9dVWtWAnuB. Working with user attributes is a crucial part of any system that operates with digital identities. Attributes are commonly organized into structures called credentials, which are also used for identification and authentication. A credential contains a set of one or more claims made by an issuer about an entity [40] . More formally, a credential is a set of claims and not attributes because claims can be false or represent an incomplete perception of the whole. In contrast, attributes are properties, i.e. absolute truths, of entities. Verifiable Credential (VC) is a set of claims and metadata that can cryptographically prove the identity of the issuer through a digital signature, providing integrity and authenticity [51] . VCs have metadata that describes the issuer, expiration date, public key, and revocation information. Regarding the latter, the cryptographic accumulator is often employed to create private-preserving revocation registries. The cryptographic accumulator is an algorithm that combines a set of values into one short accumulator, such that evidence is produced that the accumulator incorporated a given value without revealing it. [17] . Part of the W3C VC standard defines the verifiable presentation (VP) of claims [51] . VP is the process of revealing one or more claims to a verifier. The verifier may or may not trust the claims presented but must always be able to verify integrity and authenticity. VPs can also reveal the result of operators on claims, for instance, that someone's birth date was at least 18 years ago. This technique is called Zero-Knowledge Proof (ZKP). Zero-Knowledge Proof (ZKP) is a cryptographic protocol where one proves to someone else that they know a value, but without revealing any other information other than the fact that they know it [47] . Formally, ZKP is an interactive proofing system ( , ) for proving a language membership statement over a language = {0, 1} * with two actors, the prover and the verifier . To prove that an instance ∈ , and must share , denoted by ( , )( ). Then, and exchange a sequence of messages so that at the end of the interactions, the result is ( , )( ) ∈ { , }, representing the acceptance or not of for the statement of that ∈ [29] . ZKP schemes must have two properties [20] : (i) completeness, an interactive proof is complete if the participants are honest, i.e. follow the protocol correctly, and the protocol succeeds with overwhelming probability; and (ii) soundness, an interactive proof is sound if a dishonest prover can only mislead with negligible probability. ZKPs are not proofs in the mathematical sense as there is a small probability of convincing of a false statement. Thus, multiple protocol instances are used to reduce the likelihood to a negligible probability of convincing of a false statement. In the context of VCs, ZKPs are used to build VPs that convince the verifier about something concerning the claims it contains without revealing them. For instance, a driver's license was issued to me and is valid, or my credit score is higher than a given threshold. To reduce the communication between the prover and the verifier, Non-Interactive Zero-Knowledge Proof (NIZKP) [39] is used. NIZKP enables proofs to be built and sent via an out-of-band method, such as a QR code. This technique uses Fiat-Shamir paradigm [19] to remove interactions from the protocol. Most SSI systems [40] use distributed ledger technology to: (i) decentralize storage and, consequently, reduce authoritarian control over data; and (ii) have guaranteed immutability of the information stored in the ledger. Those features are possible because of the properties of blockchain data structures such as append-only hash lists and Merkle trees [38] . In a blockchain, blocks of data contain, together with its data, the hash of the previous block. Thus, to modify the data of a single block within a sequence of linked blocks (i.e. a chain), one would need to change all subsequent blocks. Having an append-only structure guarantees immutability on a local level. Nonetheless, this structure must be distributed in a network, and all participant nodes must agree on the correct values of the blocks. This agreement is achieved through a consensus algorithm. Most solutions for this problem are attempts on solving the Byzantine generals problem [34] . The most popular solution to this problem are algorithms based on proof of work, popularised by Bitcoin [41] . The undertaking of designing a credential for COVID vaccination is complex. Such a credential must comply with different actors from different areas, both local and international. Several study groups and collaborative efforts [21, 37, 55] were formed around the world to design or standardize these vaccination certificates. One such initiative, the Good Health Pass Collaborative (GHPC) [21] is a multisector initiative to create a blueprint for the interoperability of digital health pass systems [23] . In their first White Paper, the GHPC initiative defined four critical requirements that health credential systems must satisfy [22] : (i) the credential must be able to work across borders and comply with local and international legislation; (ii) the credential must have the collaboration of different areas such as health, governments, tourism, travel, etc; (iii) the credential must comply with privacy and data protection regulations and must be able to link to the credential holder; and (iv) the credential shall not add costs or other burdens to users. This work aims to comply with these requirements, adopting open-source tools and open standards as a way to make this technology available. SSI introduces essential ideas and principles regarding people's privacy. The ten principles are especially relevant in