Identifier Standards
Revision as of 18:25, 3 May 2022
==Full Title or Meme==
This page is about the relationship between standards that are used for creating Identifier Documents.
==Context==
* Some of this material was taken from a posting by Kristina:
(because many have been asking and I think it will be useful) Sending out a summary of the relationship/status between the ISO mDL/eID (mobile Driving Licence/electronic ID) standards and the OpenID Connect Core and SIOPv2/OIDC4VP/OpenID4CI specification family, which has been long overdue.
First, to set the context:
* The ISO/IEC 18013 series focuses on mobile Driving Licence only. -5 and -7 are the numbers of separate specifications within the same series, not version numbers. The 18013 series is what enabled the international driving licence ecosystem in the first place (if you ever had a paper international driving licence, that’s 18013!).
** 18013-5 focuses on “attended” mDL presentation, meaning the End-User presents the mDL to the RP (mDL reader in ISO terms) in person, but using a digital representation of a driving licence. It is a published international standard available for purchase here: https://www.iso.org/standard/69084.html
** 18013-7 focuses on “unattended” mDL presentation, where the End-User can present the mDL to the RP “over the Internet”, aka HTTP/WebSocket, etc. It is WIP, not published yet, and not on the international standard track but on a technical specification track, which allows the timeframe to be a little faster: https://www.iso.org/standard/82772.html. The first Working Draft is WIP.
** Issuance is out of scope for both.
* The ISO/IEC 23220 series focuses on mobile eID Documents, which are more general than just Driving Licences. The series is generally referred to as “building blocks” that implementors can choose from, in comparison to 18013-5, which has mandatory-to-implement features that ensure that compliant implementations are interoperable by default. 23220-1 is on the international standards track and about to be published, while the others in the series are on the technical standards track and still in the Working Draft stage.
Now to the relationship between ISO and OIDC specifications:
* ISO/IEC 18013-5 lists OpenID Connect Core as a normative reference. The End-User can present an mDL over BLE/NFC directly to the RP, or can also give the RP a token over BLE/NFC that the RP can exchange with an authorization code to obtain an mDL from the Issuing Authority using the OpenID Connect authorization code flow. Privacy groups have criticized the use of OpenID Connect Core in 18013-5 as not privacy preserving, because it is an “issuer call home” compared to a direct interaction between an End-User and the RP without the RP talking directly to the Issuer.

Now to each specification in the 23220 series:
* 23220-1 defines generic system architectures of mobile eID-Systems, i.e. enumerating the interfaces between the various entities involved in issuance/presentation. No reference to OIDC.
* 23220-2 defines a data model of mobile eID-Systems. It includes a CDDL data model using the Mobile Security Object (MSO) from 18013-5, but also includes a JSON encoding of the MSO and examples of mapping the MSO to W3C Verifiable Credentials and Verifiable Presentations.
* 23220-3 defines an issuance/provisioning flow of mobile eID-Systems. There are ongoing discussions of potentially including the OpenID for Credential Issuance specification here.
* 23220-4 defines a presentation flow of mobile eID-Systems. It includes device engagement (NFC/BLE) and server engagement (OIDC) from 18013-5, but also includes SIOP/OIDC4VP as a way to transport credentials over the Internet (HTTP).

ISO/IEC 18013-7 will largely rely on 23220-4, and the goal would be to include SIOP/OIDC4VP as one of the options for mDL over the Internet, but the conversations are just starting.