TL;DR: the EU code embeds the certificate itself, the Bosnian QR code contains simplified data and a URL, and the Serbian code contains only a URL.

What's inside a non-EU country's vaccination QR Code?

submitted by
Style Pass
2021-07-12 12:00:08

The URL is hosted on http://vakcinacija.javnozdravstvors.org/. I will obviously not show the full URL. But I will also not include the full path for reasons that will become obvious later.

Contrast this with the EU implementation, where the QR code contains the certificate itself. The payload is Base45-encoded, compressed and signed.

Contrast that with the Austrian code where the signature is part of the code. In the screenshot below the yellow is data and green is the signature.
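The layering described above for the EU code, as an added example that is not code from the original post: it strips the `HC1:` prefix, Base45-decodes (RFC 9285) and zlib-inflates the QR text to reach the signed bytes, without verifying the signature. The sample payload, the size cap and the names `unpack_qr` and `MAX_SIZE` are assumptions made for illustration.

```python
import zlib

ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:"  # RFC 9285
INDEX = {ch: i for i, ch in enumerate(ALPHABET)}
PREFIX = "HC1:"        # context prefix of EU Digital COVID Certificate QR text
MAX_SIZE = 64 * 1024   # assumed cap on inflated size (guards against zip bombs)

def b45encode(data: bytes) -> str:
    """Two bytes -> three Base45 characters, a trailing single byte -> two."""
    out = []
    for i in range(0, len(data), 2):
        chunk = data[i:i + 2]
        n = int.from_bytes(chunk, "big")
        for _ in range(len(chunk) + 1):
            n, r = divmod(n, 45)
            out.append(ALPHABET[r])
    return "".join(out)

def b45decode(text: str) -> bytes:
    """Strict decoder: rejects bad length, foreign characters and overflow."""
    if len(text) % 3 == 1:
        raise ValueError("invalid Base45 length")
    out = bytearray()
    for i in range(0, len(text), 3):
        chunk = text[i:i + 3]
        if any(ch not in INDEX for ch in chunk):
            raise ValueError("character outside the Base45 alphabet")
        n = sum(INDEX[ch] * 45 ** k for k, ch in enumerate(chunk))
        size = len(chunk) - 1          # 3 chars -> 2 bytes, 2 chars -> 1 byte
        if n >= 256 ** size:
            raise ValueError("Base45 group out of range")
        out += n.to_bytes(size, "big")
    return bytes(out)

def unpack_qr(text: str) -> bytes:
    """Return the signed bytes inside the QR text. Does NOT verify the signature."""
    if not text.startswith(PREFIX):
        raise ValueError("missing HC1: prefix")
    inflater = zlib.decompressobj()
    try:
        raw = inflater.decompress(b45decode(text[len(PREFIX):]), MAX_SIZE)
    except zlib.error as exc:
        raise ValueError(f"not a zlib stream: {exc}") from None
    if inflater.unconsumed_tail or not inflater.eof:
        raise ValueError("payload truncated or larger than MAX_SIZE")
    return raw

# Constructed stand-in for the signed certificate bytes (not a real certificate).
SAMPLE_SIGNED = b"constructed-signed-certificate-bytes" * 4
SAMPLE_QR = PREFIX + b45encode(zlib.compress(SAMPLE_SIGNED))
```

The bytes returned by `unpack_qr` are only the input to signature verification; a scanner must still check the signature against a trusted issuer key before believing any field.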

Regardless of whether the entire certificate is embedded, or just the identifier, there should be a scanner app that can be trusted.

Having a person do this, rather than a program, introduces a potential avenue for fraud. There are several (easy) ways that the domain can be made to look legitimate.

A very simple way to solve this is to embed just the identifier in the QR code. The scanner app can read the identifier and redirect to the correct certificate. That would not require any cryptography and would solve many potential issues.
