
Not just Serbia: EU countries have implemented an interoperable vaccination/testing certificate system that relies on digital signatures.

https://ec.europa.eu/info/live-work-travel-eu/coronavirus-re...




But Serbia's system seems flawed, the EU system has all the data encoded in the QR-code, including name, the date the test was performed, the sort of test (PCR or antigen), and the result, plus a digital signature to prevent changing of those fields. And the QR code is given to the person and is static. The app that checks it checks that the document hasn't been modified by verifying the digital signature. What Serbia seems to have done is to have a PDF with the timestamp, and QR code which goes to a website showing a database entry with no timestamp (except for the URL which apparently does contain a Unix timestamp, but that's not authoritative nor easily parsable by humans).

So if I got a negative test in July and a positive one yesterday, and I want to fly somewhere, it seems I can just copy the QR code from the test in July and paste it into a Word document that says "The test was performed on January 10, 2022, and the result is available through this link: [QR code with the link to the results from July 2021]". And it seems this document doctoring (with a document with a result that allows unvaxed entry) is what Team Djokovic has done.
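
The difference described in the comment above, as an added example that is not part of the thread and is not the EU or Serbian implementation: when the test date sits inside the signed payload, the verifier reads the date from the signature-covered fields and ignores whatever is printed around the QR code. HMAC with a constructed key stands in for the issuer's public-key signature so the sketch runs on the standard library alone; the field names, sample dates and 72-hour window are assumptions.

```python
import base64, hashlib, hmac, json
from datetime import datetime, timedelta, timezone

ISSUER_KEY = b"constructed-demo-key"  # constructed; HMAC stands in for a real signature
MAX_AGE = timedelta(hours=72)         # assumed acceptance window, not from the thread

def _b64(data):
    return base64.urlsafe_b64encode(data).decode()

def issue(name, test_type, result, sampled_at):
    """Issuer side: serialise all fields, date included, and sign them together."""
    payload = json.dumps({"name": name, "type": test_type, "result": result,
                          "sampled_at": sampled_at.isoformat()},
                         sort_keys=True).encode()
    tag = hmac.new(ISSUER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)

def verify(token, now):
    """Verifier side: trust only fields covered by the signature."""
    try:
        p64, t64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
    except ValueError:                # wrong shape or bad base64
        return False, "malformed"
    expected = hmac.new(ISSUER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad signature"
    fields = json.loads(payload)
    if fields["result"] != "negative":
        return False, "not negative"
    # Freshness is judged on the signed date, never on surrounding text.
    age = now - datetime.fromisoformat(fields["sampled_at"])
    if not timedelta(0) <= age <= MAX_AGE:
        return False, "outside window"
    return True, "ok"

def demo():
    """Check an old certificate as-is, then with its date field edited."""
    now = datetime(2022, 1, 11, 12, 0, tzinfo=timezone.utc)
    old = issue("A. Traveller", "PCR", "negative",
                datetime(2021, 7, 15, 9, 0, tzinfo=timezone.utc))
    p64, t64 = old.split(".")
    fields = json.loads(base64.urlsafe_b64decode(p64))
    fields["sampled_at"] = "2022-01-10T09:00:00+00:00"  # edited after signing
    edited = _b64(json.dumps(fields, sort_keys=True).encode()) + "." + t64
    return verify(old, now), verify(edited, now)

if __name__ == "__main__":
    print(demo())
```

A lookup URL whose result page carries no signed date gives the verifier nothing equivalent to the `sampled_at` check.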


Worth pointing out that this is Serbia's internal system, but you can also request EU QR from the same website.

Serbia's one of 33 non-EU countries whose centralised system is up to EU standard, and as such you can get both the Serbian QR code and the EU QR code.

As such, assuming no shenanigans (even though things point otherwise), he should have no problem converting it to the EU QR code and presenting that.


Ohh, so Israel is one of these 33. Good to know!


> But Serbia's system seems flawed, the EU system has all the data encoded in the QR-code, including name, the date the test was performed, the sort of test (PCR or antigen), and the result, plus a digital signature to prevent changing of those fields

(I'm in the EU): I can get a free "gargle" PCR test - either via walk-up test centre or via collect/test-at-home/drop-sample-in-collection box any time I want here, and in both cases there is zero verification that the sample I provide for the test actually came from my mouth.

If you have a friend who is Covid19 positive, it would be trivial to get yourself a positive result.


The Netherlands has a separate local and international version as well with less information in the local version because they didn’t want everyone and his dog implementing different rules.

But for the international version you can’t just decide to give less information because then it won’t be accepted.



