Difference between revisions of "Mobile Driver's License Presentation"
From MgmtWiki
(→Security) |
(→Context) |
||
(44 intermediate revisions by the same user not shown) | |||
Line 3: | Line 3: | ||
==Context== | ==Context== | ||
+ | * This is a specific use case of both [[Presentation]] and the [[Presentation from a Wallet]] wiki pages. | ||
* The [https://identity.foundation/presentation-exchange/spec/v1.0.0/ DIF Presentation Exchange] is looking for test cases. This is such a test case (ie a use case with teeth). | * The [https://identity.foundation/presentation-exchange/spec/v1.0.0/ DIF Presentation Exchange] is looking for test cases. This is such a test case (ie a use case with teeth). | ||
* This use case looks at the wallet as the source of Presentation Statements, which is not necessarily the full scope of the DIF WG. | * This use case looks at the wallet as the source of Presentation Statements, which is not necessarily the full scope of the DIF WG. | ||
+ | * See wiki page [[Consent for Mobile Credentials]] to understand the conditions that must be met for consent to be meaningful. | ||
===Actors=== | ===Actors=== | ||
* Holder = The entity that submits proofs to a Verifier to satisfy the requirements described in a Presentation Definition (may or may not be the subject) | * Holder = The entity that submits proofs to a Verifier to satisfy the requirements described in a Presentation Definition (may or may not be the subject) | ||
* mDL holder = individual to whom an mDL is issued = legitimate holder of the driving privileges reflected on an mDL = subject of the mDL | * mDL holder = individual to whom an mDL is issued = legitimate holder of the driving privileges reflected on an mDL = subject of the mDL | ||
+ | * Device = smartphone or similar with a trusted wallet (in the ISO docs this is conflated with the doc that resides on the device (aka mdoc) | ||
* Verifier = The entity that defines what proofs they require from a Holder (via a Presentation Definition) in order to proceed with an interaction. | * Verifier = The entity that defines what proofs they require from a Holder (via a Presentation Definition) in order to proceed with an interaction. | ||
* mDL verifier = entity using an mDL reader to verify an mDL | * mDL verifier = entity using an mDL reader to verify an mDL | ||
* Issuing Authority = trusted signer of data elements | * Issuing Authority = trusted signer of data elements | ||
+ | * [[Trust Authority]] = TBD source of certs | ||
==Transaction== | ==Transaction== | ||
Line 22: | Line 26: | ||
{| class="wikitable" style="text-align: center;" | {| class="wikitable" style="text-align: center;" | ||
!data | !data | ||
− | + | | mDL | |
− | + | |DIF | |
− | + | |Comments | |
|- | |- | ||
!scope="row" |Encryption | !scope="row" |Encryption | ||
| Encrypting with authentication of the mdoc requests and mdoc responses protects mdoc data from eavesdropping and alteration. | | Encrypting with authentication of the mdoc requests and mdoc responses protects mdoc data from eavesdropping and alteration. | ||
− | | | + | | out-of-scope |
− | + | |it is not clear how mDL protection of alteration is meant to work | |
− | |||
− | | | ||
|- | |- | ||
!scope="row"|session keys | !scope="row"|session keys | ||
| standard ephemeral key ECDH to establish session keys | | standard ephemeral key ECDH to establish session keys | ||
− | | | + | |out-of-scope |
− | | | + | |etc... |
− | | | + | |- |
+ | !scope="row"| Reader <-> Trust authority | ||
+ | | TLS | ||
+ | | out-of-scope | ||
+ | | etc.. | ||
+ | |- | ||
+ | !scope="row" | Reader <-> Holder | ||
+ | | exchange engagement information (see below) | ||
+ | |assurances as to the provenance, identity, or status of a Presentation Definition from digital signatures may be required | ||
