What's in a Kosovo Covid Pass QR code?

I’ve been seeing a lot of questions going around as to why we need an internet connection to verify Kosovo Covid Pass QR codes.

Why are EU covid passes “scannable” while ours aren’t?

How does an EU covid pass differ from ours? They look pretty similar after all.

What’s a QR code?

A QR code is just a super convenient way to pass information around. It’s text in 2D image form. That’s all you should care about; it’s inner workings are intentionally opaque.

Imagine you see a huge billboard with a long URL of the product being advertised, you certainly wouldn’t stop walking to write it down. If it were in QR code form however, you’d be much more likely to scan it. This use case is why QR codes were invented.

Here’s a QR code with some free text:

You can scan it with your phone camera to confirm. Also, you can generate your own QR code here.

What’s in a Kosovo Covid Pass QR code?

A URL. That’s it. One single link.

The QR code on our Kosovo covid passes encode a single link with a unique ID, which takes you to a government website that shows you the details of that particular certificate (your name, doses, etc.).

To verify your Covid pass, someone would have to:

  1. Scan your Covid pass QR code
  2. Open the decoded link in their browser
  3. Verify that the details on the website match the details on the Covid pass
  4. (Optional) Verify that the details on the Covid pass match the details on your ID document
  5. Done!

Notice how you can’t get past step 2 without an internet connection.

The only element of trust and authority in this flow is that the website is government-owned and we trust that its contents are true.

What’s in an EU Covid Pass QR code?

An EU Covid pass QR code is much meatier. It contains your full name, birthdate, nr of doses, vaccine manufacturer, country of vaccination, and more. All within the QR code. With all the data in there, verification can be done completely offline!

But that’s just half of the story.

The main issue is: how can we trust the embedded data? Generating a QR code is trivial, so what mechanism protects us from counterfeit Covid passes with forged QR codes?

The answer is public and private key pairs. The authority (in this case, the government) signs (encrypts) all officially generated Covid passes with the (secret) private key, and releases the public key to, well, the public. Now anyone can make their own scanner app, bundle in the public key, and start scanning QR codes. The app verifies that the contents of the QR code were signed (encrypted) by the government if it can successfully decrypt it using the public key.

To complete the comparison: for someone to verify an EU Covid pass they’d have to:

  1. Scan your Covid pass QR code using an app with the public key
  2. (Optional) Verify that the details match the holder’s ID document.
  3. Read the screen for ✅ or ❌. Done!

This is all done using CBORs (Concise Binary Object Representation) and CBOR Object Signing and Encryption (COSE), a very compact way to represent data and sign it. For devs out there: these are pretty much like JWTs but in binary format. Like JWTs, CBORs have segments of data and a signature that proves that the holder of the secret (private) key signed it.

More info

Here are some useful resources for anyone that wants to dive deeper: