...
The Voluntarily Platform should aim to pre-validate volunteers to avoid inviting people who would not be permitted to attend and help to streamline any onsite processes.
...
In the case of school events, an NZ Covid Pass would only be required for volunteers attending in person and not for remote/video contributions. Hence the status is not generic to all school events, only to those that use in-person volunteers.
The verified information is included in the person record:
```js
verified: [
  {
    status: 'verified',
    _id: '5f4439fd37643200114b4704',
    name: 'email',
    value: 'andrew@voluntarily.nz',
    createdAt: '2020-08-24T22:06:53.345Z',
    updatedAt: '2020-08-24T22:06:53.345Z'
  }
],
```
NZ COVID PASS - Getting a pass
...
People can also request a copy of their pass by phone on 0800 222 478 and have a physical (paper) copy sent in the mail. Pharmacies that are providing COVID-19 vaccinations can also help you request and print a My Vaccine Pass.
...
We can use the existing validation records to hold the vaccination status for a volunteer. To obtain the status we must view the NZ Covid Pass in some form. Currently there is no centralised API available to check a status, so the only option is to somehow read the pass via the Voluntarily website.
This process conforms to the Large Scale out of band verification workflow identified in the covid pass spec: https://github.com/minhealthnz/nzcovidpass-spec
...
Reading via the camera
To read via the camera, the website would need to run client-side JavaScript that can
...
We should be able to find the image in the PDF (or it is an entire image).
There’s a chance that the QR content is also placed in the PDF metadata; check using a reader. I looked, and this is not the case.
Using the script pdf-parser.py I decoded the elements in an example covid pass. The metadata in the record does not contain any useful information. The contents contain text strings, with associated fonts, and one image, obj185, that contains the QR code as a bitmap.
```
<<
/Type /XObject
/Subtype /Image
/BitsPerComponent 8
/Width 356
/Height 356
/ColorSpace /DeviceRGB
/Filter /FlateDecode
/Length 10107
>>
```
Cut and Paste from screen.
Similar to reading the PDF, but using screen tools to capture the QR code to the paste buffer and paste it onto the website. We receive just an image stream, but this is complicated for the user.
Bypassing Security
...
Manual Validation and update of the Volunteer status
Following the existing model for identity validation we may also provide an Admin function that allows a volunteer to gain the required status value following a manual (mobile app) check of the pass.
This might apply during a volunteer onboarding session where many people are signed up. In a single step the admin may view identity documents, validate the covid pass and update the person’s status using admin privileges. However, providing this function would add an API entry point to set the verification status that is not usually required.
Security
Most people choosing to volunteer will have the required vaccination status and no interest in bypassing the security model. The negative case is for an unvaccinated person (or not fully vaccinated) who still wants to volunteer and is prepared to violate the trust of the school, or has been generally using a fake covid pass that they believe is sufficient.
Intermediate cases:
The person has a valid pass that has expired: the person must be turned away or a local decision made.
The person is vaccinated but does not have a copy of their pass, or only has a paper copy: the person can be validated at the event and given temporary access.
The QR code appears OK but cannot be read accurately.
To actively fake a pass requires the creation of a QR code that passes the validation checks and returns a person's name and date of birth. As it is very difficult to generate the signed pass, it is most likely that the person hopes that the name is sufficient, or that they are able to get an independent ID in the name of the person vaccinated. As we independently check identity, this would not work on Voluntarily.
Exemptions
In the case of government approved exemptions we don’t have to take any decisions. If a person gains an exemption they will be issued a valid pass. The spec states:
The Pass provides a verifiable proof that the person named on the pass is considered vaccinated for COVID-19, until the pass expires.
A person is eligible for a My Vaccine Pass when they meet certain health requirements for COVID-19 vaccination. These requirements are evaluated at the time the person requests the pass. If the person meets the requirements, the pass will be issued and valid for a set period of time.
https://github.com/minhealthnz/nzcovidpass-spec
Hence the pass is sufficient for meeting the conditions of the traffic light system regardless of the underlying health or status.
You can request a My Vaccine Pass if you are aged 12 or over and:
have had 2 doses of the Pfizer or AstraZeneca COVID-19 vaccine in New Zealand, or
been vaccinated overseas with an approved vaccine, or
have a medical exemption.
User Interface
The primary entry point for all forms of validation is the personal profile page
...
Here we can expand the verify identity button or add a NZ Covid Pass specific button.
The next page is the acceptance of terms and conditions and code of conduct
...
We have the option here of adding a COVID or General health and safety principle.
The next step is preparation for hand over to the identity verification.
...
We can either add the COVID pass on the end of this process or more likely offer both entry points so that people can return later.
...
This page ideally should show whether the person is already verified.
The next step is after the hand off to cloudcheck live and is at url https://voluntarily.cloudcheck.co.nz/
...
On completion the cloudcheck site returns the updated verification, e.g. Name Confirmed.
...
The person record now contains a longer verified object.
```js
verified: [
  {
    status: 'verified',
    _id: '61a58a42dce92000125ddb14',
    name: 'name',
    value: {
      given: 'ANDREW',
      middle: 'VINCENT',
      family: 'WATKINS'
    },
    verificationReference: '0e07f79e-930d-4755-bc69-ed95032510bc',
    updatedAt: '2021-11-30T02:19:46.289Z',
    createdAt: '2021-11-30T02:19:46.289Z'
  },
  {
    status: 'verified',
    _id: '61a58a42dce92000125ddb15',
    name: 'dob',
    value: '1962-07-19',
    verificationReference: '0e07f79e-930d-4755-bc69-ed95032510bc',
    updatedAt: '2021-11-30T02:19:46.289Z',
    createdAt: '2021-11-30T02:19:46.289Z'
  },
  {
    status: 'not_verified',
    _id: '61a58a42dce92000125ddb16',
    name: 'address',
    value: {
      address: {
        city: '',
        street: '',
        postcode: '',
        suburb: ''
      },
      dateofbirth: '1962-07-19',
      dateofbirthChanged: false,
      name: {
        given: 'ANDREW',
        middle: 'VINCENT',
        family: 'WATKINS'
      },
      nameChanged: false
    },
    verificationReference: '0e07f79e-930d-4755-bc69-ed95032510bc',
    updatedAt: '2021-11-30T02:19:46.289Z',
    createdAt: '2021-11-30T02:19:46.289Z'
  },
  {
    status: 'verified',
    _id: '61a58a4296336600113bf708',
    name: 'email',
    value: 'andrew@voluntarily.nz',
    createdAt: '2021-11-30T02:19:46.716Z',
    updatedAt: '2021-11-30T02:19:46.716Z'
  }
],
dob: '2021-11-30T02:19:46.000Z',
```
Note: I think we have a bug when we set the dob in the main person record. It looks like we have picked up the verification date rather than the date of birth.
The additional record would be a mix of our verification object and the data from the QR code.
```js
{
  status: 'verified',
  _id: '61a58a42dce92000125ddb15',
  name: 'nz-covid-pass',
  value: {
    "givenName": "Jack",
    "familyName": "Sparrow",
    "dob": "1960-04-16"
  },
  "iss": "did:web:nzcp.covid19.health.nz",
  "nbf": 1635883530,
  "exp": 1951416330,
  "jti": "urn:uuid:60a4f54d-4e30-4332-be33-ad78b1eafa4b",
  updatedAt: '2021-11-30T02:19:46.289Z',
  createdAt: '2021-11-30T02:19:46.289Z'
},
```
Test verified status
The file api/personalVerification/verified.js provides a set of isXxxxVerified() functions that allow testing of the user verification record - this is simple to extend to include isNzCovidPassVerified().
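One way such a check could look, as an added example rather than the project's own code: the name `isNzCovidPassVerified` comes from the text above, while `nzCovidPassStatus`, `findVerified`, the reason strings and the `samplePerson` data are assumptions. It goes beyond a plain status lookup by also enforcing the `nbf`/`exp` window and matching the pass holder against the independently verified name and date of birth.

```javascript
// Added example: hypothetical helper, not the code in verified.js.
// Assumes the pass signature was already checked before the record was stored.
const NZCP_ISSUER = 'did:web:nzcp.covid19.health.nz' // issuer from the sample record

const findVerified = (person, name) =>
  ((person && person.verified) || []).find(v => v.name === name && v.status === 'verified')

const norm = s => String(s || '').trim().toUpperCase()

// Returns { ok, reason } so the UI can tell an expired pass from a missing one.
const nzCovidPassStatus = (person, now = new Date()) => {
  const pass = findVerified(person, 'nz-covid-pass')
  if (!pass) return { ok: false, reason: 'no-pass' }
  if (pass.iss !== NZCP_ISSUER) return { ok: false, reason: 'bad-issuer' }

  // nbf and exp are seconds since the Unix epoch, as in the sample record.
  if (typeof pass.nbf !== 'number' || typeof pass.exp !== 'number') {
    return { ok: false, reason: 'bad-dates' }
  }
  const t = Math.floor(now.getTime() / 1000)
  if (t < pass.nbf) return { ok: false, reason: 'not-yet-valid' }
  if (t >= pass.exp) return { ok: false, reason: 'expired' }

  // Bind the pass to the identity that was verified independently.
  const name = findVerified(person, 'name')
  const dob = findVerified(person, 'dob')
  if (!name || !dob) return { ok: false, reason: 'identity-not-verified' }
  const holder = pass.value || {}
  const id = name.value || {}
  const sameName = norm(holder.givenName) === norm(id.given) &&
    norm(holder.familyName) === norm(id.family)
  if (!sameName || holder.dob !== dob.value) return { ok: false, reason: 'identity-mismatch' }
  return { ok: true, reason: 'verified' }
}

const isNzCovidPassVerified = (person, now) => nzCovidPassStatus(person, now).ok

// Constructed sample person using the record shapes shown on this page.
const samplePerson = {
  verified: [
    { status: 'verified', name: 'name', value: { given: 'JACK', middle: '', family: 'SPARROW' } },
    { status: 'verified', name: 'dob', value: '1960-04-16' },
    { status: 'verified', name: 'nz-covid-pass', iss: NZCP_ISSUER, nbf: 1635883530, exp: 1951416330,
      value: { givenName: 'Jack', familyName: 'Sparrow', dob: '1960-04-16' } }
  ]
}
```

Evaluating the time window on every call, rather than only when the record is stored, means an expired pass stops counting without any record update.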
Display Verification status
The existing method of showing verified is to show a single green shield icon with a numeric value - 0,1,2,3 etc showing the level where:
```js
const VerificationLevel = {
  NOT_OK: -1, // vet completed - not ok.
  // NONE: 0,
  EMAIL: 1, // email verified
  NAME: 2, // name verified (includes dob)
  ADDRESS: 3, // address verified
  VET_STARTED: 4, // police vet started
  VETTED: 5 // police vet completed ok
}
```
The NZ COVID pass status is independent of this list so cannot be combined into a single level unless we use bit patterns.
Currently the PersonVerificationBadge scans the list of verifications and just shows the highest level.
```jsx
export const PersonVerificationBadge = ({ person }) => {
  if (!person) return null
  const levels = getVerificationLevels(person)
  const score = Math.max(...levels)
  if (score <= 0) { return null }
  return (
    <Popover content={<PersonVerification levels={levels} />} title={popoverTitle} trigger='hover'>
      <VerificationBadge>
        <Icon component={ShieldSvg} score={score} />
      </VerificationBadge>
    </Popover>
  )
}
```
We can extend this to show a second icon beside the shield, using the isNzCovidPassVerified() test directly and a suitable icon.
...
Apply status to volunteering
Implementation
Work required
UI Design - clarify where we inject the COVID pass
Text for dialogs.
Start validation entry page - see verification/safety for model.
Add isNZCovidPassVerified function.
Add Icon to profile badges.