This repository has been archived by the owner on Jun 20, 2023. It is now read-only.

The period of validity should not depend on the date of issue. #3538

Closed
mge-medisoftware opened this issue Jun 24, 2021 · 14 comments
Labels: bug (Something isn't working), mirrored-to-jira (This item is also tracked internally in JIRA)

Comments

@mge-medisoftware

mge-medisoftware commented Jun 24, 2021

The period of validity should not depend on the date of issue. It must only depend on the date of vaccination.

For example:
Date of vaccination: 2021-06-09
Date of issue: 2021-06-15
CWA-app displays: valid until 2022-06-15 ! Should be 2022-06-09 or 2022-06-09 + 14 days

(Android, App-Version 2.3.4)

Added:
Or do you use MIN(Date of vaccination + 14 +365,Date of issue +365) ???


Related to topic: Check signature of certificates
Internal Tracking ID: EXPOSUREAPP-8010

@mge-medisoftware mge-medisoftware added the bug Something isn't working label Jun 24, 2021
@dsarkar
Member

dsarkar commented Jun 24, 2021

@mge-medisoftware Thanks for your report! Stand by please, we will come back to you.


Corona-Warn-App Open Source Team

@dsarkar dsarkar added the in review Moderators are investigating how to best proceed with the issue label Jun 24, 2021
@vaubaehn
Contributor

I was also wondering about that, but I read that the validity of the certificate does not depend on medical circumstances like the expected duration of immunity. How long people are sufficiently immune against SARS-CoV-2 on average, and when boosters are needed - hence the 'validity of immunization' - is still subject of ongoing scientific research, and does also depend on the occurrence of virus variants which may make it necessary to have earlier re-vaccinations. It's a quite dynamic process.
Thus, the validity of the immune status will be checked by "Business rules" implemented in verification apps. Business rules are set up by EU member countries and may vary from nation to nation, and also change on new scientific conclusions.

The validity of the certificate that is displayed from the wallet/verification apps is 'just' the validity of the digital signature of the certificate. For security reasons, these are valid for one year from the time of issuance.
I need to find the source of information where I got it from and add it here later. Or maybe @dsarkar can confirm and link to the sources.

@Ein-Tim
Contributor

Ein-Tim commented Jun 24, 2021

Maybe from here @vaubaehn: https://github.com/ehn-dcc-development/hcert-spec/blob/main/hcert_spec.md#61-hcert-signature-validity-time

@Jo-Achim

So the "valid until" date should refer directly to the day of the last vaccination, right?
The 'last vaccination' would then also include booster vaccinations.

@mge-medisoftware
Author

Ok, thank you. If there's some mix of technical validity (365 days since date of issue) and expected duration of immunity then there is only a problem if duration of immunity will be longer than the expected 365 days (may also depend on vaccine and age of vaccinated person). So there's some loss of flexibility... due to security concerns, a frequent problem.

The current algorithm seems to be: MIN(Date of vaccination + 14 +365,Date of issue +365) ?

@DerVogel2020
Contributor

See also corona-warn-app/cwa-documentation#645

@vaubaehn
Contributor

@mge-medisoftware

> Ok, thank you. If there's some mix of technical validity (365 days since date of issue) and expected duration of immunity then there is only a problem if duration of immunity will be longer than the expected 365 days (may also depend on vaccine and age of vaccinated person). So there's some loss of flexibility... due to security concerns, a frequent problem.
>
> The current algorithm seems to be: MIN(Date of vaccination + 14 +365,Date of issue +365) ?

That's a good point. To not run into trouble, the signing instance (IBM/Ubirch server) would need to be able to manage a number (at least 2) of Digital Signature Certificates (DSC) of the issuing institution (for the Covid certificates you get in pharmacies, it's RKI). So, at the moment a Digital Covid Certificate (DCC) is issued, the signing server needs to check if the Digital Signing Certificate (DSC) of the RKI is valid at least as long as the expected immunity (defined in the business rules)/validity of the DCC. If the DSC expires before the DCC, then the signing server would need to use a newer DSC key pair for signing, one that expires after the defined expiration of the DCC.
Is this explained clearly enough?

/cc: @thinkberg
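
The signing-side check described in the comment above, sketched as an added example that is not part of the thread and not code from the CWA or the signing service. The `SigningCert` record, the key ids and the DSC dates are constructed for illustration; the 365-day DCC validity is the figure quoted in this thread.

```python
from dataclasses import dataclass
from datetime import date, timedelta

DCC_TECHNICAL_DAYS = 365  # from the thread: DCC signature validity, counted from issue

@dataclass(frozen=True)
class SigningCert:            # hypothetical stand-in for a DSC record
    key_id: str
    not_before: date
    not_after: date

def last_safe_issue_date(dsc, dcc_days=DCC_TECHNICAL_DAYS):
    """Last day on which this DSC may sign a DCC that it will still outlive."""
    return dsc.not_after - timedelta(days=dcc_days)

def select_dsc(dscs, issue_date, dcc_days=DCC_TECHNICAL_DAYS):
    """Pick the oldest DSC that is valid now and still valid when the DCC expires."""
    dcc_expiry = issue_date + timedelta(days=dcc_days)
    covering = [d for d in dscs
                if d.not_before <= issue_date and d.not_after >= dcc_expiry]
    if not covering:
        # Fail closed: never issue a DCC that would outlive its signing certificate.
        raise LookupError(f"no DSC covers {issue_date}..{dcc_expiry}")
    return min(covering, key=lambda d: d.not_before)

# Constructed sample data: two overlapping DSCs with placeholder key ids.
DSCS = [
    SigningCert("dsc-old", date(2021, 5, 1), date(2023, 5, 1)),
    SigningCert("dsc-new", date(2022, 3, 1), date(2024, 3, 1)),
]

if __name__ == "__main__":
    for day in (date(2021, 6, 15), date(2022, 5, 1), date(2022, 5, 2)):
        print(day, "->", select_dsc(DSCS, day).key_id)
    print("dsc-old must be rotated out after", last_safe_issue_date(DSCS[0]))
```

The newer DSC has to be in service no later than the day after `last_safe_issue_date` of the older one, which is why at least two overlapping DSCs are needed.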

@vaubaehn
Contributor

@Ein-Tim

> Maybe from here @vaubaehn: https://github.com/ehn-dcc-development/hcert-spec/blob/main/hcert_spec.md#61-hcert-signature-validity-time

This is still valid: corona-warn-app/cwa-documentation#587 (comment)
Thank you ❤️

@vaubaehn
Contributor

vaubaehn commented Jun 24, 2021

I just found the issue of @DerVogel2020 @lgmIT : corona-warn-app/cwa-documentation#645
I understand it in the same way, and he also explains the differences very well.

(edit: I mixed up the colors of avatars and thus names... 🙄 )

@dsarkar dsarkar added the mirrored-to-jira This item is also tracked internally in JIRA label Jul 2, 2021
@dsarkar dsarkar removed the in review Moderators are investigating how to best proceed with the issue label Jul 2, 2021
@GisoSchroederSAP

GisoSchroederSAP commented Jul 9, 2021

@ALL,
please check the new entry in the "Glossary" section of the FAQ page (for now available in German only): https://www.coronawarn.app/de/faq/#G

The term "Gültigkeit" (validity) is not unique, instead we talk about two different validities: The one for the technical certificate. This date will be explicitly carried within the certificate (in the example mentioned by @mge-medisoftware: valid until 2022-06-15). So, the technical certificate expires on that date.

In contrast to the technical validity, the effective vaccination validity cannot be mentioned, as this date is subject to change depending on scientific evidence and new additional findings. Therefore, the CWA displays the only "known" date: the date of vaccination (Date of vaccination: 2021-06-09).

And yes, in Germany currently the certificates have a technical validity of 1 year.
In Germany, the full vaccination (according to the vaccination scheme) lasts for 1 year beginning 14 days after the most recent date of vaccination.

The only exception is the recovery certificates (a recovered person, without an additional vaccination but with a proof of immunization like PCR test): This is considered to be effective for 180 days only.

I hope this does not become too confusing.
With the CWA we may change the output and remove the date fields to reduce complexity. In the end: Only if the effective vaccination validity and the technical validity are given, the certificate will be verified "accepted". In any other case, the verification will refuse/decline the certificate.
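
The two validities from the comment above, evaluated for the certificate in the original report. This is an added example, not part of the thread and not CWA code: the `Certificate` record is hypothetical, the day counts are the figures quoted in this thread, and the start of the recovery window is an assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Figures quoted in the thread for Germany in mid-2021. Verifier apps take the
# effective ones from national business rules, so treat them as configuration.
VACCINATION_WAIT_DAYS = 14    # effect starts 14 days after the latest dose
VACCINATION_DAYS = 365        # "1 year", modelled as 365 days (assumption)
RECOVERY_DAYS = 180           # counted from the test date here (assumption)

@dataclass(frozen=True)
class Certificate:            # hypothetical record, not the DCC schema
    kind: str                 # "vaccination" or "recovery"
    event_date: date          # latest dose, or positive test
    issued_at: date
    expires_at: date          # technical expiry carried in the certificate

def effective_window(cert):
    """Medical validity: derived from the event date, never from the issue date."""
    if cert.kind == "vaccination":
        start = cert.event_date + timedelta(days=VACCINATION_WAIT_DAYS)
        return start, start + timedelta(days=VACCINATION_DAYS)
    if cert.kind == "recovery":
        return cert.event_date, cert.event_date + timedelta(days=RECOVERY_DAYS)
    raise ValueError(f"unknown certificate kind: {cert.kind}")

def verify(cert, on):
    """Accept only if both validities hold on that day (signature check assumed done)."""
    reasons = []
    if not cert.issued_at <= on <= cert.expires_at:
        reasons.append("technical validity not given")
    start, end = effective_window(cert)
    if not start <= on <= end:
        reasons.append("effective validity not given")
    return (not reasons, reasons)

def last_accepted_day(cert):
    """Both checks must pass, so the earlier of the two end dates wins."""
    return min(cert.expires_at, effective_window(cert)[1])

# The certificate from the issue report (dates taken from the thread).
REPORTED = Certificate("vaccination", date(2021, 6, 9), date(2021, 6, 15), date(2022, 6, 15))

if __name__ == "__main__":
    for day in (date(2021, 6, 20), date(2022, 6, 15), date(2022, 6, 20)):
        print(day, verify(REPORTED, day))
```
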

@vaubaehn
Contributor

@ALL
In the current release 2.5.1 of CWA, there is no timestamp at all anymore, referring to either technical validity (or digital signature expiration date) or effective validity (expiration of immunization).
As these dates will again become rather important in CWA 2.6.x, introducing the new feature "validation of DCCs by using business rules", I'm voting to re-implement them - or not to forget to do it, if it's already on the todo list...

@GisoSchroederSAP

I just made an entry in issue 645 that may help to understand the way forward.
Please feel free to comment here or there

@MikeMcC399
Contributor

@mge-medisoftware

I believe that the current FAQ entry https://www.coronawarn.app/en/faq/#eu_dcc_validity best explains this.

Could you check using the current app version (2.8.0) where the dates and text should be clearer?

If you are satisfied, probably this issue can be closed.

@mge-medisoftware
Author

Indeed, the difference between technical and effective validity is now very transparent in CWA. Closed. Thanks!

9 participants