the contemporary context of the COVID-19 pandemic, which has accelerated the digitization of society and popularized the debate over the privacy of health data [32] . Based on the ten SSI principles, the concepts discussed above, and the requirements laid down by the GHPC, it is possible to tackle the challenge of allowing a person to prove their vaccination status while preserving their privacy. In other words, to prove whether or not one is vaccinated for a disease without revealing when or where they were vaccinated or even hide the laboratory that produced the vaccine. Our proposal for a proof of vaccination uses the concepts discussed above. It starts with a public or private entity previously authorized to administer vaccines, namely a vaccinator. It is registered on the blockchain to issue VCs for vaccinated people, i.e. the vaccinees. Since any entity on the blockchain can issue VCs, it is necessary to use VC issuing authorization schemes as proposed in [35] to ensure that only VCs issued by authorized entities are legitimately recognized. Figure 2 illustrates the three entities involved in our solution. The VC states the vaccinee's full name and date of birth, the laboratory that produced the administered vaccine, the applied dose (first, second, third, or more if applicable), and the date it was administered. Our VC format does not include country-specific identifiers, such as the SSN of USA or South Corea's Resident's Registration Number, for two reasons: (i) our solution is country independent; and (ii) there are countries with large numbers of unregistered citizens [9] . The vaccinee stores the VC in a digital wallet. This digital wallet can be a smartwatch, a smartphone app that uses a secure hardware element, or another Personal Assistant Device (PAD). Sending the VC from the vaccinator to the vaccinee takes place immediately after the act of vaccination through the most convenient and secure way for the user. For instance, if the PAD has Near Field Communication (NFC) and Bluetooth, NFC is favored because of the low range of the protocol. QR code scanning is also available. Regardless of the communication technology used to connect the digital wallet with the issuer, DIDs represent the entities involved and identify the relationship between these two entities. Note that the credential is held by the user in their wallet, causing no personal data to be stored on the blockchain, and therefore the system has no GDPR compliance obligations. Personal data are in possession of their owner, and their consent is required for sharing them. This arrangement makes it difficult for issuing organizations to track user data activities. In addition, in the hands of the owners, it is an excellent way to transport this data across borders without the need for substantial centralized data centers. When needed, the vaccinee can use her PAD's digital wallet to produce a VP, proving that she is vaccinated to a verifier. The user can customize the VP to have more or less personal data. In this way, the amount of exposed data can be adjusted to suit the context better. For instance, suppose the vaccinee does not wish to reveal the laboratory that produced her vaccine. In this case, she can create a VP using ZKP to prove that the value of the laboratory field on her VC is one of the values in a list of laboratories accepted by the verifier. Alternatively, the verifier might define the VP format. For instance, suppose that to access a social event such as a concert or play, the verifier (i.e. the entity responsible for the event) needs to ensure that participants have taken at least one dose of the COVID-19 vaccine. The verifier defines a VP request with a specific format in this case. They send it to the customers, who, through their digital wallets, accept or not to produce a VP following the requested format. An airline, however, may be obliged to demand complete vaccination of its passengers 14 days before the flight. In this case, the airline constructs a VP request for this context, and passengers agree or disagree to produce a VP when boarding the plane. Finally, the verifier validates the VP and chooses to trust it if they trust the vaccinator who issued the VC. Verifiers can confirm the authentication and authorization of vaccinators through the DID registered in the blockchain. The blockchain also stores the value of the cryptographic accumulator, which is used to create a revocation registry of VCs, which can be used if, for example, expired vaccine doses have been applied by mistake. The shift of focus regarding data ownership introduced by SSI allows us to propose a privacy-preserving digital vaccination pass. This section presents the tools and technologies adopted to realize our goal, an architectural overview of our system, and specific implementation details and results. We previously presented concepts, standards, and technologies, and now we discuss the tools employed in our solution and how they work. With regards to the blockchain, we use a blockchain specially created for identity management in the SSI model named Hyperledger Indy. It is an opensource project of the Hyperledger community that provides an ecosystem for SSI based on Blockchain [26] . The Indy distributed ledger consists of two subprojects, Indy-Plenum and Indy-Node. While the former is a general-purpose blockchain that implements the consensus algorithm, the latter is a specialization of the former, where identity-specific transactions are implemented [48] . It is important to note that Indy does not store personal data on the blockchain. The data saved on the ledger are DIDs of entities that issue VCs, their public keys, contact endpoints, a cryptographic accumulator value to serve as a revocation list, and VC schema