Alternate source of valid cwa QR codes for lab results? #517
Comments
@ndegendogo Perhaps somebody with first-hand knowledge can explain what the recommendations to testing centers are? The specification for the form is on https://update.kbv.de/ita-update/Blankoformulare/10C_OEGD/KBV_ITA_VGEX_Implementierungshinweise_10C_OEGD.pdf and it describes how a GUID is generated. corona-warn-app/cwa-wishlist#302 (comment) showed how a QR code can be generated. Edit: ftp://ftp.kbv.de replaced by https://update.kbv.de
Hey @ndegendogo ,
I found a resource from the Kassenärztliche Bundesvereinigung (KBV) that goes into more detail on how the form was rolled out to doctors' offices last June: https://www.kbv.de/html/1150_46778.php They don't go much into detail about it, but you can see that the form generation is implemented in the software system of the doctor's office. The implementation is standardized (see @MikeMcC399's #517 (comment)) by the KBV. Printed copies can also be ordered from the local KV.
The ID is a standard UUID that is essentially a 128 Bit random number. For use in the CWA it is delivered in URI format (
The software in the doctor's office (or testing center) is generating the ID for printing it on the form. You can use any software that can generate UUIDs to build such a QR code yourself. Choosing a random ID is fine because the chance that two tests with the same IDs are in the system simultaneously is almost non-existent. Corona-Warn-App Open Source Team
The full GUID is a little longer since the 128 Bit UUID from RFC4122 is prefaced by a 6 character random hexadecimal number (followed by a hyphen separator). So it's Core Entities
Thanks @heinezen and @MikeMcC399 I have a follow-up question. So, from a technical point of view: could a lab generate such GUID / QR codes for all its samples that come without form 10C/OEGD (or without GUID from other source) / or at least for such samples that are tested positive; and send this QR code together with the lab report to the user; and the user can scan it to upload their DEK keys? Does the lab need to register such a "late-generated" QR code / GUID with cwa upfront? Or is it the required precondition in any case that the lab has uploaded their results to cwa?
@ndegendogo The QR code scanning by the user of CWA is independent of the lab input. For instance, if a person is tested at a facility which is fully conformant with the CWA process, they could immediately and successfully scan in their QR code to register the test in CWA. Then the sample would be sent with the form to the lab where the lab would later scan in the QR code from the top half of the form and record the result of the test. If both the CWA user and the lab have scanned in, then CWA can report the test result. If the test result is positive then the user can initiate the process to upload their keys. You have an innovative idea to fix a broken process! It would be interesting to hear why certain labs have not integrated into CWA. The use of CWA by citizens is voluntary and it seems that the use of the CWA infrastructure by labs is also voluntary. It sounds also like this is a political issue, which GitHub isn't really scoped to solve! I wonder if the labs have any advantage or disadvantage to use the system (including financial)?
Well - I am afraid this process is too broken to be fixed with such an idea ... And cwa will not accept any GUID without confirmation of the lab that the GUID is indeed related to a red test. Else any user could just generate a GUID himself and use it to upload his keys ...
The integration of lab results into cwa is a nice idea. But they designed only the technical solution, and there was no time for an in-depth analysis of the context of this solution.
The lab must deposit the test result for the QR code on the test result server and the user has to scan the QR code in the app. If the user's CWA retrieves the test result, they can upload their random IDs. Both sides need to upload for this to work.
I think one issue with this is that you would get the same problems that you always get when you allow critical user input: It becomes more exploitable. You must ensure that the test result QR code can only be submitted once, it must be verified by the lab in some way so that you cannot generate a valid result on your own, ... It can also introduce new adversary cases because these late QR codes would be tied to a positive result. For example, somebody could offer money for them and turn a place into a fake Corona hotspot. You can submit the idea to the wishlist because it might be possible to solve all these problems. However, it probably also introduces more complexity into the system. Corona-Warn-App Open Source Team
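The two checks named in the comment above (lab confirmation and one-time registration), as an added example that is not part of the original thread or of the CWA code base. It is a simplified Python model: `ResultServer`, its method names and the result strings are hypothetical, and the GUID follows the format described earlier in the thread (6 hex characters, a hyphen, an RFC 4122 UUID).

```python
import re
import secrets
import uuid

# Format from the thread: 6 random hex chars, a hyphen, then an RFC 4122 UUID.
GUID_RE = re.compile(
    r"[0-9a-f]{6}-[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

def new_guid():
    """Constructed sample GUID; any UUID generator can produce one."""
    return f"{secrets.token_hex(3)}-{uuid.uuid4()}"

class ResultServer:
    """Hypothetical, simplified stand-in for the test result server."""

    def __init__(self):
        self._lab_results = {}    # guid -> result, written by labs only
        self._registered = set()  # GUIDs already scanned by an app
        self._tokens = {}         # registration token -> guid

    def lab_deposit(self, guid, result):
        """Lab side: deposit the result for the GUID printed on the form."""
        if not GUID_RE.fullmatch(guid):
            raise ValueError("malformed GUID")
        self._lab_results[guid] = result

    def register(self, guid):
        """App side: scan the QR code. A GUID can be registered only once."""
        if not GUID_RE.fullmatch(guid) or guid in self._registered:
            return None
        self._registered.add(guid)
        token = secrets.token_urlsafe(16)
        self._tokens[token] = guid
        return token

    def result(self, token):
        """PENDING until a lab has deposited a result for this GUID."""
        guid = self._tokens.get(token)
        if guid is None:
            return "UNKNOWN"
        return self._lab_results.get(guid, "PENDING")

    def may_upload_keys(self, token):
        # A well-formed GUID alone is never enough: only a lab-deposited
        # positive result unlocks the upload.
        return self.result(token) == "POSITIVE"
```

A GUID that no lab has deposited a result for registers successfully but stays `PENDING` indefinitely, which is why generating a syntactically valid code yourself does not allow a key upload.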
@heinezen @MikeMcC399 Thanks for all your answers. No more questions at the moment. Closing the ticket.
Your Question
I would like to understand more about the QR codes / IDs that cwa uses for access to the lab results.
Where and how are they generated?
If I understand correctly, they are printed on the form 10C/OEGD, and this ensures they are unique. Is there an additional / alternate procedure to get such a valid ID?
For example is there some software (plugin or similar) that can generate such IDs? Or request it from a server? Or would it be possible to implement such a plugin?
Background of my question: the form 10C/OEGD is used by doctors when they send me to be tested. But there are other process flows with no doctor involved upfront in a test center with self-registration. How is such a test center supposed to integrate a valid cwa-compatible QR code into their process?