Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

https://voluntarily.atlassian.net/browse/VP-1894

To enter a school site a volunteer must have a current COVID-19 vaccine certificate. (NZ COVID Pass). This is not optional under current (Traffic light) settings.

The Voluntarily Platform should pre-validate volunteers to avoid inviting people who would not be permitted to attend and help to streamline any onsite processes.

Each school will probably have its own onsite procedure for scanning and checking the pass including:

  • Volunteer shows QR code on mobile or paper copy - scanned by mobile app and compared to volunteer’s ID.

  • Staff manually view the NZ COVID Pass - trusting it and comparing name to the volunteer/visitor.

The design of the NZ COVID Pass means that full confidence that the holder has been fully vaccinated occurs only if the the pass:

  • contains a data record that validates against the NZ govt signature public keys.

  • has not expired or been invalidated due to key changes

  • shows a name and dob that correspond to independent photo ID held by the visitor. e.g. Drivers Licence.

Manually viewing the pass is apparently allowed but this obviates any security and would only make sense if the pass holder had been previously fully verified. e.g a returning visitor or staff member.

Existing identity Verification.

Voluntarily.nz already provides mechanisms to validate the identity and police check status of potential volunteers. These are carried out with the support of a third party software service (CloudCheck) The identify verification process

Identity status is shown using icons on the website associated with a person’s username. A shield is shown with a popup hover box indicating the status e.g. email-verified. identity-verified etc.

When a opportunity has a specific requirement e.g. verified status, vaccinated status then volunteers are not given the option of volunteering on the site unless they have matching or better status. In addition the status of offering volunteers should be shown to the requestor/asker to allow them to confirm such status even if it is not set as mandatory.

In the case of schools events an NZ Covid Pass would only be required for volunteers attending in person and not for remote/video contributions hence the status is not generic to all school events - only those that are using in person volunteers.

The verified information is included in the person record

 verified: [
  {
    status: 'verified',
    _id: '5f4439fd37643200114b4704',
    name: 'email',
    value: 'andrew@voluntarily.nz',
    createdAt: '2020-08-24T22:06:53.345Z',
    updatedAt: '2020-08-24T22:06:53.345Z'
  }
],

NZ COVID PASS - Getting a pass

On completing vaccination a person can visit https://mycovidrecord.health.nz/ Here they have to register and login to gain access to their vaccination status.

The registration process requires signing up for a MyHealth account with the Ministry of Health

This account requires a validated identity. which is achieved either by providing identity documents (Passport, Drivers License) during the sign up process or by already having a validated RealMe Account

This online verification may be considered a high barrier to entry - its a complex process that requires showing documents to a mobile phone or laptop camera, or visiting a Post Office with documents. Many people will choose not to do this. However, as the covid pass is required to gain access to many events and venues we might reasonably expect our volunteers to have already taken this step. They will recognise the same process when we validate their identity.

Once signed in the person can view their vaccination status and request a pass. The pass is not downloaded - it is sent by email as a PDF attachment.

People can also request a copy of their pass on the phone  0800 222 478 and receive a physical (paper) copy to be sent in the mail. Pharmacies that are providing COVID-19 vaccinations can also help you request and print a My Vaccine Pass. 

The pass looks like this. The QR code decodes to a JSON object containing name/dob, expiry and some metadata.

Pre Validating the NZ COVID PASS

We can use the existing validation records to hold the vaccination status for a volunteer. To obtain the status we must view in some form the NZ Covid Pass. Currently there is no centralised API available to check a status so the only option is to somehow read the pass via the Voluntarily website.

This process conforms to the Large Scale out of band verification workflow identified in the covid pass spec https://github.com/minhealthnz/nzcovidpass-spec

Reading via the camera

To read by the camera the website would need to run client side javascript that can

  • gain permission to access the camera

  • start the camera

  • prompt the person to position the QR code on the screen

  • capture the image and send for validation.

The Vaxx.nz group (walt, ilya etc) have a prototype web based validator. However there are problems.

  • iOS wallet display of the QR code is too small to read

  • error/fail rate is high.

Reading the PDF directly

To read the PDF the person can drag/drop or attach their pass to their profile. This can be uploaded in the same fashion as their avatar photo. On the server side we can open the PDF and try to identify the QR Code.

