What happens with the vaccination certificate once the validity time has passed?

[Ein-Tim]

Your Question

• Documentation File: From https://github.com/ehn-digital-green-development
• Line / Paragraph: https://github.com/ehn-digital-green-development/hcert-spec/blob/main/hcert_spec.md#61-hcert-signature-validity-time
• Question: What happens with the vaccination certificate ones the validity time has passed? When building version 2.3 locally on my Emulator the certificate is only valid until 22.04., but the app still shows the "normal" vaccination screens. What exactly has to be done after the validity has passed?

---

Issue in https://github.com/ehn-digital-green-development: ehn-dcc-development/eu-dcc-hcert-spec#86

---

Internal Tracking ID: EXPOSUREAPP-8092

[MikeMcC399]

@Ein-Tim
In the example you posted in #638 (comment) the certificate is valid for one year until June 2022.

I guess we will need to wait for experience with vaccinations and how the pandemic progresses before this question can be answered. Maybe like the influenza vaccination it will be necessary to have a refresher vaccination every year to take account of mutations?

PS: You have a typo in the title and text, "ones" should be "once" 🙂 .

[Ein-Tim]

@MikeMcC399

This vaccination certificate shows that it's only valid until 23.04.2021:

But if I scan it with CWA, CWA shows that it's valid until 03.06.2021.
If I scan it with CovPass, I get the error that the certificate does not have a valid signature.
If I scan it with CovPassCheck, I get the error that the QR-Code is not a vaccination certificate.
This does not make any sense at all 🤨

[MikeMcC399]

@Ein-Tim

The short answer to your question about what happens when the vaccination certificate is no longer valid is:

In other words you should contact your doctor and get your vaccination refreshed.

It looks like you have picked up the test certificate from https://github.com/Digitaler-Impfnachweis/certification-apis/blob/master/examples/README.md.

If I scan this QR code with CovPass Android 0.160.3 it says:

• Impfzertifikat enthält keine gültige Signatur

If I scan this QR code with CovPass Check Android version 0.160.3 it says:

• Zertifikat nicht gefunden
• Zertifikat abgelaufen

As we know from the issue #634 it is possible for CWA to add vaccination certificates without valid signatures. I scanned the QR code from https://github.com/Digitaler-Impfnachweis/certification-apis/blob/master/examples/README.md with CWA Android 2.3.4 and it showed an expiry date of 03.06.21.

Using a second smartphone I scanned the QR from the screen of CWA with CovPass and got the message "Impfzertifikat abgelaufen" and it recommended that I should contact my doctor to get the vaccination refreshed.

CovPass Check gave me the same messages as previously:

• Zertifikat nicht gefunden
• Zertifikat abgelaufen

when scanning the added vaccination certificate (which originally had no valid signature) from CWA with CovPass Check.

So the test QR code you are using to test is not a typical valid QR code.

[Ein-Tim]

Okay, thank you @MikeMcC399. I already thought that this may be connected to the missing signature check...

Closing as answered!

[vaubaehn]

Hi @MikeMcC399 and @Ein-Tim ,

The short answer to your question about what happens when the vaccination certificate is no longer valid is:

In other words you should contact your doctor and get your vaccination refreshed.

According to our latest discussion here: corona-warn-app/cwa-app-android#3538 (comment) (and also here: corona-warn-app/cwa-app-android#3538 (comment) ), I would consider this to be wrong (a bug).
The validity date shown by CWA is a technical one, and refers to the expiration date of the signing Digital Signature Certificate (DSC) of the RKI. It does not state, when "immunity" expires, as this is dependent on (future) outcomes in medical research and possible future occurances of virus variants that might escape better fom immunization.
Such a message should only be shown, when the validity of the DCC (hence "immunization") expired, which can be checked via business rules that likely get implemented into CWA at a later point in time.
If the digital signature of the DCC expired, immunity may still be well enough, and it might be possible to re-issue the DCC with a renewed signiture. Hence, above message could be something like "die digitale Signatur ihres EU Covid Zertifikats ist abgelaufen. Bitte setzen Sie sich mit Ihrem Arzt oder einer Apotheke in Verbindung, um es erneuern zu lassen." If then doctor or pharmacy checks also immunity of DCC holder, the holder can either be "boostered" with a new immunization and get a new DCC, or just get a new DCC if immune status is still well enough.

What do you think - should we open a bug report in documentation repo?

[vaubaehn]

Releated: #645

[MikeMcC399]

@vaubaehn

I suggest to follow the result of #645 first (which you also just quoted).

Real and valid certificates (as opposed to invalid test certificates) should not be expiring until sometime next year. It may be that the error message from CWA is wrong and should be changed. The certificate issuing authorities would need to make a statement about how expired certificates get updated exactly. I haven't seen that published yet, but of course I may have missed something.

[vaubaehn]

@MikeMcC399
Yes, it's a good idea to follow that in #645 . It's all connected, and should probably re-worked properly by the stakeholders.