Difference between revisions of "Mobile Driver's License"

Revision as of 15:41, 4 November 2021

Full Title

User in control of a Mobile Driver's License and other apps that require high assurance control of credentials.

Context

• iPhone and Android solutions also have NFC, QR, Bluetooth, Wifi Aware and Barcode readers technology thoroughly functional
• The wiki page Smartphone Wireless contains information about the various radio bands used by mDL.

Providers

A real mix of enterprises that might be involved in the process:

1. Registered application provider = The AID of the mdoc consists of the registered application provider identifier (RID) ('A0 00 00 02 48') followed by the proprietary application identifier extension (PIX) (’04 00’). There is a very short non-normative descritpn of application testing in E.14.2. It is not helpful.
2. OpenID Provider (OP) 8.3.3.2.2 configuration information comes from the issuing authority OP in a discover process.
3. Master list Provider. The decentralized PKI trust model adopted by the mDL requires a mechanism to distribute and disseminate the set of certification authorities certificates from issuing authorities.
4. Technology provider - provide systems and Apps for issuing authorities to issue mDLs. They appear to be entirely controlled by issuing authority, but also work the mDL verifiers to ensure privancy,

Comparison with VC & DID

• From UL https://difdn.slack.com/files/U01M7L5AJQ0/F02FETU43DZ/cs676613_-_digital_credentials_promotion_campaign-white_paper-digital.pdf?origin_team=T4VKPCU00&origin_channel=C4WED8JSH

Problems

State issued driver's licenses in North America have morphed into the default identity credential for residents whether by design or by circumstance. While it might seem to be helpful to try to break the problem down into the original purpose first, that is no longer an option. Even states that seek to create mobile versions of their own driver's licenses need to address the other purposes that existing legislation requires, such as control of alcohol and prescription medicines among many other existing purposes. So this section takes the practical view about what must be supported on day one of the availability of mobile state issued identification documents, aka driver's licenses.

Privacy

1. States are sovereign, which means that they are not liable for any action where they have not accepted liability. Current practice indicates that mobile driver's licenses will only be available on smart phone apps that are supplied by the state and typically written under contract by in-state vendors. Any impact on these apps can only be enforced if the state's choose to do so. Still the states are wont to accept standards written to address these apps and so it would be good to see such standards approved for use.
2. Organizations that accept user private information (aka PII) from the apps may be under state or federal regulations which require meaningful user consent for release. Standards should be written to define what "meaningful user consent" really means.
3. The biometric information and signature of the holder is optionally included in the mDL. This is information that should never be released from the person that holds it as is stated in an non-normative appendix. It is meant to be used for activation (C.1.6.4), but that is not described and E.12 says that "the mDL reader may implement biometric comparison of the person presenting the mDL to the portrait." The exact meaning of that last sentence is unclear.

References.

• ACLU urges hard questions on mDLs to protect digital ID privacy (2021-05-19)
• Privacy-preserving features in the Mobile Driving License 2020-10-28 David Zeuthen + 2 (Android Security and Privacy team)

Authenticity

1. Apps can be created that mimic Mobile Driver's Licenses that either fool the user, or are intended to allow the user to fool the acceptor of the data. Where legal obligation exist to check the authenticity of user provided data, it is likely that apps will need to prove their authenticity to the reader. Specifications for proving authenticity should be written. Kantara currently has an implementer's draft of such an assurance statement.
2. States are likely to require that smartphone apps meet certain criteria and a wont to accept existing specifications rather than write their own.
3. Readers of Mobile Driver's Licenses were imagined in the ISO 18013-5 standard to be certified. Specifications for the certifications of reader that meet privacy and identity requirements are needed.
4. In an ideal world the Mobile Driver's License would not even respond to requests for data from readers that were not certified.

Solutions

Android

• Android JetPack support for Identity Credential Security with example code.
• Privacy Preserving Features in mDL (2020-10-28) from the Android Security and Privacy team.
• Android Identity Credential Investigating provisioning compatible with 23220-3 David Zeuthen 2021-05-05

Apple iOS

• iOS NFC for Mobile ID and Mobile Driver License transactions fully supported by Scytáles AB
• Apple announced availability of mDL in late 2021 on 2021-06-07.
• Also see announcement on 2021-09-01 in the section on state wallets below.

