Difference between revisions of "Mobile Driver's License Presentation"

From MgmtWiki
Jump to: navigation, search
(Security)
(Context)
 
(37 intermediate revisions by the same user not shown)
Line 3: Line 3:
  
 
==Context==
 
==Context==
 +
* This is a specific use case of both [[Presentation]] and the [[Presentation from a Wallet]] wiki pages.
 
* The  [https://identity.foundation/presentation-exchange/spec/v1.0.0/ DIF Presentation Exchange] is looking for test cases. This is such a test case (ie a use case with teeth).
 
* The  [https://identity.foundation/presentation-exchange/spec/v1.0.0/ DIF Presentation Exchange] is looking for test cases. This is such a test case (ie a use case with teeth).
 
* This use case looks at the wallet as the source of Presentation Statements, which is not necessarily the full scope of the DIF WG.
 
* This use case looks at the wallet as the source of Presentation Statements, which is not necessarily the full scope of the DIF WG.
 +
* See wiki page [[Consent for Mobile Credentials]] to understand the conditions that must be met for consent to be meaningful.
 
===Actors===
 
===Actors===
 
* Holder = The entity that submits proofs to a Verifier to satisfy the requirements described in a Presentation Definition (may or may not be the subject)
 
* Holder = The entity that submits proofs to a Verifier to satisfy the requirements described in a Presentation Definition (may or may not be the subject)
Line 12: Line 14:
 
* mDL verifier = entity using an mDL reader to verify an mDL
 
* mDL verifier = entity using an mDL reader to verify an mDL
 
* Issuing Authority = trusted signer of data elements
 
* Issuing Authority = trusted signer of data elements
* Trust Authority = TBD source of certs
+
* [[Trust Authority]] = TBD source of certs
  
 
==Transaction==
 
==Transaction==
Line 30: Line 32:
 
!scope="row" |Encryption
 
!scope="row" |Encryption
 
| Encrypting with authentication of the mdoc requests and mdoc responses protects mdoc data from eavesdropping and alteration.
 
| Encrypting with authentication of the mdoc requests and mdoc responses protects mdoc data from eavesdropping and alteration.
| 1 byte (CBOR data item header)
+
| out-of-scope
|etc...
+
|it is not clear how mDL protection of alteration is meant to work
 
|-
 
|-
 
!scope="row"|session keys
 
!scope="row"|session keys
 
| standard ephemeral key ECDH to establish session keys
 
| standard ephemeral key ECDH to establish session keys
|Additional information
+
|out-of-scope
|Payload length (optional)
+
|etc...
|Data payload (optional)
+
|-
 +
!scope="row"| Reader <-> Trust authority
 +
| TLS
 +
| out-of-scope
 +
| etc..
 +
|-
 +
!scope="row" | Reader <-> Holder
 +
| exchange engagement information (see below)
 +
|assurances as to the provenance, identity, or status of a Presentation Definition from digital signatures may be required
 +
|DIF seems to be voluntary with no way for holder to make requirements known.
 +
|-
 +
!scope="row" | channel
 +
| off-line from device or on-line (OIDC or WebAPI) mDL reader receives the token and URL from the mDL accesses data from issuing authority
 +
| on-line only -- channel left open
 +
| It may be that DIF treats device-device flows as on-line
 +
|-
 +
!scope="row" | privacy
 +
| supports selective release -- device always stays in user possession
 +
| not addressed
 +
| etc..
 +
|}
 +
 
 +
===Device Engagement===
 +
{| class="wikitable" style="text-align: center;"
 +
!scope="row"|data
 +
|mDL
 +
|DIF
 +
!Comments
 +
|-
 +
!scope="row" |Version
 +
| tstr
 +
| unkown
 
|etc...
 
|etc...
 
|-
 
|-
| Reader <-> Trust authority | TLS | 3 Bits | etc..
+
!scope="row"|Device and protocol information
 +
|Device, server and protocol information
 +
|not defined
 +
|This is key to trusting data from the device
 
|-
 
|-
!scope="row" | Reader <-> Holder|n/a|assurances as to the provenance, identity, or status of a Presentation Definition from digital signatures may be required|etc..
+
!scope="row"|Security
 +
|cipher suite and key info
 +
| open
 +
|neither checks identity or security of the device or software
 
|}
 
|}
  
 
==Request==
 
==Request==
 
{| class="wikitable" style="text-align: center;"
 
{| class="wikitable" style="text-align: center;"
!data|mDL|DIF!Comments
+
!scope="row"|data
 +
|mDL
 +
|DIF
 +
!Comments
 
|-
 
|-
 
!scope="row" |Device request
 
!scope="row" |Device request
Line 54: Line 96:
 
|etc...
 
|etc...
 
|-
 
|-
!scope="row"|version|tstr
+
!scope="row"|version
|Additional information
+
|tstr
|Payload length (optional)
+
| unknown
|Data payload (optional)
+
|see below
|etc...
 