metadata. Using blockchain here has different advantages. It is possible to create an international chain of trust through decentralization, with various governments issuing their lists of trusted DIDs. It also makes it challenging to have a point of failure that would stop the system. Also, a centralized personal and health data repository cannot be created because there is no personal data on the blockchain or elsewhere. To foster and facilitate the adoption of SSI, the Hyperledger community has also created Hyperledger Aries [28] . It is an abstraction layer above Indy, implementing methods to produce, transfer and store VCs and VPs independent of the blockchain solution below. Through this abstraction, developers can focus on business rules and not worry about implementation details. The abstraction layer that Aries introduces happens through a software agent called the Aries agent. The Aries agent interacts with other entities via DID Communication (DIDComm) or other communication protocols. DIDComm is a protocol that allows asynchronous communication of DIDs through encrypted messages [8] . Two parts make up the Aries agent, namely the agent and the controller. The former is responsible for creating, signing, and reading transactions on the blockchain, interacting with other agents, managing secure storage, creating and presenting VPs using ZKP, and exchanging messages with the controller. The latter implements business logic, indicating how the agent should respond to events. The agent and controller communicate via REST API. The agent sends HTTP webhook calls to the controller, which in turn analyzes and responds to the agent accordingly [27] . We have previously presented the three roles involved in the vaccine pass and their interactions. We now detail the architecture of our system and how these roles concretely interact using the technologies presented. Figure 3 shows the architecture of our system. First, it's important to note that the first time an organization instantiates our solution, some preparation is required. Specifically, an Aries agent must communicate with the Indy blockchain to: (i) record the DID of each health agency that will administer vaccines; (ii) define the format of the VCs that will be issued; and (iii) specify the revocation registration of the VCs. To ensure the chain of trust, DIDs issued to health agencies must be endorsed by the government or the responsible agency. The government then makes available a list of trusted DIDs, contributing to a global chain of trust. After carrying out the preparations described above, each health agency authorized to administer vaccines must control an Aries agent through software, mobile app, or website. The Aries agent can run on the same device that controls it or remotely from an organization's or third-party cloud data center. When a health agency representative vaccinates someone, an HTTP call via REST API is made to the health agency's agent requesting the issuance of a VC. The vaccinee's name and date of birth are sent in the request, along with information about the applied vaccine such as manufacturing laboratory, pathogen the vaccine fights, dose number, place, and date of application. The information sent to the agent can be customized. The Aries agent controlled by the health agency stores the private key of the entity it represents in a secure enclave and uses it to issue a VC for the received data. The newly created VC belongs to the vaccinee and must be forwarded to him. A peer-to-peer connection using DIDComm is made between the vaccinator's Aries agent and the vaccinee's digital wallet to transfer the VC. It is important to note that the blockchain only stores the value of the cryptographic accumulator, to prove the unrevoked status of the VC and nothing else. Finally, the vaccinee can create a VP to prove something about his VC as described earlier. The secure environment of the digital wallet creates the VP and sends it via DIDComm to the Aries agent of the verifier. The verifier's agent connects to Indy to check whether the VC that originated the VP is revoked or not. All data exchanges are private and peerto-peer, between issuer and holder and between holder and verifier. We employ the tools described above to implement a privacy-preserving solution to the problem of proving vaccination status, which is available online 2 . With regards to the blockchain, our prototype uses Sovrin, an implementation of Hyperledger Indy that acts as a network of interoperable SSI networks [50] . It is one of the first SSI offerings and perhaps the most studied [33, 40, 36] , allowing different SSI systems to share VC metadata and to interoperate, thus fostering the adoption of SSI. 2 URL omitted for peer-review We created two websites that adapt to desktops and mobile devices using HTML and JavaScript for the proof-of-concept implementation. The vaccinator operates one website to issue VCs, while the verifier uses the second website to define VP formats and present this request to vaccinees. We integrated the backend of each website with an Aries agent. We chose to use a proprietary Aries agent implementation called Verity because it is readily available and runs in the cloud. It is a product of Evernym, the company that created Indy and donated it to the Hyperledger Foundation [53] . Nonetheless, there are free and open-source Aries agents such as ACA-Py [25] . Once a vaccine is applied, the vaccine and vaccinee data are submitted to the vaccinator's website as shown in Figure 4 . In the background, the system requests its Aries agent to create a VC and transfer it to the vaccinee's digital wallet. The transference begins with the vaccinee reading a QR code that is returned by our application, as shown in Figure 5 . In