Going back to our traveler, Alice, we can imagine that Naruba and Kumani both have national health systems that can follow the blueprint from GHCP. When Alice uses her health pass inside Naruba, it is reasonable to expect that Narubian businesses will know what a real Narubian health pass looks like and whether to trust it or not. To make this possible, the Narubian health ministry would determine what data a legitimate pass contains (e.g. its schema) and what forms it takes such as the paper design and digital format. The ministry could also determine who in Naruba can issue these health passes and even set up a registry so others in Naruba can find out as well.
This kind of one-size-fits-all, single-source solution can solve the local problem, but when Alice is interacting with people and organizations outside Naruba, the problem is much harder:
- Naruba and Kumari may have adopted different schema for the credential representing the health pass.
- Random organizations (and even people) in Kumari need to be able to establish the fidelity of the credential. Specifically, they want to know that it was issued to the person presenting it, hasn’t been tampered with, and hasn’t been revoked.
- In addition, these same entities need to be able to establish the provenance of the credential, specifically that it was issued by a legitimate organization who is authorized to attest to the holder’s vaccination status.
This is where GCCN comes in. GCCN has three components:
- a trust registry network
- a certificate implementation toolkit
- a set of recommended vendors
The trust registry network and its associated protocol not only helps Naruba and Kumari each establish their own registries of authorized health pass credential issuers, but also enables a directory of registries, so an organization in Kumari can reliably find the registry in Naruba and discover if the issuer of Alice’s credential is in it.
The toolkit provides several important components for a working ecosystem:
- a template for a governance framework that governments and industry alliances can use to make their own policies.
schema definitions and minimum data sets for the credentials.
technical specifications for the software components needed to issue, hold, and verify credentials.
- implementation guides and open source reference implementations.
guidance for creating the governance framework and technical implementation.
The vendor network provides a commercial ecosystem to which governments and industry associations can turn for support. The vendor network provides a set of organizations who have competence in building credential ecosystems. Over 25 separate companies and organizations support GCCN.
With all this, GCCN doesn’t actually build the ecosystems. That falls to organizations who use GCCN to instantiate the framework provided by GHPC.