  • We should be able to find the image in the PDF ( or it is an entire image)

  • There’s a chance that the QR content is also placed in the PDF metadata. - I looked, this is not the case.

using script pdf-parser.py I decoded the elements in an example covid pass. The metadata in the record does not contain any useful information. The contents contain text strings - with associated font, and one image obj185 that contains the QR Code as an RGB Byte array.

Cut and Paste from screen.

Similar to reading the PDF but using screen tools to capture the qr code to the paste buffer and paste onto the website. - we receive just an image stream. but complicated for the user.

Manual Validation and update of the Volunteer status

Following the existing model for identity validation we may also provide an Admin function that allows a volunteer to gain the required status value following a manual (mobile app) check of the pass.

This might apply during a volunteer onboarding session where many people are signed up. In a single step the admin may view identity documents, validate the covid pass and update the person’s status using admin privileges. However to provide this function would add an API entry point to set the verification status that is not usually required.

Security

Most people choosing to volunteer will have the required vaccination status and no interest in bypassing the security model. The negative case is for an unvaccinated person (or not fully vaccinated) who still wants to volunteer and is prepared to violate the trust of the school, or has been generally using a fake covid pass that they believe is sufficient.

Intermediate cases:

  • person has a valid pass that has expired - the person must be turned away or a local decision made.

  • the person is vaccinated but does not have a copy of their pass. or only has a paper copy. - the person can be validated at the event and given temporary access.

  • QR code appears ok but cannot be read accurately

To actively fake a pass requires the creation of a QR code that passes the validation checks and returns a persons name and dob. As it is very difficult to generate the signed pass it is most likely that the person hopes that the name is sufficient or they are able to get an independent ID in the name of the person vaccinated. As we independently check identity this would not work on voluntarily.

Exemptions

In the case of government approved exemptions we don’t have to take any decisions. If a person gains an exemption they will be issued a valid pass. The spec states

The Pass provides a verifiable proof that the person named on the pass is considered vaccinated for COVID-19, until the pass expires.
A person is eligible for a My Vaccine Pass when they meet certain health requirements for COVID-19 vaccination. These requirements are evaluated at the time the person requests the pass. If the person meets the requirements, the pass will be issued and valid for a set period of time.

https://github.com/minhealthnz/nzcovidpass-spec

Hence the pass is sufficient for meeting the conditions of the traffic light system regardless of the underlying health or status.

You can request a My Vaccine Pass if you are aged 12 or over and:

  • have had 2 doses of the Pfizer or AstraZeneca COVID-19 vaccine in New Zealand, or

  • been vaccinated overseas with an approved vaccine, or

  • have a medical exemption.

User Interface

The primary entry point for all forms of validation is the personal profile page

Here we can expand the verify identity button or add a NZ Covid Pass specific button.

The next page is the acceptance of terms and conditions and code of conduct

We have the option here of adding a COVID or General health and safety principle.

The next step is preparation for hand over to the identify verification.

We can either add the COVID pass on the end of this process or more likely offer both entry points so that people can return later.

This page ideally should show whether the person is already verified.

The next step is after the hand off to cloudcheck live and is at url https://voluntarily.cloudcheck.co.nz/

On completion the cloudcheck site returns the updated verification. e.g Name Confirmed.

The person record now contains a longer verified object.

verified: [
        {
          status: 'verified',
          _id: '61a58a42dce92000125ddb14',
          name: 'name',
          value: {
            given: 'ANDREW',
            middle: 'VINCENT',
            family: 'WATKINS'
          },
          verificationReference: '0e07f79e-930d-4755-bc69-ed95032510bc',
          updatedAt: '2021-11-30T02:19:46.289Z',
          createdAt: '2021-11-30T02:19:46.289Z'
        },
        {
          status: 'verified',
          _id: '61a58a42dce92000125ddb15',
          name: 'dob',
          value: '1962-07-19',
          verificationReference: '0e07f79e-930d-4755-bc69-ed95032510bc',
          updatedAt: '2021-11-30T02:19:46.289Z',
          createdAt: '2021-11-30T02:19:46.289Z'
        },
        {
          status: 'not_verified',
          _id: '61a58a42dce92000125ddb16',
          name: 'address',
          value: {
            address: {
              city: '',
              street: '',
              postcode: '',
              suburb: ''
            },
            dateofbirth: '1962-07-19',
            dateofbirthChanged: false,
            name: {
              given: 'ANDREW',
              middle: 'VINCENT',
              family: 'WATKINS'
            },
            nameChanged: false
          },
          verificationReference: '0e07f79e-930d-4755-bc69-ed95032510bc',
          updatedAt: '2021-11-30T02:19:46.289Z',
          createdAt: '2021-11-30T02:19:46.289Z'
        },
        {
          status: 'verified',
          _id: '61a58a4296336600113bf708',
          name: 'email',
          value: 'andrew@voluntarily.nz',
          createdAt: '2021-11-30T02:19:46.716Z',
          updatedAt: '2021-11-30T02:19:46.716Z'
        }
      ],
      dob: '2021-11-30T02:19:46.000Z',