our implementation, we used the digital wallet connect.me to perform the actions of a vaccinee [15] . There are a variety of free and paid digital wallets capable of receiving VCs and producing VPs [45] . Figure 6 (a) shows connect.me asking for user confirmation to either accept or deny connecting to the vaccinator after scanning the QR code. Although the wallet does not inform how this connection happens to the user, it is a peer-to-peer connection using DIDComm. Figure 6 (b) shows the wallet asking the vaccinee to accept or deny receiving their VC, which occurs immediately after confirming the incoming connection from the vaccinator. Upon acceptance, the vaccinee can use their digital wallet to produce VPs and prove their vaccination status. Establishing a biometric link between the wallet and the vaccinee is imperative in all transactions. For instance, when the issuer connects to the vaccinee to send a VC, the issuer must mandate that the wallet is secured with a biometric factor, such as fingerprint or facial recognition. Likewise, when the verifier checks a VP, the wallet that created the VP must be secured with a biometric factor, ensuring that the wallet holder is, in fact, the owner of the VC. In the connect.me wallet, blocking and unblocking by biometric factors is available. The interaction between vaccinee and verifier also begins through QR code, which we omit for lack of space. Figure 7 shows the verifier's interface, which defines a VP request format. The vaccinee will need to present the laboratory and pathogen their vaccinee fights, and the dose number must be greater than or equal to 1. Figure 8(a) shows how the digital wallet shows the VP request to the vaccinee. Finally, we show in Figure 8 (b) a VP request that the vaccinee cannot produce. In this case, the vaccinee is asked to prove that she has taken three or more vaccine doses for SARS-CoV-2. However, since no VC satisfies this requirement, the digital wallet cannot produce the VP for this request. Selective disclosure and ZKP allow the holder to produce specific VPs for each context. With ZKP, it is possible to issue a credential and create fully anonymous VPs. Such anonymity makes no sense in a context where the holder is already identified, e.g., at work or university, and VPs can be adapted to that. It is important to remark that all interactions of our system are contactless, helping with the necessary distancing measures to combat the pandemic. In early 2021, the Good Health Pass Collaborative (GHPC) was launched [21] with more than 25 companies and organizations from multiple sectors. In the second half of 2021, the GHPC initiative released its blueprint [23] with recommendations regarding credential and operational infrastructure. Design considerations and technical choices are based on five pillars: (i) individuals must be at the center of data exchange; (ii) the credential must allow the individual to provide evidence of their vaccination status; (iii) a decentralized approach is needed for global security and scalability; (iv) open standards are essential for interoperability and participation; and (v) pragmatic and realistic approach. The authors agree and adopt the recommendations of the GHPC for the elaboration of this work. In a similar effort, the World Health Organization (WHO) created the Digital Documentation of COVID-19 Certificates (DDCC) intending to establish standards for an architecture for digital vaccination certificates [55] . In the second half of 2021, the DDCC published a report [54] with the technical specifications and implementation guide for the COVID-19 certificates. The document assumes an existing Public Key Infrastructure (PKI) for each member state and proposes a digital counterpart to the paper certificate. It recognizes the importance of a global trust framework but does not detail how to implement a global health trust framework to store the public keys of member states. It is outside the report's scope to present technical features for the prospect of selec- tive disclosure. So, unlike our approach, DDCC is not concerned with implementing a global chain of trust or a certificate that cares about data anonymity. Similar to the WHO initiative, the European Union created the EU Digital COVID Certificate [13] . This initiative also uses PKI and certificates whose data come in plain text, without anonymity. The approach is feasible within the European Union with its own PKI. Still, acceptance in foreign countries is uncertain, depending on case-by-case interoperability agreements between nations. In addition to national and international institutions, several private companies have also created their versions of health passes, such as the BLOK Pass [4] and the Evernym Travel Pass [16] . Both initiatives follow SSI principles and keep users' data only on their smartphones. However, a digital vaccination pass must be open-source, enabling code transparency and making it possible for anyone to verify the system. Regarding academic efforts with similar objectives to this work, we present three research papers and point out their shortcomings. The authors of [10] acknowledge that proof of vaccination or robust antibody testing will be in high demand and question what format such a certificate should take. They claim that a digital certificate would make more sense as long as it is: (i) privacy-preserving; (ii) un-forgeable; (iii) easy to administer; (iv) easy to verify while preserving privacy; (v) scalable to millions of users; and (vi) cost-effective. To achieve these goals, the authors propose a mobile application that implements an architecture based on: (i) VC; (ii) the Solid [49] decentralized data platform, which stores (a) Digital wallet asks the vaccinee to share a VP. (b) Digital