The POX Algorithm RFC

How to show an auth token when you have privacy but no booking or other door duty. The phone occluded xenomorph algorithm: a complex cypher to protect data at all points in transmission. What really gets shown is an event-specific checksum verification on some encrypted data, which can be further queried by a provider (such as the NHS) to obtain validity and scope for the event purpose on a statistical check basis, reducing server traffic load and focusing on hot areas.

At 2953 bytes of data capacity in a QR barcode (23624 bits), there is enough scope for a double signature and some relevant data in escrow for falsification auditing. The following data layers are relevant, with keys in between:
- Verify credential entry VCE (the blind of public record customs inquiries)
- validity decrypt key (event private key part) VDK QR
- Door event transit DET (the over the shoulder mutable) QR
- event encrypt key (event public key) EEK QR
- Phone independent ephemeral PIE (the for me check)
- A public blockchain signed hashed issue SHI (the public record) QR
- authority signature keys (the body responsible for a trace of falsifications)
- hashed phone number key (symmetric cypher)
- record blind key (when combined with the event private key part makes the effective private key. Kept secret from the event)
- confidentiality key (database to publication network security layer)
- Actual data record ADR (the medical facts)
Various keys are required, but it is perhaps better to cover the QR codes needed:
- The manager VDK QR (given to the door manager)
- The issue SHI QR (given by the provider)
- The event EEK QR (posted online or outside the event)
- The entry DET QR (made for the bouncer to scan)
At the point of issue, there may be a required pseudo-event to check that all is working well. The audit provider or provider (such as the NHS) has enough data on a valid VCE to call the user and the event in a conference call. Does the credential holder answer to speak to an echoing bouncer? Does the provider send a text?