I'm surprised to be out of the loop on this. This is the first I've heard of Quebec's vaccine passports. As the OP says, it also implies there is an app, with a vendor, an infrastructure, and key management. (smarthealthit and azure as it appears to turn out)<p>The ethics and legality of vaccine passports are still very controversial, and using Quebec as a test ground for it seems like its part of an inevitable push, independent of popular assent to it. It's force, basically.<p>Using a JWT is sufficient for the purposes, and the vaccination status is basically a digital ID. This provides some mature and flexible structure to the token format, as opposed to say, a blockchain based one. The scanning app with the URI endpoints is going to be the interesting piece.<p>Having worked in the design of related concept, the main failure modes here are a compromise of the signing key which is probably in an azure HSM instance, or cached somewhere as just a k8s secret, mobile malware that steals or corrupts tokens, and then infrastructure ddos against that API endpoint during a holiday airline rush. There's also the question of how the code verification app works, as that's where the real vulnerabilites would be.<p>Given the amount of co-ordination required for a scheme like this to work, it is difficult to believe this is not being done in secret, and if so, why?