wallet is unable to create the requested VP. the VCs issued on the user's smartphone; and (iii) a private Ethereum blockchain that uses proof of authority [7] , where nodes are previously registered and authorized to confirm transactions. This solution, however, needs to register each user and each issued certificate in the blockchain, resulting in a high amount of transactions. Our solution does not require the blockchain for vaccinee registration and VC issuance, as it uses direct communication between the vaccinator and the vaccinee via DIDComm. In [24] the authors seek to solve the challenge of proposing an immunity pass using Blockchain, SSI, and re-encryption proxies [2] , which allow an encrypted message with the public key of to be decrypted with the private key of through a proxy that re-encrypts the ciphertext. The solution features smart contracts for the Ethereum Blockchain [12] . The patient's smart contract stores the hash of the vaccination and immunity records and travel history to perform contact tracing. However, as it is based on smart contracts in the Ethereum network, transactions have costs, although small, making it necessary for those involved to have financial resources available for execution. Lastly, the authors of [3] chose to demonstrate the use of blockchain to create immunity certificates for SARS-CoV-2 in a pre-vaccine period with a document that certifies that the individual has been infected and is immune. The authors claim that the use of "immunity licenses" could create restrictions on who can and cannot interact in social spaces, encouraging counterfeiting. Therefore, the paper proposes using a government-operated blockchain registry, although it does not specify which one. After an antibody test, the details are kept in a smart contract confidentially. Their proposal uses biometric authentication as a private key for the "account" of patients on the blockchain, and their data is encrypted with the biometric data of the tested patient. However, the work does not offer any empirical evidence of the functioning of the proposed system. SSI brings greater privacy, security, and ownership to user data than previous identity models. This work presents a system architecture that allows the issuance and verification of VCs based on SSI for proof of vaccination. Our implementation produces a VC with vaccination information that, through selective disclosure and ZKP, ensures proof of vaccination with a high level of privacy. While no single solution will be universally appropriate, researchers and practitioners can easily customize our system for different use cases by exchanging components such as digital wallets, blockchain, and software agents to their needs. The path to self-sovereign identity Improved proxy re-encryption schemes with applications to secure distributed storage Optimizing the implementation of covid-19 "immunity certificates" using blockchain Blok Bioscience ltd, 2022. A health passport with privacy by design Self-sovereign identity solutions The Health Insurance Portability and Accountability Act of 1996 (HIPAA) What is proof of authority consensus? staking your identity on the blockchain. Demand Solutions News Aries RFC 0434: Out-of-Band Protocol 1.1. Technical Report. Decentralized Identity Foundation The global identification challenge: Who are the 1 billion people without proof of identity Covid-19 antibody test/vaccination certification: There's an app for that A survey of user-centric identity management technologies Welcome to ethereum Regulation (eu) 2016/679 Introducing travel pass: The easiest, safest way to verify travel and health credentials Cryptographic accumulators: Definitions, constructions and applications In search of selfsovereign identity leveraging blockchain technology How to prove yourself: Practical solutions to identification and signature problems Definitions and properties of zeroknowledge proof systems Good Health Pass Collaborative, 2021a. Good health pass Good health pass: A safe path to global reopening Good Health Pass Collaborative, 2021c. Good health pass interoperability blueprint Blockchain-based solution for covid-19 digital medical passports and immunity certificates Aries cloud agent python code documentation Hyperledger indy. URL: https Becoming a indy/aries developer Hyperledger Foundation, 2020. Hyperledger aries Modification of diffie-hellman key exchange algorithm for zero knowledge proof IT Security and Privacy -A framework for identity management -Part 1: Terminology and concepts User centric identity management A survey on digital certificates approaches for the covid-19 pandemic Blockchain-Based Identity Management: A Survey From the Enterprise and Ecosystem Perspective The byzantine generals problem A-poa: Anonymous proof of authorization for decentralized identity management Blockchain Technology the Identity Management and Authentication Service Disruptor: A Survey Linux Foundation Public Health, 2021. Covid credentials initiative A digital signature based on a conventional encryption function Computationally sound proofs A survey on essential components of a self-sovereign identity Bitcoin: A peer-to-peer electronic cash system Excelsior pass and excelsior pass plus Decreto nº 60.488, de 27 de agosto de 2021 Coronavirus pandemic (covid-19) Ssi wallets Self-sovereign identity: A systematic map and review Efficient identification and signatures for smart cards Hyperledger indy public blockchain node with alexander shcherbakov Verifiable credentials data model 1 Decentralized identifiers (dids) The Inevitable Rise of Self-Sovereign Identity Rise-of-Self-Sovereign-Identity.pdf. Retrieved on Digital documentation of covid-19 certificates: vaccination status Smart vaccination certificate working group