Skip to content

Latest commit

 

History

History
87 lines (51 loc) · 4.16 KB

README.md

File metadata and controls

87 lines (51 loc) · 4.16 KB

Vax.Codes - Free QR Codes for Covid-19 Test and Vaccine Recipients

Website: https://vax.codes/

This website allows event organizers and businesses to instantly verify that someone has received a Covid-19 test or vaccination by scanning a QR code issued by a locally trusted organization.

The goal of this project is to make it easy for event organizers and businesses to safely hold events by incorporating testing and vaccination verification into their admittance procedures.

How it works

  1. An "issuer" creates a QR code for a tested or vaccinated person (can be emailed, printed, or texted)

  2. The person shows that QR code to the event organizer or business.

  3. The event organizer or business scans the code, using any QR scanner app or https://vax.codes/scan

  4. Scanning the QR code will open a URL with the person's name and verification they have received a Covid-19 test or vaccine.

  5. The event organizer makes sure the "issuer" is someone they trust and checks name on the verification against the person's ID.

Read more: https://vax.codes/how-it-works

Project status

See our github issues for the specific things we're working on.

Phase 1 - Demo Ready

  • QR code scanner
  • QR code issuing (in browser)
  • Issuer admin
  • Issuer explorer/searching
  • Group admin
  • Group explorer/searching
  • Informational pages (how-it-works, about-us, etc.)
  • Security overview page

Phase 2 - Internationalization

  • Multi-language support

Phase 3 - Technical Features

  • API docs
  • Embedding scanner feature
  • Embedding docs
  • Local QR code issuing docs
  • Self-hosting docs
  • Other extra features (scanning uploaded pdfs, etc.)

Limitations

The QR code only verifies someone with that name as having received a Covid-19 test or vaccine, so QR codes can be interchangeable between people with the same name.

The issuer may optionally include other information (such as birth date) when issuing the QR code, to increase uniqueness, but that is up to the issuer.

This limitation was deemed acceptable to ensure the protection of other confidential medical information.

Privacy

Vax.Codes does not have a record of people who have received a Covid-19 test or vaccine.

Our website simply keeps a list of registered issuers and groups and verifies a QR code was issued by one of those organizations.

Names are stored directly in the QR codes themselves, and QR codes are generated by issuers and given to test/vaccine recipients directly. So we never see them.

Also, the verification process happens entirely "client-side" (i.e. in your browser after you've loaded the URL), so our servers never see QR codes, even during verification.

Finally, this project is entirely open source, so security professionals can confirm that our website does exactly what is described and never gets any QR codes or personal information.

Security

In the QR code, names are cryptographically signed by the "issuer". So modifying the QR code to change the name will not work.

QR codes are "signed" by issuers that can confirm that a person has received a Covid-19 test or vaccine. Each organization has one or more "signing keys" that they can use to issue new QR codes.

Anyone can register to become an issuer, so event organizers and businesses that scan QR codes should have a list issuers they personally know and trust and not accept QR codes issued from anyone else.

Read more: https://vax.codes/docs/security

Free and Open Source

This project was created by volunteers at Open Austin, a brigade of Code for America. The website code and project documentation are all free and open source.

The contact information for registered issuers and groups are the property of the organizations themselves, so you must obtain written consent from issuers and group owners themselves to include them in a re-hosted version of our website.

This project follows Open Austin's Code of Conduct.

Original project idea issue: Project Idea #159