For an introduction to our Global COVID Certificate Series and links to the other options covered in this series, please see this post.

The Digital Infrastructure for Vaccination Open Credentialing (DIVOC) is an open source software stack which addresses not only verifiable-certificate management, but also the entire back office components (including registries) used to run the last-mile administration needs of a country’s vaccination program (including beneficiary and facility registration, online appointment scheduling, post-vaccination feedback management and end-to-end vaccination rollout management). 

DIVOC was built for India scale and aims to address other future vaccination scenarios, digital credentialing, and beyond. The largest implementation of DIVOC is in India, within the Co-WIN platform operated by the Government of India, which has issued more than 900 million vaccination certificates to date. Other known implementations are in the Philippines and Sri Lanka with more coming in the APAC and Africa regions. The DIVOC team is currently working to add new capabilities to the platform including resources around FHIR, COVID test credentials, as well as inter-specification interoperability with the EU-DCC and ICAO-VDS specifications.

The DIVOC vaccination certificate is based on one type of W3C verifiable credentials: JSON-JWT (you can learn more about different types of W3C verifiable credentials here). It contains data identifying the vaccination, as well as detailed information on the holder (name, address, date of birth, gender, etc). 

Currently, in all three countries that are implementing DIVOC, there is one centralized set of signing keys, so all certificates in the country are signed by the national authority. In India, while people are waiting after their vaccine shots, the information for their certificates is sent to the central authority and packaged up, signed and sent back to the vaccination site so it can be printed out and given to the person. Alternatively, the certificates can be accessible as a downloadable “digital copy” on the individual’s personal phone/computer via an SMS carrying a URL to the download portal. . The certificates are also “exportable” to external consumer applications (e.g. health wallets or digital lockers) via a set of protected APIs, through which an individual can request and fetch his/her certificate onto the wallet application, after the successful completion of the authentication mechanism (e.g. a Mobile OTP verification). 

The DIVOC project is hosted and maintained by India’s eGov Foundation and is available as an MIT-licensed open source software package DIVOC is also supported by various multilateral funding institutions, as well as a community of software contributors and adopters in various geographies. DIVOC’s verifiable COVID credentials have also been tested for interoperability with several consumer-health and locker applications globally; and DIVOC’s certificates from the adopter countries can now be scanned/read/ingested by these domestic and international applications.  

Countries/Jurisdictions India, Sri Lanka, the Philippines

More South/South East Asian, African and other countries are in the pipeline.
Websitehttps://divoc.egov.org.in/
Technical SpecificationsNot yet. DIVOC will put out a core specification shortly. For now, DIVOC’s adopter countries are putting out their specs (based on the DIVOC cert variants adopted by them).
Open Source Repohttps://github.com/egovernments/DIVOC
Implementation Guidehttps://divoc.egov.org.in/tech-docs
Governance FrameworkNo. Countries implementing DIVOC can define their own governance framework and use the open source code as they wish.
Trust RegistryNo. DIVOC is built on top of the generalized electronic registry and credentialing framework available under Sunbird Registry and Credentialing. Being an independent OSS project, this has been left for the adopter-countries to define. 
Example QR Code