I was thinking I’d breakdown a little bit of the Faroese KoronaPass since it seems like its been a bit of a black box. After we’d implemented the tech stack for the Covid-19 Testing infrastructure and tracking along with the vaccination delivery and notifications. I got called in to a meeting, informing me that EU and its member states had been for the past few months working on an APP and an infrastructure, Denmark, our closest ally explained they would be rolling out their implementation within 4 weeks, and explained a bit about how the app worked and how certificate infrastructure worked, and how they have been working closely with multiple companies and organizations to develop this over the past MONTHS with over 50 million as a base costs.. let that sink in.
KoronaPass enables people from the Faroese Islands to prove their medical state concerning Covid-19
After the meeting they turned towards me and asked, if this was something I could setup, and give Faroe Islands its own EU covid passport within a month so we could align with the danish release..
First, they have had teams over multiple companies and government organizations working on this for months, so if I have to come up with a solution within a month, damn, where to start??
As the app only needs to deliver a QR code with a authentication front-end to the user, and the rest is back-end server work. the objective seemed reasonable within the given time frame. That being said, there was a seep learning curve, since it was all rushed. The app platform I chose was a PWA utilizing C# and Blazor (WASM)… why? well .. if the app had to be implemented natively for both iOS and Android it would add quite an overhead of work. so … I needed cross compatibility, also at the start there was talk, that we might allow people to access this service from their home PC. which is browser based, so at some point it had to be done for the web anyway, so lets bundle this up in to one single front-end.
I quickly accepted and said yes, I can do it… I should not have jumped in and accepted so fast, since it was still a big project for such a short time period, and decided to call in some people for assistance & because we also needed a CSCA PKI setup, and that is no small feat to setup, but luckily we had a government organization that had a PKI with a root cert that could issue us a CSCA, (Country Signing Certificate Authority) .. with that issued and provided, we could start generating Vaccination and Test Document Signing Certificates (DSC) .. with these certificates we could take John Smith and sign a certificate and generate an encrypted QR code which can be scanned by any EU member state and will validate against our DSC, stating that the Faroese Authority verifies that this certificate is valid. This document has to be kept secure, and with the 3 people who helped on the project I decided only to entrust the certificate to myself. Since if a third party gets their hands on the certificate it would allow them to generate fake certificates for people to cross around EU and third member countries and we would have another potential surge of covid.. (but that’s worst case scenario) which has happened, we’ve seen some counties (e.g Austria) getting their DSC leaked and some fake passes gone in to circulation such as “Adolf Hitler”, “Joe Mama” among others.
DSC public keys are shared with all member states for signature verification
.. anyway, with the DSC’s ready we could start hooking up to the national hospital records for people who got tested positively for Covid, and issue them a Covid Test certificate, as well as check the vaccination records and issue vaccination certificates, these certificates are generated every time the user has internet access and types in his pin. Due to the QR codes have a limited lifetime of 2-3 days, this is to make sure that data can be accessed offline and at the same time assure they reconnect and get up-to-date medical information synchronized to their device.
There is a larger story to it all and how we get pulled in to work in the middle of the night every night of the week, including Saturday and Sundays, Which i feel has put a lot of stress on us. However on the other hand, it was a great honor to be able to put on my CV that I was the technical Architect of the Covid response for a Nation.. (maybe that’s over glamorizing it) but i like the sound of it, so I’m sticking with it.
EU Digital Covid Passport
Our deadline was not hit on the mark, since there were quite a few unforeseen things that I didn’t take in to account. such as the bureaucratically enrollment, as the Faroe Islands needed to get approval from the EU commission to join the EU DCC. Given the rushed nature of the project, We have rolled out updates some nights, to the front-end since there have been some reports that some devices were not acting as they should User Interface issues and app stability fixes. But our main work in the beginning was with our National backend. All in all i believe it came together pretty nicely. However there is still a bit of work to be done, as of time of writing, they are requesting that recovery certificates should also be issued, to people who have already been affected by covid-19 and have recovered and gotten anti-bodies .. as this does not impact the front-end much, since it can already read and display recovery certificate information already, we still have to deal with the issuance. Hopefully this gave you a bit of an insight to the project. and you are welcome to drop me a mail if you are experiencing issues, or have any comments.