CNN reports that officials plan to issue "vaccination cards" to people who get COVID vaccines. We need to be careful about how that is done. Some of the strategies are counterintuitive. Thread:

Vaccination cards can have two possible purposes: certificate or reminder. A certificate lets you prove to a third party that you have been vaccinated. A reminder just helps you remember when you were vaccinated and whether/when you need new doses.

Certificates need to resist forgery, because there will be incentives, perhaps strong ones, to make false certificates. And those of course are dangerous. Reminders don't need to resist forgery--why would you try to trick yourself about your status?

A bad outcome is a document designed as a reminder that ends up getting used as a certificate. It's designed without thinking about forgery, but it's used in cases where forgery is a serious danger. This kind of mission creep can happen very easily. How might we prevent it?

A powerful strategy is to design a reminder document to *highlight* how easy it is to forge. It shouldn't look official; shouldn't display logos of trusted entities; shouldn't be printed on fancy paper; should look like something anybody can make with a home printer quickly.

Or, if we're going to have a certificate meant to *prove* vaccination, have effective anti-forgery and anti-impersonation strategies. That is very hard to do! Not to mention the downsides of using certificates in a world where vaccine access is limited. /end