Identifier Standards
From MgmtWiki
Full Title or Meme
This page is about the relationship among standards that are used for creating Identifier Documents.
Context
- Some of this material was taken from a posting by Kristina Yasuda.
(Because many have been asking and I think it will be useful.) Sending out a summary of the relationship/status between the ISO mDL/eID (Mobile Driver's License/electronic ID) standards and the OpenID Connect Core and SIOPv2/OIDC4VP/OpenID4CI specification family.
- The ISO/IEC 18013 series focuses on mobile Driving Licences only. -5 and -7 are the numbers of separate specifications within the same series, not version numbers. The 18013 series is what enabled the international driving license ecosystem in the first place (if you ever had a paper international driving license, that’s 18013!).
- 18013-5 focuses on “attended” mDL presentation, meaning the End-User presents the mDL to the RP (mDL reader in ISO terms) in person, but using a digital representation of a driving license. It is a published international standard available for purchase here: https://www.iso.org/standard/69084.html
- It is illegal to charge for standards that are used in federal regulations. As a result, the following finding was published which gives access to the document to residents of the US for no charge. https://www.federalregister.gov/documents/2021/09/16/2021-19812/notification-of-document-availability-and-reopening-of-comment-period-on-request-for-information
- 18013-7 focuses on “unattended” mDL presentation, where the End-User can present the mDL to the RP “over the Internet”, i.e. HTTP/WebSocket, etc. It is WIP, not published yet, and not on the international standard track but on a technical specification track, which allows the timeframe to be a little faster: https://www.iso.org/standard/82772.html. The first Working Draft is WIP.
- Issuance is out of scope for both except with respect to the Trust Registry (lately called a VICAL) which is defined in great detail.
- The ISO/IEC 23220 series focuses on mobile eID Documents, which are more general than just Driving Licenses. The series is generally referred to as “building blocks” that implementors can choose from, in comparison to 18013-5, which has mandatory-to-implement features that ensure that compliant implementations are interoperable by default. 23220-1 is on the international standards track and about to be published, while the others in the series are on the technical standards track and still in the Working Draft stage.
Relationships among the Specifications
- ISO/IEC 18013-5 lists OpenID Connect Core as a normative reference. The End-User can present an mDL over BLE/NFC directly to the RP, or can instead give the RP a token over BLE/NFC that the RP can exchange with an authorization code to obtain the mDL from the Issuing Authority using the OpenID Connect authorization code flow.
- Privacy groups have criticized the use of OpenID Connect Core in 18013-5 as not being privacy preserving, because it is an “issuer call home” compared to a direct interaction between the End-User and the RP without the RP talking directly to the Issuer. See that wiki page for some of the problems that could create.
- Many of the US states and Canadian provinces are calling the 18013-5 documents mobile IDs and including a variety of licenses on the "mID".
- The US TSA was accepting AZ mDL documents at Sky Harbor airport for Identity in early 2022. Here is a report on TSA progress as of 2022-10-03.
- Now to each specification in the 23220 series:
- 23220-1 defines generic system architectures of mobile eID-Systems, i.e., enumerating the interfaces between the various entities involved in issuance/presentation. No reference to OIDC.
- 23220-2 defines a data model of mobile eID-Systems. It includes a CDDL data model using the Mobile Security Object (MSO) from 18013-5, but also includes a JSON encoding of the MSO and examples of mapping the MSO to W3C Verifiable Credentials and Verifiable Presentations.
- 23220-3 defines an issuance/provisioning flow of mobile eID-Systems. There are ongoing discussions of potentially including the OpenID for Credential Issuance specification here.
- 23220-4 defines a presentation flow of mobile eID-Systems. It includes device engagement (NFC/BLE) and server engagement (OIDC) from 18013-5, but also includes SIOP/OIDC4VP as a way to transport credentials over the Internet (HTTP).
- ISO/IEC 18013-7 will largely rely on 23220-4, and the goal would be to include SIOP/OIDC4VP as one of the options for mDL over the Internet, but the conversations are just starting.