VDS Visible Digital Seals propelled to the forefont of global vaccination validations

Posted by sandiainternational 18/10/2021 0Comment(s) Innovation, Security,

VDS Gains Wider Acceptance for Travel & Non-Travel Documents & Objects

SecuSeal vaccine card scanned for proof and face match
The new visible digital seals (VDS), originally adopted by countries for travel document verification, are now gaining wider international acceptance as affordable and efficient solutions to the global challenge of providing travellers with an internationally verifiable proof of health. Furthermore, the use of VDS technology outside of the travel domain is also becoming more broadly recognised.

This article takes a look these developments, but also goes ‘back to basics’ by explaining what a VDS actually is  and where it originates from.


What is VDS?

A visible digital seal (also called VDS or digital seal) is defined as a standardised, structured data set containing a payload (the actual data itself) and its signature (or ‘seal’), which comes from the issuer of that data. The data and the signature are then encoded into a 2D barcode which can be either printed on a document or displayed electronically.

For a travel visa, for example, the data would include the name, nationality, date of birth, sex and passport number of the visa holder, as well as the name of the issuing state and the visa validity period. Using the same methods that secure the microchip data on a credit card, the electronic signature guarantees data integrity: the purpose is not to keep the data secret, but rather to detect if it has been modified, as well as confirm the authenticity of its source.

Where does VDS originate from?

VDS was originally developed by the French National Agency for Secure Documents (Agence Nationale des Titres Securisés) and the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik).

Based on this initial work, the International Civil Aviation Organization (ICAO) developed specifications for the ePassport, which is characterised by an integrated-circuit microchip that digitally stores the information printed on the passport datapage.

The verifiability of an ePassport relies on the ‘digital signing’, by authoritative issuers, of the data on the microchip, as well as relying on the use of a public key infrastructure (PKI) for controllers to be able to verify that digital signature. Furthermore, in order to facilitate the verification process, ICAO members have established a centralised public key directory (PKD), complemented by national master lists.

Thus, the infrastructure for ICAO-compliant ePassport verification has become highly developed and, in terms of issuance, ePassports are now a global norm. Building on this existing infrastructure, in 2018, ICAO member states endorsed a technology involving a simpler implementation of the same trust/ verification model established for ePassports. The technology is called visible digital seal and it is based on the use of a 2D barcode.

The intention with VDS is to have a similar level of digital security for those documents produced in high volume and with a short validity period – such as visas – for which it is economically unfeasible to use microchips.

While 2D barcodes are already broadly used within and outside of the travel continuum, ICAO technical experts sought to advance a 2D barcode that is ‘verifiable,’ by applying the ePassport model.

How does VDS work?

If we take travel visas as an example of how ICAO VDS actually works for a non- electronic document, ICAO describes three steps in the general process:

  1. Generating a visa signer certificate – the public key infrastructure (PKI) for the electronic signing of visas is based on the ePassport model, whereby asymmetric cryptography is applied. This involves the use of a pair of related keys (or cryptographic codes) – a private key for the visa signer to encrypt the data on the travel document, and a corresponding public key for the visa controller to decrypt it.

    At the root of this system is the country signing certificate authority (CSCA) of each country, which issues electronic certificates attesting to the fact that a particular cryptographic key pair belongs to a particular visa signer.

    Three interlinking certificates are issued in this regard:
    1. The CSCA issues a certificate containing its own public key.
    2. The CSCA signs and issues a second certificate containing the public key of the subordinate certifying authority dealing with paper visa documents.
    3. The subordinate authority in turn signs and issues a visa signer certificate containing the public key of the visa signer.

      The visa signer is the entity that actually signs the digital seals. The visa signer certificate can therefore be verified by the subordinate authority certificate, which itself is verifiable by the CSCA certificate, thereby establishing a chain of trust between the different entities.
  2. Generating a digital seal – when travellers are granted a visa, their embassy of residence sends a digital representation of the travellers’ data to the visa signer, who cryptographically signs the data using a private and public key.

    The actual signing is done with the private key, whereas the public key is stored in the visa signer certificate. The resulting signature is sent back to the relevant visa personalisation system, where it is printed on the visa sticker in the form of a 2D barcode and attached to the applicant's  passport.
  3. Validating a digital seal – when applicants enter the issuing country, they present their visa to immigration officers who verify the authenticity and integrity of the VDS on the visa by checking the VDS integrity, using the public key of the visa signer certificate and comparing the printed information on the visa sticker and corresponding passport with the digital information stored in the VDS.

As stated above, the validity of the visa signer certificate itself can be verified by the CSCA certificate. Since all certificates are publicly available, the validity of the visa can be verified by any third party, not just by the issuing state. This approach can thus handle use cases for unions of countries, where one country issues a visa for another country (as is done for example in the European Union).

Real world use cases and prospects

As an example of an existing use case for VDS, in 2015, due to the refugee crisis in Europe, Germany issued a harmonised document, as proof of successful registration, to all asylum seekers arriving in the country. The document carries classic security features and a VDS containing all the printed personal data, as well as a link to a database containing biometric data.

As far as applications in the pipeline are concerned, all EU member states will start issuing Schengen visas carrying digital seals from May 2022.