 
|-
 
|-
 
!scope="row"|Security
 
!scope="row"|Security
|3 Bits
+
|encrypted path
|5 Bits
+
| current draft is not clear
 
 
 
|etc..
 
|etc..
 
|}
 
|}
 +
 +
DIF Example
 +
<pre>
 +
{
 +
  "id": "drivers_license_information",
 +
  "name": "Fred's Bar and Grill",
 +
  "purpose": "Proof of age",
 +
  "metadata": {
 +
    "client_id": "4fb540be-3a7f-0b47-bb37-3821bd766ed4",
 +
    "redirect_uri": "https://yourwatchful.gov/verify"
 +
  },
 +
  "schema": [
 +
    {
 +
      "uri": "https://yourwatchful.gov/drivers-license-schema.json",
 +
      "required": true
 +
    }
 +
  ],
 +
  "constraints": {
 +
    "fields": [
 +
      {
 +
        "path": ["$.expirationDate"],
 +
        "filter": {
 +
          "type": "string",
 +
          "format": "date-time",
 +
          "min": "2020-12-31T23:59:59.000Z"
 +
        }
 +
      }
 +
    ]
 +
  }
 +
}
 +
</pre>
  
 
==Response==
 
==Response==
  
 
==Reference==
 
==Reference==
 +
* This wiki is one example of a [[Verifiable Presentation]] wiki.
 
* [https://github.com/decentralized-identity/presentation-exchange/issues GitHub issues] of the Presentation Exchange.
 
* [https://github.com/decentralized-identity/presentation-exchange/issues GitHub issues] of the Presentation Exchange.
  
Line 75: Line 147:
 
[[Category: Authentication]]
 
[[Category: Authentication]]
 
[[Category: Assurance]]
 
[[Category: Assurance]]
 +
[[Category: User Agent]]
 
[[Category: Use Case]]
 
[[Category: Use Case]]
 +
[[Category: Mobile]]

Latest revision as of 11:11, 17 September 2024

Full Title or Meme

Mobile Driver's License Presentation maps ISO 18013-5 wallet presentation to DIF Presentation Exchange.

Context

Actors

  • Holder = The entity that submits proofs to a Verifier to satisfy the requirements described in a Presentation Definition (may or may not be the subject)
  • mDL holder = individual to whom an mDL is issued = legitimate holder of the driving privileges reflected on an mDL = subject of the mDL
  • Device = smartphone or similar with a trusted wallet (in the ISO docs this is conflated with the doc that resides on the device (aka mdoc)
  • Verifier = The entity that defines what proofs they require from a Holder (via a Presentation Definition) in order to proceed with an interaction.
  • mDL verifier = entity using an mDL reader to verify an mDL
  • Issuing Authority = trusted signer of data elements
  • Trust Authority = TBD source of certs

Transaction

  1. The holder and verifier establish a session
  2. The verifier asks for mDL data
  3. mDL send data by value or by reference
  4. The verifier may or may not request other data
  • Transport can be by various NFC or QR code.
  • Format is CBOR - represented here as json.

Security

data mDL DIF Comments
Encryption Encrypting with authentication of the mdoc requests and mdoc responses protects mdoc data from eavesdropping and alteration. out-of-scope it is not clear how mDL protection of alteration is meant to work
session keys standard ephemeral key ECDH to establish session keys out-of-scope etc...
Reader <-> Trust authority TLS out-of-scope etc..
Reader <-> Holder exchange engagement information (see below) assurances as to the provenance, identity, or status of a Presentation Definition from digital signatures may be required DIF seems to be voluntary with no way for holder to make requirements known.
channel off-line from device or on-line (OIDC or WebAPI) mDL reader receives the token and URL from the mDL accesses data from issuing authority on-line only -- channel left open It may be that DIF treats device-device flows as on-line
privacy supports selective release -- device always stays in user possession not addressed etc..

Device Engagement

data mDL DIF Comments
Version tstr unkown etc...
Device and protocol information Device, server and protocol information not defined This is key to trusting data from the device
Security cipher suite and key info open neither checks identity or security of the device or software

Request

data mDL DIF Comments
Device request The point of this piece is the assurance that the device is trustworthy Presentation Request etc...
version tstr unknown see below
Security encrypted path current draft is not clear etc..

DIF Example

{
  "id": "drivers_license_information",
  "name": "Fred's Bar and Grill",
  "purpose": "Proof of age",
  "metadata": {
    "client_id": "4fb540be-3a7f-0b47-bb37-3821bd766ed4",
    "redirect_uri": "https://yourwatchful.gov/verify"
  },
  "schema": [
    {
      "uri": "https://yourwatchful.gov/drivers-license-schema.json",
      "required": true
    }
  ],
  "constraints": {
    "fields": [
      {
        "path": ["$.expirationDate"],
        "filter": {
          "type": "string",
          "format": "date-time",
          "min": "2020-12-31T23:59:59.000Z"
        }
      }
    ]
  }
}

Response

Reference