EU Digital COVID Certificate: QR Code Case Study


Technical analysis of the EU DCC: CBOR encoding, COSE signing, offline verification, and lessons for future credential systems.

EU Digital COVID Certificate: QR Code Case Study

The EU Digital COVID Certificate (DCC) was one of the largest QR code deployments in history — over 2.3 billion certificates issued across 50+ countries. Its technical architecture offers lasting lessons for credential systems.

Architecture Overview

The DCC QR code encodes:

  1. Health data (vaccination, test, or recovery record) in CBOR format
  2. Digital signature using COSE (Sign1 structure) with ECDSA P-256
  3. Compression with zlib to reduce QR code size
  4. Base45 encoding for QR code compatibility

The resulting QR code starts with HC1: followed by the Base45-encoded payload.

Why These Technology Choices

CBOR over JSON: Binary format reduces payload size by 50-70% compared to JSON, critical for fitting data within QR code capacity limits.

COSE over JWS: COSE is the CBOR equivalent of JOSE/JWS. It produces shorter signatures and integrates naturally with CBOR payloads.

Base45 over Base64: Base45 is optimised for QR code Alphanumeric mode (5.5 bits/char vs 8 bits/char for Base64 in Byte mode), reducing the QR code version needed.

Offline Verification

The critical design requirement: verification without internet connectivity. Airport gates, border checkpoints, and event venues needed to verify certificates without a network connection.

This was achieved through:

  • Pre-distributed signing certificates (public keys downloaded periodically)
  • Self-contained certificates (all data in the QR code, no server lookup required)
  • ECDSA P-256 signatures (compact, fast verification)

Security Measures

  • Each country had its own signing key pair (Document Signer Certificate)
  • Key revocation lists distributed through the EU Gateway
  • Certificates had embedded validity periods
  • Fraud detection through cross-country verification data sharing

Lessons for Future Credentials

  1. Compact encoding is essential: CBOR + Base45 was the right choice for QR code capacity
  2. Offline verification is achievable: pre-distributed public keys make it possible
  3. Interoperability requires governance: The EU Gateway coordinated 50+ countries
  4. Privacy by design: Minimal data in the certificate, no central database of scans
  5. Sunset planning: Clear timeline for deactivation when no longer needed

Key Takeaways

  • 2.3 billion DCC certificates demonstrated QR code credentials at global scale
  • CBOR + COSE + Base45 optimised payload for QR code capacity
  • Offline verification with pre-distributed keys eliminated connectivity requirements
  • Multi-country interoperability required centralised governance (EU Gateway)
  • The DCC provides a template for future digital credential systems