
I was curious what it was sending so scanned it:

UKC19TRACING:1:eyJhbGciOiJFUzI1NiIsImtpZCI6ImlSNHdIVEIxdkF2a 2RjbEdCQWVwUlpxSzZSb29GbVNxcEpDQVd4alFvUFEifQ.eyJpZCI6IlA1Mkt XUFIzIiwidHlwIjoiZW50cnkiLCJvcG4iOiJFbncgTGxlb2xpYWQgeSBQcmF3 ZiIsImFkciI6IldlbHNoIEdvdmVybm1lbnRcbkNyb3duIEJ1aWxkaW5nXG5DY XRoYXlzIFBhcmtcbkNBUkRJRkYsIENGMTAgM05RIiwicHQiOiJDQVJESUZGIi wicGMiOiJDRjEwM05RIiwidnQiOiIwMDEifQ.3USKQlzdD4_RlH-wWvPPyQig 3tGbS8XUIFlTryqVzCmeWzc32YyKLjYpnzNOpUu0555-ym1kfvdDNAqnqyAWRw

The first part "UKC19TRACING" obviously tells you it's for UK Covid 19 tracing. The second part "1" is maybe a version number. The rest is a JSON Web Token with the following payload:

{"id":"P52KWPR3","typ":"entry","opn":"Enw Lleoliad y Prawf","adr":"Welsh Government\nCrown Building\nCathays Park\nCARDIFF, CF10 3NQ","pt":"CARDIFF","pc":"CF103NQ","vt":"001"}

Honestly, this seems to me to be overly complicated but I don't really know how the apps work.
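The layout described in the comment above, as an added Python sketch that is not part of the thread or of any app's code: it splits the prefix, version and JWT, decodes header and payload, and checks the structure. The sample token is constructed from the payload quoted above with a made-up `kid` and an all-zero placeholder signature; `parse_venue_qr` and `build_sample` are hypothetical names, and no signature is verified because the signing public key is not on this page.

```python
import base64
import json

PREFIX = "UKC19TRACING"

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def parse_venue_qr(text: str) -> dict:
    """Split the QR text into prefix, version and JWT; decode without verifying."""
    # Whitespace introduced by copy/paste line wrapping is not part of the token.
    compact = "".join(text.split())
    parts = compact.split(":", 2)
    if len(parts) != 3 or parts[0] != PREFIX:
        raise ValueError("not a UKC19TRACING code")
    version, token = parts[1], parts[2]
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("JWT must be header.payload.signature")
    header = json.loads(b64url_decode(segments[0]))
    payload = json.loads(b64url_decode(segments[1]))
    signature = b64url_decode(segments[2])
    # An ES256 signature in a JWS is the raw 64-byte r||s pair.
    if header.get("alg") != "ES256" or len(signature) != 64:
        raise ValueError("unexpected algorithm or signature length")
    # "signed_input" is what a verifier would check against the key named by kid.
    return {"version": version, "header": header, "payload": payload,
            "signed_input": f"{segments[0]}.{segments[1]}", "verified": False}

def build_sample() -> str:
    # Constructed sample: payload copied from the comment, constructed kid,
    # all-zero placeholder signature (it will not verify against any key).
    header = {"alg": "ES256", "kid": "constructed-key-id"}
    payload = {"id": "P52KWPR3", "typ": "entry", "opn": "Enw Lleoliad y Prawf",
               "adr": "Welsh Government\nCrown Building\nCathays Park\nCARDIFF, CF10 3NQ",
               "pt": "CARDIFF", "pc": "CF103NQ", "vt": "001"}
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{PREFIX}:1:{enc(header)}.{enc(payload)}.{b64url_encode(bytes(64))}"

if __name__ == "__main__":
    print(json.dumps(parse_venue_qr(build_sample()), indent=2))
```

Decoding alone proves nothing about authenticity: a scanner that shows the venue name from the payload without checking the signature over `signed_input` would accept any code with this shape.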



You do not need an internet connection to scan the code, which is an advantage. I imagine this is why they’ve included a check and why the code is so large.

It’s worked first time whenever someone I’ve been with has scanned it.


It seems crazy that they are using JSON in a QR code. There are much more compact encodings they could have chosen.


AFAIK in my jurisdiction the QR codes are a simple number, which the app reports along with the names of the people who have checked in or you are checking in. The number represents all the data that UK code is trying to convey. Not sure why the UK code needs all of that within itself rather than having a lookup table of some sort the number points to.


If the lookup table was stored on the server, requesting the data would effectively provide the user location to the central server. This is the part that isn't allowed.

I suspect the lookup table is too big to store on the device itself.


Why would the app need to do a lookup? Store the numbers, and if/when you test positive then submit them along with your bluetooth keys.

Seems to me like a lot of these problems go away if governments stop making things more complicated than they need to be.


Well that's possible, but doesn't add any additional security and has the negative effect that users can't see where they have scanned into on their device (e.g. on the NHS app you can go to 'venue data' and see where you have logged into).

If one of your user stories involves users being able to see the names/addresses of venues they have visited, you will either need to store the venue name in the QR code or do a lookup.



