This repository has been archived by the owner on May 16, 2023. It is now read-only.

Importing renewed certificate makes certificate duplicate #834

Open
gleichda opened this issue Jun 25, 2022 · 9 comments
Labels
bug certificates EU Digital COVID Certificates mirrored-to-jira This item is also tracked internally in JIRA ux Ideas affecting the UX

Comments

@gleichda

gleichda commented Jun 25, 2022

Current implementation

Importing a renewed certificate makes the certificate duplicate in the list

Steps to reproduce

  1. Import a certificate on 2 devices
  2. Renew a certificate on one device
  3. Import the renewed cert on second device

Suggested enhancement

The renewed certificate should replace the old certificate & certificate should also get renewed on the second device


Internal Tracking ID: EXPOSUREAPP-13457

@gleichda gleichda added the bug label Jun 25, 2022
@MikeMcC399
Contributor

@gleichda

I don't think this can be considered a bug, although it could be a wishlist item.

The old and new certificates are only connected by hash information on an RKI server, so to automate a clean up after importing a renewed certificate would involve contacting the RKI server. That is probably not desirable. Certificate scanning should be possible locally without having to share any data with a central server instance.

The privacy notice explains in the section "Update feature for COVID certificates"

In order to be able to prevent users from using the update feature several times, which is not permitted, the electronic signatures of the updated and new digital COVID certificates are temporarily stored on the app’s server system by means of special one-way encryption (what’s known as a hash value). This means that the app performs a certain mathematical procedure in order to convert the electronic signature in such a way that it can no longer be identified. The hash value cannot be used to infer the data in the relevant digital COVID certificate or other information about you. However, it is still possible to clearly assign the hash value to the updated digital COVID certificate. The hash values will be deleted again 365 days after the update.

@Ein-Tim
Contributor

Ein-Tim commented Jun 25, 2022

When importing a certificate the app checks if there is already a certificate in the app with the same UCID (Unique Certificate Identifier). Only if this is the case, the app shows an info message to the user that the certificate is already in the app.

As the renewed and the old certificate have different UCIDs, the app does not detect that they are the same (from the user's perspective).

@gleichda
Author

@Ein-Tim @MikeMcC399 by using the information from the certificate this should be possible: comparing name, date of event and type of certificate (vaccination, recovery) with existing certificates, this should be easily doable, I would say.
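
The two matching strategies discussed in the comments above, as an added example that is not part of the thread and not the app's code: an identifier-only check misses a renewed certificate, while comparing name, date of event and certificate type flags the older copy. The `Cert` record, its field names, the verdict strings and the sample values are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    # Constructed, simplified record; not the app's data model.
    uci: str          # unique certificate identifier, changes on renewal
    name: str         # holder name as printed in the certificate
    kind: str         # "vaccination" or "recovery"
    event_date: date  # date of vaccination or of the positive test
    expires: date     # technical expiration date, changes on renewal

def same_event(a: Cert, b: Cert) -> bool:
    """Compare the fields that stay identical across a renewal."""
    key = lambda c: (c.name.strip().upper(), c.kind, c.event_date)
    return key(a) == key(b)

def classify_import(stored: list[Cert], new: Cert) -> tuple[str, list[Cert]]:
    """Return a verdict and the stored certificates it refers to."""
    exact = [c for c in stored if c.uci == new.uci]
    if exact:                       # identifier-only check
        return "already_stored", exact
    related = [c for c in stored if same_event(c, new)]
    older = [c for c in related if c.expires < new.expires]
    if older:                       # renewed copy of something we hold
        return "supersedes", older
    if related:                     # we already hold the newer copy
        return "superseded_by_stored", related
    return "new", []

# Constructed sample data.
OLD = Cert("URN:UVCI:EXAMPLE:OLD", "Mustermann, Erika", "vaccination",
           date(2021, 7, 1), date(2022, 7, 1))
RENEWED = Cert("URN:UVCI:EXAMPLE:NEW", "MUSTERMANN, ERIKA", "vaccination",
               date(2021, 7, 1), date(2023, 7, 1))
OTHER = Cert("URN:UVCI:EXAMPLE:OTHER", "Mustermann, Max", "recovery",
             date(2022, 1, 10), date(2022, 12, 1))

if __name__ == "__main__":
    for cert in (OLD, RENEWED, OTHER):
        verdict, hits = classify_import([OLD], cert)
        print(cert.uci, verdict, [c.uci for c in hits])
```

The function only flags candidates and runs entirely on locally stored data; whether a flagged older copy is removed automatically or offered to the user for deletion is left to the caller.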

@MikeMcC399
Contributor

@gleichda

Up to a maximum of three devices the expected use case is for the reissue to be requested on each device individually. A user would only need to scan a reissued certificate starting with the fourth device and there the old certificate would need to be deleted by hand. On the first three devices the older certificate would be automatically removed (see https://www.coronawarn.app/en/faq/results/#dcc_replacement_howto).

You are right that it would be possible to compare other fields on the certificate. It will be up to the developers to consider whether this is something they would want to implement.

This issue should probably be moved to cwa-wishlist/issues and I expect that the moderators will look at this.

@larswmh larswmh transferred this issue from corona-warn-app/cwa-app-android Jun 27, 2022
@larswmh
Member

larswmh commented Jun 27, 2022

Thanks for your enhancement request @gleichda. We have created an internal ticket for it and will raise this topic internally.
Internal Tracking ID: EXPOSUREAPP-13457

Issue was moved to cwa-wishlist repository and opening comment has been adjusted accordingly. Feel free to update it if you think that anything is missing.


Corona-Warn-App Open Source Team

@larswmh larswmh added the mirrored-to-jira This item is also tracked internally in JIRA label Jun 27, 2022
@MikeMcC399
Contributor

I overlooked the scenario where a user may have the same certificates stored in both Corona-Warn-App and CovPass. If a user has two devices, and certificates are stored in each app on each device, that would be a total of 4 times storage of the same certificate. That would exceed the allowance of 3 reissues per certificate, so therefore some manual exchange between the apps would be necessary.

@dsarkar
Member

dsarkar commented Jul 5, 2022

@MikeMcC399 Manual exchange can be done with the "export all" functionality.

@dsarkar dsarkar added certificates EU Digital COVID Certificates ux Ideas affecting the UX labels Jul 5, 2022
@MikeMcC399
Contributor

@dsarkar

Manual exchange can be done with the "export all" functionality.

That is correct, however normally there would only be one certificate to export / import at a time from and into CWA. The point of this item is to delete the older certificate automatically. The way it is at the moment, if you import a renewed certificate you have to delete the older certificate by hand if you want to clean up. You could just leave the older certificate where it is though. It will ultimately be displayed with "Certificate Expired" status. It just means that you would have two certificates with identical details except the UCI and the technical expiration date (and therefore status) would be different.

The question is whether the clean-up to remove the older certificate should be automated or not.

@dsarkar
Member

dsarkar commented Jul 5, 2022

@MikeMcC399 yes, I agree with your comment, and indeed, the central question is if deletion of the older certificate should be automated. I guess this is problematic, because it will be "replaced" by a different mechanism than the currently defined one. Anyway, the idea per se is interesting.