And as mentioned at the beginning of this article, the ICAO VDS is gaining wider acceptance as part of an internationally verifiable proof of health. To this end, ICAO and the EU are working towards ensuring compatibility between VDS and European digital COVID certificates, with specific international implementation guidelines expected shortly. Meanwhile, other regions and countries are conducting their own assessments.



Benefits and drawbacks (as seen by ICAO)

ICAO specifies a number of considerable security advantages with using VDS on (usually paper-based) documents that don’t carry a microchip, and this was the reason for deploying this technology.

These advantages include the fact that each VDS is able to verify the information printed on the physical document, and is therefore tied to the document holder. Also, as there is no direct VDS equivalent of a blank document, no blanks can be lost or stolen. In addition, even untrained persons are able to verify a document protected with a digital seal by using low-cost equipment, such as an app on a smartphone.

However, ICAO points out some limitations when compared to chip-based documents. These include the limited storage capacity of digital seals and the fact that they do not protect against cloning. Furthermore, as 2D barcodes cannot replace the functional or security features of microchips, travel documents should strive to employ microchips whenever feasible, advises ICAO.

In spite of this, one can argue that cloning has a rather limited meaning in this context, as the main function of VDS is to guarantee data integrity.

In addition, when VDS is related to authentication features or contains a signed biometric data template such as fingerprints or a face recognition pattern, the ‘drawbacks’ as seen by ICAO should be reconsidered.

VDS outside of travel

In addition to travel documents, VDS has been applied in other real-world scenarios. For instance, in 2021, France adopted the technology for its new national ID card, while Canada is using it for school certificates, Tunisia for public service payrolls and Ivory Coast for taxi driver certificates.

Although VDS is currently mainly used on official documents and IDs, it has the potential to extend further afield, for example to tax stamps and product track and trace systems. In this regard, VDS provides a mechanism for interoperability, within a secure trusted environment, between national tax stamp and traceability programmes.

Indeed, interoperability in a trusted environment between tobacco track and trace systems is a requirement of the WHO FCTC Protocol to Eliminate Illicit Trade in Tobacco Products. Article 8 of the Protocol calls for all parties to have in place, by 2023, a global tracking and tracing regime, comprising national and/or regional track and trace systems and a global information- sharing focal point. To this end, each party must ensure that unique, secure and non-removal identification markings, such as codes or stamps, are affixed to all unit packs and any outside packaging of tobacco products.

With such a global system in place, an inspector from country X should be able to securely read the tax stamp/track and trace data used by country Y, country Z and potentially any other country, using a single mobile app as a trusted entry point. This is what a well-designed VDS is able to offer, including a mechanism supporting multilingual data presentation.

The VDS can also contain (or securely link to) information and guidance on the authenticating security features used by each country. In this way, each country is free to use different technologies and schemes, knowing that the VDS interoperability function is there to assist inspectors who are unfamiliar with some of the national schemes.

Although the most straightforward way of using VDS is to physically add it to the tax stamp as an ‘entire data set,’ the limited space available on a tax stamp means that other approaches may need to be used. One such approach could be to incorporate the electronic signature and VDS ‘header’ (containing information about the VDS)
into a tax stamp’s existing barcode, which means a second code would not be required.


Who is behind VDS outside of travel documents?

The extension of VDS outside the travel domain is being spearheaded by the Visible Digital Seal International Council (VDSIC) and its Otentik Trust Network. VDSIC is a non-profit organisation, founded in 2016 in France by 20 public and private French, Canadian and Tunisian entities. It is responsible for the governance model and standardisation of a VDS that is adapted and optimised for performance beyond the ICAO travel document domain.

The aim of VDSIC and Otentik is to create an environment of cross-sectoral and international trust, covering a wide range of digital security issues, based on global standards. At the European level, VDSIC and Otentik are working to resolve issues related to the security of official documents and certificates, instant payments based on a QR code, the security of national identity cards, as well as the use of VDS as a secure element in the field of cybersecurity and IoT.

The VDS model proposed by Otentik is based on multiple independent certification authorities (CA) – unlike the ICAO model which is based on multinational hierarchical mother/daughter CAs only. The Otentik model thus allows both for the inclusion
of hierarchical CA models (like ICAO) and sectoral, national or international multisectoral CA-based models.

Setting standards

The Otentik VDS data structure is based on the 2020 French standard AFNOR XP Z42-105, entitled ‘Electronic Storage Specifications for use of an Otentik VDS for the authentication, verification and acquisition of data carried by a document or object’. The standard, which is specific to VDS, was proposed by AFNOR in June 2021 as a New Work Item Proposal at ISO level, for the same working group that developed the tax stamp standard (ISO 22382:2018).

On 30 September, this new proposal was adopted by ISO and the new project, ISO/NP 22376, on electronic storage specifications for using VDS for the authentication, verification and acquisition of data carried by a document or object was initiated.

In addition, in 2022, the new global standard, ISO/CD 22385, on guidelines for establishing a framework for trust and interoperability, will include reference to a tax stamp carrying VDS, as an example of how such a framework could be implemented.

And a few weeks ago, the VDSIC universal ‘Otentik Code Reader’ application (acting as a trusted entry point) was launched for Android and iOS.


With all these different developments taking place around VDS technology as a new global trusted environment – both inside and outside the travel domain – the technology looks set to become a world standard in secure interoperability.


Reconnaissance Authentication News logo

This post originally appeared in the Authentication News published by Reconnaissance International in September, 2021. This article is republished here with permission.