Certification: A description of the What, Where, When and, most importantly, the Why of Application Certification.


Certifications are needed to block attempts to reuse one person's valid credential for another person who does not meet the necessary criteria.

Applications need certification.

  • The wiki on Patient Choice describes some of the actual patient experience with healthcare or similar apps. It should be quite clear that if application developers are not held accountable, they will not make much effort to protect users.
  • The wiki on the Mobile Driver's License for use cases in Healthcare provides more evidence that if a driver's license claims to implement Real-ID, it also needs assurance that it is secure.

Sources for Digital credential cards will also need certification.

  • The primary purpose of a Credential Service Provider (CSP or CP) is the provisioning of credentials or certificates that can be trusted. For example, an HL7 report of a COVID-19 test is not in the form of a Verifiable Credential and is not bound to a user’s digital identifier. A CSP can be used to provide assertions for any identifier, attribute or authentication method. These can be combined on the user's smartphone to create a token containing all necessary assertions for access.


  • First there needs to be a Trust Federation with a Code of Conduct, such as this one from the CARIN alliance.
  • That code of conduct needs to be developed into a list of service criteria that can be used to evaluate the app.
  • Then a number of testing organizations need to be certified, so that they can compare the app with the service criteria and issue a certificate of compliance.
  • The user experience design needs to describe a user journey that gives the user informed control of their own data. Testing of user reaction both before and after deployment is needed to assure that the user understands the impact of their choices.
  • The next step is to allow phone apps to validate that they meet the criteria in a Distributed Assurance Specification.
  • All of the above steps have been implemented in Healthcare IT already for the patient portals, so we have empirical evidence that it can be done and that it works.
  • The FirstNet app development program has implemented a similar program for the first responder network that can serve as a paradigm for this program.


  • All apps need to be validated before they are deployed to public web stores so that users can see which apps are certified before they are downloaded into the user's phone.


  • Visit the Instructions for getting applications certified.
  • Create an image of the code (for example an apk) and collect the supporting material, including the source depot, for submission to the test laboratory.
  • Submit the package to the test lab, along with answers to a few questions, and prepare for a local or remote review with the architects and developers.
  • This Health Care Profile is one of the Framework Profiles that will allow developers of code and user experience to determine if their systems are compliant with the framework.
See the results from the API that a relying party web service will receive in raw JSON format:
Access the API output