+ | |DIF seems to be voluntary with no way for holder to make requirements known. | ||
+ | |- | ||
+ | !scope="row" | channel | ||
+ | | off-line from device or on-line (OIDC or WebAPI) mDL reader receives the token and URL from the mDL accesses data from issuing authority | ||
+ | | on-line only -- channel left open | ||
+ | | It may be that DIF treats device-device flows as on-line | ||
+ | |- | ||
+ | !scope="row" | privacy | ||
+ | | supports selective release -- device always stays in user possession | ||
+ | | not addressed | ||
+ | | etc.. | ||
+ | |} | ||
+ | |||
+ | ===Device Engagement=== | ||
+ | {| class="wikitable" style="text-align: center;" | ||
+ | !scope="row"|data | ||
+ | |mDL | ||
+ | |DIF | ||
+ | !Comments | ||
+ | |- | ||
+ | !scope="row" |Version | ||
+ | | tstr | ||
+ | | unkown | ||
|etc... | |etc... | ||
|- | |- | ||
− | !scope="row"| | + | !scope="row"|Device and protocol information |
− | | | + | |Device, server and protocol information |
− | | | + | |not defined |
− | | | + | |This is key to trusting data from the device |
− | | | + | |- |
− | | | + | !scope="row"|Security |
− | | | + | |cipher suite and key info |
+ | | open | ||
+ | |neither checks identity or security of the device or software | ||
|} | |} | ||
==Request== | ==Request== | ||
{| class="wikitable" style="text-align: center;" | {| class="wikitable" style="text-align: center;" | ||
− | ! | + | !scope="row"|data |
− | + | |mDL | |
− | + | |DIF | |
!Comments | !Comments | ||
|- | |- | ||
!scope="row" |Device request | !scope="row" |Device request | ||
− | + | | The point of this piece is the assurance that the device is trustworthy | |
− | | | + | | Presentation Request |
− | |||
− | |||
|etc... | |etc... | ||
|- | |- | ||
!scope="row"|version | !scope="row"|version | ||
− | + | |tstr | |
− | | | + | | unknown |
− | + | |see below | |
− | |||
− | | | ||
|- | |- | ||
!scope="row"|Security | !scope="row"|Security | ||
− | | | + | |encrypted path |
− | | | + | | current draft is not clear |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
|etc.. | |etc.. | ||
|} | |} | ||
+ | |||
+ | DIF Example | ||
+ | <pre> | ||
+ | { | ||
+ | "id": "drivers_license_information", | ||
+ | "name": "Fred's Bar and Grill", | ||
+ | "purpose": "Proof of age", | ||
+ | "metadata": { | ||
+ | "client_id": "4fb540be-3a7f-0b47-bb37-3821bd766ed4", | ||
+ | "redirect_uri": "https://yourwatchful.gov/verify" | ||
+ | }, | ||
+ | "schema": [ | ||
+ | { | ||
+ | "uri": "https://yourwatchful.gov/drivers-license-schema.json", | ||
+ | "required": true | ||
+ | } | ||
+ | ], | ||
+ | "constraints": { | ||
+ | "fields": [ | ||
+ | { | ||
+ | "path": ["$.expirationDate"], | ||
+ | "filter": { | ||
+ | "type": "string", | ||
+ | "format": "date-time", | ||
+ | "min": "2020-12-31T23:59:59.000Z" | ||
+ | } | ||
+ | } | ||
+ | ] | ||
+ | } | ||
+ | } | ||
+ | </pre> | ||
==Response== | ==Response== | ||
==Reference== | ==Reference== | ||
+ | * This wiki is one example of a [[Verifiable Presentation]] wiki. | ||
* [https://github.com/decentralized-identity/presentation-exchange/issues GitHub issues] of the Presentation Exchange. | * [https://github.com/decentralized-identity/presentation-exchange/issues GitHub issues] of the Presentation Exchange. | ||
Line 90: | Line 147: | ||
[[Category: Authentication]] | [[Category: Authentication]] | ||
[[Category: Assurance]] | [[Category: Assurance]] | ||
+ | [[Category: User Agent]] | ||
[[Category: Use Case]] | [[Category: Use Case]] | ||
+ | [[Category: Mobile]] |
Latest revision as of 11:11, 17 September 2024
Contents
Full Title or Meme
Mobile Driver's License Presentation maps ISO 18013-5 wallet presentation to DIF Presentation Exchange.
