...

To enter a school site a volunteer must have a current COVID-19 vaccine certificate (NZ COVID Pass). This is not optional under current (Traffic light, Nov 2021) settings. This paper describes the changes required to include checking of NZ COVID Pass certificates using the Voluntarily platform.

Info

GOAL: The Voluntarily Platform should pre-validate volunteers to avoid inviting people who would not be permitted to attend and help to streamline any onsite validation processes.

Each school will probably have its own onsite procedure for scanning and checking the pass including:

  • Volunteer shows QR code on mobile or paper copy - scanned by mobile app and compared to volunteer’s ID.

  • Staff manually view the NZ COVID Pass - trusting it and comparing name to the volunteer/visitor.

The design of the NZ COVID Pass means that full confidence that the holder has been fully vaccinated occurs only if the pass:

  • contains a data record that validates against the NZ govt signature public keys.

  • has not expired or been invalidated due to key changes

  • shows a name and dob that correspond to independent photo ID held by the visitor. e.g. Drivers Licence.

Manually viewing the pass is apparently allowed, but this bypasses the pass's security checks and would only make sense if the pass holder had previously been fully verified, e.g. a returning visitor or staff member.

NZ Covid Pass specification: https://nzcp.covid19.health.nz/

Schools and other volunteering venues are required to verify that volunteers and attendees meet the requirements of the current COVID control system. This includes verifying that people have a valid NZ COVID Pass as well as managing PPE and physical distancing requirements.

A typical onsite process would be:

  • Volunteer shows the NZ COVID Pass QR code on a digital or paper copy. This is scanned with a mobile or web application on entry and the name and date of birth are compared to a separate identity document provided by the visitor, e.g. Drivers Licence, Passport etc.

  • Sites also have the choice of validating only a random subset of visitors and manually viewing the NZ COVID Pass - trusting it and comparing name to the volunteer/visitor.

To avoid volunteers turning up at events without a pass, Voluntarily should pre-validate the volunteer's status using similar mechanisms to the identity and police check verification.

Existing identity Verification.

...

Using the script pdf-parser.py I decoded the elements in an example COVID pass. The metadata in the record does not contain any useful information. The contents contain text strings - with associated font, and one image obj185 that contains the QR Code as a bitmap.

Code Block
<</Type /XObject
/Subtype /Image
/BitsPerComponent 8
/Width 356
/Height 356
/ColorSpace /DeviceRGB
/Filter /FlateDecode
/Length 10107

an RGB Byte array.

Cut and Paste from screen.

...

To actively fake a pass requires the creation of a QR code that passes the validation checks and returns a person's name and dob. As it is very difficult to generate the signed pass, it is most likely that the person hopes that the name is sufficient or that they are able to get an independent ID in the name of the person vaccinated. As we independently check identity this would not work for Voluntarily.

...

Privacy

There are strict rules about storing personal health information. But the spec implies we can save the registration that the person has been checked and when we might want to ask again.

...

Exemptions

In the case of government approved exemptions we don’t have to take any decisions. If a person gains an exemption they will be issued a valid pass. The spec states

...

The next step is after the hand off to cloudcheck live and is at url https://voluntarily.cloudcheck.co.nz/

...

On completion the cloudcheck site returns the updated verification, e.g. Name Confirmed.

...

The additional record would be a mix of our verification object. This is only written if both the pass decodes correctly and the data from the QR code matches the person’s name, so we don’t store anything other than the pass validated and the expiry date.

Code Block
        {
          status: 'verified',
          _id: '61a58a42dce92000125ddb15',
          name: 'nz-covid-pass',
          "nbf": 1635883530,
          "exp": 1951416330,
          updatedAt: '2021-11-30T02:19:46.289Z',
          createdAt: '2021-11-30T02:19:46.289Z'
        },
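
The checks that gate writing this record, as an added example (not Voluntarily's own code). The function name, the shape of the decoded `claims` object and the `identity` object are assumptions, and the pass signature is assumed to have been validated against the published keys before this runs.

```javascript
// Added example: hypothetical helper; signature validation is assumed done upstream.
const NZCP_ISSUER = 'did:web:nzcp.covid19.health.nz' // issuer value shown on this page

// Fold case, accents and spacing so "Jack  SPARROW" and "jack sparrow" compare equal.
const normalise = (s) => String(s ?? '')
  .normalize('NFKD')
  .replace(/[\u0300-\u036f]/g, '')
  .toLowerCase()
  .replace(/\s+/g, ' ')
  .trim()

function buildPassVerification (claims, identity, nowSec = Math.floor(Date.now() / 1000)) {
  const fail = (reason) => ({ ok: false, reason })
  const id = identity || {}
  if (!claims || claims.iss !== NZCP_ISSUER) return fail('untrusted-issuer')
  if (!Number.isInteger(claims.nbf) || !Number.isInteger(claims.exp)) return fail('bad-dates')
  if (nowSec < claims.nbf) return fail('not-yet-valid')
  if (nowSec >= claims.exp) return fail('expired')

  // Compare the pass holder with the already identity-verified person.
  const s = claims.subject || {}
  const sameName = normalise(s.givenName) !== '' &&
    normalise(s.givenName) === normalise(id.givenName) &&
    normalise(s.familyName) === normalise(id.familyName)
  if (!sameName || !s.dob || s.dob !== id.dob) return fail('identity-mismatch')

  // Data minimisation: keep only the outcome and validity window, never name, dob or jti.
  return {
    ok: true,
    record: { status: 'verified', name: 'nz-covid-pass', nbf: claims.nbf, exp: claims.exp }
  }
}
```

The failure reasons are returned rather than thrown so they can be stored separately from the person's verification list.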

Display Verification status

The existing method of showing verified is to show a single green shield icon with a numeric value - 0,1,2,3 etc showing the level where:

Code Block
const VerificationLevel = {
  NOT_OK: -1, // vet completed - not ok.
  // NONE: 0,
  EMAIL: 1, // email verified
  NAME: 2, // name verified (includes dob)
  ADDRESS: 3, // address verified
  VET_STARTED: 4, // police vet started
  VETTED: 5 // police vet completed ok
}

The NZ COVID pass status is independent of this list so cannot be combined into a single level unless we use bit patterns.

Currently the PersonVerificationBadge scans the list of verifications and just shows the highest level.

Code Block
export const PersonVerificationBadge = ({ person }) => {
  if (!person) return null
  const levels = getVerificationLevels(person)
  const score = Math.max(...levels)
  if (score <= 0) { return null }

  return (
    <Popover content={<PersonVerification levels={levels} />} title={popoverTitle} trigger='hover'>
      <VerificationBadge>
        <Icon component={ShieldSvg} score={score} />
      </VerificationBadge>
    </Popover>
  )
}

We can extend this to show a second icon beside the shield, using the isNzCovidPassVerified() test directly and a suitable icon.

...

Test verified status

The file api/personalVerification/verified.js provides a set of isXxxxVerified() functions that allow testing of the user verification record - this is simple to extend to include isNzCovidPassVerified().

This test checks for a validation record and that it has not expired.

Display Verification status

Currently the PersonVerificationBadge scans the list of verifications and just shows the highest level. However as COVID pass is independent the badge should be made more direct - showing each status.

...


Apply status to volunteering

We need to show the status of each person volunteering to the requestor of each opportunity. This is visible in the Manage tab of the opportunity where the volunteers are listed and can be accepted.

Here we can also show the verified status badges. We might also mark the row or grey out the accept button. Usually people should not get this far but that depends on the op having a suitable requirement marked.

...

How does an opportunity indicate its verification requirements?

The Op or template Act record must flag the required verification level. This requires a selection box (or set of check boxes on the form).

e.g.

To participate in this event volunteers require which of these checks?

  •  📧 Email verified
  •  📛 Name & age verified
  •  😷 NZ COVID Pass verified
  •  👮‍♀️ Police Vet.

The result is stored in the Opportunity record as an array of verification requirements.

We might assume that everyone has to be email verified to be a volunteer, so we can leave that off the requirements list.

How does a volunteer know the verification requirements?

The set of verification requirements should be shown in the summary and detail of an opportunity.

In the summary we can show this in the table following the date as an icon list. If the icon is hovered it should say [ NZ COVID Pass required ]. The icons might follow the location as they appear to be specific to the venue.

...

The offer to help button is the common entry point for a volunteer to indicate their interest in an opportunity. Clicking the button pops up a short dialog

...

Rather than disable the offer to help button we should at this point compare the volunteer's validation with those required for the task. If they match or exceed then we should show the Thanks for helping out dialog above. If they do not match we should show a similar dialog detailing what is required.

Thanks for Volunteering X

...

For this event you need to be:

(tick) email verified

(tick) name verified

(error) NZ COVID Pass verified - (Get Covid pass Button)

(error) Police Checked. (Start Police Check Button)
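
One way to implement the expiry-aware isNzCovidPassVerified() test and the requirements match behind this dialog, as an added example (not code from the Voluntarily repository). The `person.verified` array, the `op.requirements` field, the requirement names and the function signatures are assumptions.

```javascript
// Added example: record names, op.requirements and function signatures are assumptions.
const nowSeconds = () => Math.floor(Date.now() / 1000)

const hasVerified = (person, name) =>
  (person.verified || []).some(v => v.name === name && v.status === 'verified')

// True only while a stored pass record is inside its nbf/exp validity window.
function isNzCovidPassVerified (person, atSec = nowSeconds()) {
  return (person.verified || []).some(v =>
    v.name === 'nz-covid-pass' && v.status === 'verified' &&
    Number.isInteger(v.nbf) && Number.isInteger(v.exp) &&
    v.nbf <= atSec && atSec < v.exp)
}

// A Map (not a plain object) so names like 'constructor' cannot resolve to a check.
const CHECKS = new Map([
  ['email', (p) => hasVerified(p, 'email')],
  ['name', (p) => hasVerified(p, 'name')],
  ['nz-covid-pass', (p, at) => isNzCovidPassVerified(p, at)],
  ['police-vet', (p) => hasVerified(p, 'police-vet')]
])

function matchRequirements (person, op, atSec = nowSeconds()) {
  const identityOk = hasVerified(person, 'name')
  const items = (op.requirements || []).map(requirement => {
    const check = CHECKS.get(requirement)
    const met = check ? check(person, atSec) : false // unknown requirement fails closed
    const item = { requirement, met }
    // The COVID pass flow compares names, so it can only start after the identity check.
    if (requirement === 'nz-covid-pass' && !met) item.canStart = identityOk
    return item
  })
  return { allowed: items.every(i => i.met), items }
}
```

Passing the event start time as `atSec` instead of the current time also catches a pass that is valid today but will have expired by the day of the event.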

Implementation

Work required

  • UI Design - clarify where we inject the COVID pass

  • design standard set of icons for the verification states.

  • confirm Text for dialogs.

  • Start validation entry page, purpose & instructions - see verification/safety for model. must do identity check first.

  • Upload NZ Covid Pass PDF to server.

  • Verify pass

    • Code to extract image from PDF

    • code to convert QR code byte array to decodable byte string.

    • obtain & Cache updated valid public keys from the MOH source site.

    • decode QR Code & validate

    • confirm names match with identity verification.

    • write record to person verification - store errors somewhere.

    • remove uploaded file.

  • Add isNZCovidPassVerified function - include expiry check.

  • Add Icon to profile badges.

    • Hover should show expiry date

    • change representation if expired or close to expiry

  • Add verification badges to Manage opportunity volunteer list.

  • Add verify requirements check list to Opp and Activity Forms

  • store verify requirements in Op record & schema

  • Show verify requirements on Op (and Act) summaries.

  • function to match verify requirements for volunteer & op.

  • RegisterInterestItem dialog to show match between requirements and actual with buttons to complete verification. - Only enable COVID button if identity available.

  • Perhaps add to onboarding flow?