Identifier Standards

From MgmtWiki
Jump to: navigation, search

Full Title or Meme

This page is about the relationship among standards that are used for creating Identifier Documents.

Context

  • Some of this material was taken from a posting by Kristina Yasuda.
    Because many have been asking and I think it will be useful) Sending out a summary of a relationship/status between ISO mDL/eID (Mobile Driver's License/electronic ID) standards and OpenID Connect Core and SIOPv2/OIDC4VP/OpenID4CI specifications family.
  • ISO/IEC 18013 series focus on mobile Driving Licence only. -5, -7 are numbers of separate specifications within the same series, not the version numbers. 18013 series is what enabled international driving license ecosystem in the first place (if you ever had a paper international driving license, that’s 18013!).
  • ISO/IEC 23220 series focus on mobile eID Documents, which are more general than just Driving Licenses. The series is generally referred to as “building blocks” that implementor can choose from, in comparison to 18013-5 that has mandatory to implement features that ensures that compliant implementations are interoperable by default. 23220-1 is in international standards track about to be published, while others in the series are in technical standards track still in the Working Draft stage.

Relationships among the Specifications

  • ISO/IEC 18013-5 lists OpenID Connect Core as a normative reference. End-User can present an mDL over BLE/NFC, directly to the RP, or it can also give RP a token over BLE/NFC that RP can exchange with an authorization code to obtain an mDL from the Issuing Authority using OpenID Connect authorization code flow.
    • Privacy groups have criticized the use of OpenID Connect Core in 18013-5 as being not privacy preserving because it is an “issuer call home” compared to a direct interaction between an End-User and the RP without RP talking directly to the Issuer. See that wiki page for some of the problems that could create.
    • Many of the US states and Canadian provencies are calling the 18013-5 documents mobile IDs and including a variety of licenses on the "mID".
    • The US TSA was accepting AZ mDL documents at Sky Harbor airport for Identity in early 2022. Here is a report on TSA progress as of 2022-10-03.
  • Now to each specification in 23220 series
    • 23220-1 defines generic system architectures of mobile eID-Systems i.e., enumerating interfaces between various entities involved in issuance/presentation. No reference to OIDC.
    • 23220-2 defines a data model of mobile eID-Systems. It includes CDDL data model using Mobile Security Object (MSO) from 18013-5, but also includes JSON-encoding of MSO and examples of mapping MSO to W3C Verifiable Credentials and Verifiable Presentations.
    • 23220-3 defines an issuance/provisioning flow of mobile eID-Systems. There are ongoing discussions of potentially including OpenID for Credential Issuance specification here
    • 23220-4 defines a presentation flow of mobile eID-Systems. It includes device engagement (NFC/BLE) and server engagement (OIDC) from 18013-5 but also includes SIOP/OIDC4VP as a way to transport credentials over the Internet (HTTP).
  • ISO/IEC 18013-7 will largely rely on 23220-4. And the goal would be to include SIOP/OIDC4VP as one of the options for mDL over the Internet, but the conversations are just starting.

References