Context
- This is a specific use case of both Presentation and the Presentation from a Wallet wiki pages.
- The DIF Presentation Exchange is looking for test cases. This is such a test case (ie a use case with teeth).
- This use case looks at the wallet as the source of Presentation Statements, which is not necessarily the full scope of the DIF WG.
- See wiki page Consent for Mobile Credentials to understand the conditions that must be met for consent to be meaningful.
Actors
- Holder = The entity that submits proofs to a Verifier to satisfy the requirements described in a Presentation Definition (may or may not be the subject)
- mDL holder = individual to whom an mDL is issued = legitimate holder of the driving privileges reflected on an mDL = subject of the mDL
- Device = smartphone or similar with a trusted wallet (in the ISO docs this is conflated with the doc that resides on the device (aka mdoc)
- Verifier = The entity that defines what proofs they require from a Holder (via a Presentation Definition) in order to proceed with an interaction.
- mDL verifier = entity using an mDL reader to verify an mDL
- Issuing Authority = trusted signer of data elements
- Trust Authority = TBD source of certs
Transaction
- The holder and verifier establish a session
- The verifier asks for mDL data
- mDL send data by value or by reference
- The verifier may or may not request other data
- Transport can be by various NFC or QR code.
- Format is CBOR - represented here as json.
Security
data | mDL | DIF | Comments |
---|---|---|---|
Encryption | Encrypting with authentication of the mdoc requests and mdoc responses protects mdoc data from eavesdropping and alteration. | out-of-scope | it is not clear how mDL protection of alteration is meant to work |
session keys | standard ephemeral key ECDH to establish session keys | out-of-scope | etc... |
Reader <-> Trust authority | TLS | out-of-scope | etc.. |
Reader <-> Holder | exchange engagement information (see below) | assurances as to the provenance, identity, or status of a Presentation Definition from digital signatures may be required | DIF seems to be voluntary with no way for holder to make requirements known. |
channel | off-line from device or on-line (OIDC or WebAPI) mDL reader receives the token and URL from the mDL accesses data from issuing authority | on-line only -- channel left open | It may be that DIF treats device-device flows as on-line |
privacy | supports selective release -- device always stays in user possession | not addressed | etc.. |
Device Engagement
data | mDL | DIF | Comments |
---|---|---|---|
Version | tstr | unkown | etc... |
Device and protocol information | Device, server and protocol information | not defined | This is key to trusting data from the device |
Security | cipher suite and key info | open | neither checks identity or security of the device or software |
Request
data | mDL | DIF | Comments |
---|---|---|---|
Device request | The point of this piece is the assurance that the device is trustworthy | Presentation Request | etc... |
version | tstr | unknown | see below |
Security | encrypted path | current draft is not clear | etc.. |
DIF Example
{ "id": "drivers_license_information", "name": "Fred's Bar and Grill", "purpose": "Proof of age", "metadata": { "client_id": "4fb540be-3a7f-0b47-bb37-3821bd766ed4", "redirect_uri": "https://yourwatchful.gov/verify" }, "schema": [ { "uri": "https://yourwatchful.gov/drivers-license-schema.json", "required": true } ], "constraints": { "fields": [ { "path": ["$.expirationDate"], "filter": { "type": "string", "format": "date-time", "min": "2020-12-31T23:59:59.000Z" } } ] } }
Response
Reference
- This wiki is one example of a Verifiable Presentation wiki.
- GitHub issues of the Presentation Exchange.