I think we have a bug when we set the dob in the main person record. It looks like we have picked up the verification date rather than the date of birth.

The additional record would be a mix of our verification object and the data from the QR code.

        {
          status: 'verified',
          _id: '61a58a42dce92000125ddb15',
          name: 'nz-covid-pass',
          value:  {
            "givenName": "Jack",
            "familyName": "Sparrow",
            "dob": "1960-04-16"
          },
          "iss": "did:web:nzcp.covid19.health.nz",
          "nbf": 1635883530,
          "exp": 1951416330,
          "jti": "urn:uuid:60a4f54d-4e30-4332-be33-ad78b1eafa4b",
          updatedAt: '2021-11-30T02:19:46.289Z',
          createdAt: '2021-11-30T02:19:46.289Z'
        },

Test verified status

The file api/personalVerification/verified.js provides a set of isXxxxVerified() functions that allow testing of the user verification record - this is simple to extend to include isNzCovidPassVerified().

Display Verification status

The existing method of showing verified is to show a single green shield icon with a numeric value - 0,1,2,3 etc showing the level where:

const VerificationLevel = {
  NOT_OK: -1, // vet completed - not ok.
  // NONE: 0,
  EMAIL: 1, // email verified
  NAME: 2, // name verified (includes dob)
  ADDRESS: 3, // address verified
  VET_STARTED: 4, // police vet started
  VETTED: 5 // police vet completed ok
}

The NZ COVID pass status is independent of this list so cannot be combined into a single level unless we use bit patterns.

Currently the PersonVerificationBadge scans the list of verifications and just shows the highest level.

export const PersonVerificationBadge = ({ person }) => {
  if (!person) return null
  const levels = getVerificationLevels(person)
  const score = Math.max(...levels)
  if (score <= 0) { return null }

  return (
    <Popover content={<PersonVerification levels={levels} />} title={popoverTitle} trigger='hover'>
      <VerificationBadge>
        <Icon component={ShieldSvg} score={score} />
      </VerificationBadge>
    </Popover>
  )
}

We can extend this to show a second icon beside the shield. using the isNzCovidPassVerified() test directly and a suitable icon


Apply status to volunteering

We need to show the status of each person volunteering to the requestor of each opportunity. This is visible in the Manage tab of the opportunity where the volunteers are listed and can be accepted.

Here we can also show the verified status badges. We might also mark the row or grey out the accept button. Usually people should not get this far but that depends on the op having a suitable requirement marked.

How does an opportunity indicate its verification requirements?

The Op or template Act record must flag the required verification level. This requires a selection box (or set of check boxes on the form )

The result is stored in the Opportunity record. ( VerificationRequirements ) This should be an array of validation settings (not a single level) so that we can match all the requirements with the volunteer. If all reqs match we can enable the volunteer button - if some match we should list what the volunteer needs to do to be eligible and where to start - Verify link.

Implementation

Work required

  • UI Design - clarify where we inject the COVID pass

  • Text for dialogs.

  • Start validation entry page - see verification/safety for model.

  • Add isNZCovidPassVerified function

  • Add Icon to profile badges.

    • Hover should expiry date

    • change representation if expired or close to expiry

  • Code to extract image from PDF

  • code to convert QR code byte array to decodable byte string.

  • obtain & Cache updated valid public keys from the MOH source site.

  • decode QR Code & validate

  • update Person record or set record to show an error.

  • Show verification status on Manage opportunity volunteer list.

  • Add verify requirements check list to Opp and Activity

  • check requirements with volunteer and Enable volunteer button if matched - otherwise show what needs to be done.

  • No labels