Documentation on warning on behalf is missing

[rugk]

Where to find the issue

https://github.com/corona-warn-app/cwa-documentation/blob/master/event_registration.md

Possibly https://github.com/corona-warn-app/cwa-verification-server/blob/master/docs/architecture-overview.md (last changed in 2020, so nothing new here).

Describe the issue

Since the latest v2.9 of the CWA, the health can warn users of the CWA even if the person who was tested positive cannot or does not warn others.

I tried to find technical information/documentation about how that new feature was implemented, but could not find any information.

Suggested change

This very likely includes at least:

• …how the apps handle this (do they even handle it differently, or is it just some "ghost user" who is the health authority which is then added or what?)
• How the server infrastructure was changed/is currently, to allow this feature? (if so)
• How the TAN is generated and how it is assured that only authenticated parties (health authorities) can do this?
• What happens if the key or whatever is used for one health authority is compromised?

[Ein-Tim]

BTW, https://github.com/corona-warn-app/cwa-documentation/blob/master/event_registration.md is outdated, it says:

CWA proposes a fully-automated decentral solution for Presence Tracing which works independent of local health authorities and the collaboration of the host of a venue.

Yes, it can work like this, but the document should be updated to reflect the new "Warn for others" feature 😅

Hope it's ok to add this here.

[rugk]

Yep, that's totally related and should/can be done when the doc for this whole feature is added.

[rugk]

So now submitted a simple "fix" for that wrong sentence: #703

[Ein-Tim]

FYI, on Twitter, somebody told me this:

Das funktioniert erstmal nur als Pilot mit zwei GÄ in Sachsen!
Die rufen eine Hotline an, bekommen dann eine TAN und warnen entweder selbst über die CWA oder geben die TAN an den Ersteller weiter.
Das Feature wird dann sukzessive an weitere GÄ ausgerollt.

No idea where they got this info, but is this true @thomasaugsten?

[thomasaugsten]

• The app handling is the same only the backend checks if not a regular tele-tan is used for warning on behalf or ENF keys are submitted.
• A special tele-tan type was introduced
• There is a special hotline only known to the GAs they have to call the hotline number and goes through a verification process to receive a tele-tan
• There is no special key involved only a tele-tan with limited validity

I'm not in the rollout plan of the GAs involved.

[Ein-Tim]

@thomasaugsten

Okay thanks. But you can confirm that there is a staged roll out for this feature in the health authorities?

[thomasaugsten]

I have no information about internal processes of the health authorities

[Ein-Tim]

Okay, I understand 😅

Thanks for your answers @thomasaugsten!

[Ein-Tim]

@dsarkar I suggest to mirror this issue to JIRA, the best title is probably "Documentation on warning on behalf is missing"

[Ein-Tim]

The warning on behalf feature has been removed in version 2.28. - Documentation still would have been nice.