Testing

• Interoperability of a Mobile Driver License (mDL) application UL conformance tests

Connection Protocols

The language for defining the mDL is RFC 8610 CDDL. Occurrence is the one oddity. It is (1) one of the characters "?" (optional), "*" (zero or more), or "+" (one or more) or (2) of the form n*m for min and max. Also "tstr" = text string and "bstr" = byte string, and tdate is something like 1985-04-12T23:20:50.52Z.

• Mobile Driver's License with Reader
• Mobile Driver's License with OIDC
• Mobile Driver's License with WebAPI

Security

• Dangerous Conditions Ahead: Navigating Security Issues in Mobile Identity from UL
• C.1.6.5 purports to explain computer security controls without any regard for Zero trust principles. Somehow the network is considered secure if the router is in a locked closet, but the wifi or BLE will be visible to everyone.

US Federal Regulations

• Minimum Standards for Driver's Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes; Mobile Driver's Licenses Federal Register 2021-04-19
• Notification of Document Availability and Reopening of Comment Period on Request for Information: Minimum Standards for Driver's Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes; Mobile Driver's Licenses A Proposed Rule by the Homeland Security Department on 09/16/2021 that includes access to ISO 18013-5 via ANSI.

State Wallets

• Florida will also use Apple Wallet 2021-10-14 with a current list of all states supporting apple wallet.
• Apple announces first states signed up to adopt driver’s licenses and state IDs in Apple Wallet 2021-09-01 Arizona, Connecticut, Georgia, Iowa, Kentucky, Maryland, Oklahoma, and Utah are among the first states to bring state IDs and driver’s licenses in Wallet to their residents
• A Delaware mobile ID is now a reality 2021-03-10 The app requires users to capture and upload their physical ID as well as a live selfie to compare against the individual’s file with the Delaware DMV. According to state officials, security features, including strong encryption standards, help fight identity theft. "You don't need passwords or usernames because it's based on your biometrics," said DMV spokesperson Marinah Carver. "You can not use your mobile ID without inputting either your face or your fingerprint. "We're not sharing that data with anyone else, and it can't be accessed through a third party." In addition to safety, Carver said a contactless ID as part of a digital wallet is also a healthier option in a post-COVID world. The program is voluntary and optional and by law. A person is still required to carry their physical credential as applicable for age and identity verification. "You can try it for a bit," said Carver. "If it's not for you, you can opt back out. It's certainly not a replacement at this time to your physical credential." Carver said the mobile ID has not yet been accepted in a law enforcement setting. The DVM offers apps on Apple and Android stores. It allows both a straight scan of the back of the card, or a privacy preserving one of the bar code only from the physical care or a QR code. At the user's discretion.
• Iowa Mobile ID mID is reported by IDEMIA to be the first with UL certification 2021-03-11.
• Award-winning myColorado™ App Offers Residents a Contactless Digital ID Colorado is the first state in the nation to offer residents the option to electronically transmit digital identification, vehicle registration and proof of insurance to law enforcement. They require the state trooper to show you a QR code first. Interestingly the feature has been extended to allow the phone's camera to scan the QR code, which indicates that the URL just sends the data from the DMV to the trooper's computer. After that the user has the option to give the cop what she wants, or dig out the paper version of all 3 documents. The business use of the mDL is a simple display of the back of the physical DL on the screen of the phone so the merchants can scan the 2d barcode in the same way as with the physical DL. It appears that Colorado was involved in app development at some level. Users add their identification in the myColorado app by taking a selfie with the in-app camera as well as a photo of their physical driver’s license or state ID. Several authentication points, including the selfie, the physical card’s bar code and the resident’s phone number are then verified against Division of Motor Vehicles records. The state government is using an identity verification and management platform from Ping Identity Holding Corp., which is based in Denver. The development of Colorado’s digital-ID application started in early 2019 and has cost about $800,000. Much of the effort has involved interacting with state agencies and merchants on features and adoption. Theresa Szczurek has been Colorado’s chief information officer since January 2020. “We discovered that proof of identification without carrying the wallet was really the killer app,” said Ms. Szczurek, who was chief executive of Radish Systems LLC for nine years before becoming state CIO in January. Radish, based in Boulder, Colo., sells software that integrates visuals into phone calls.
• Identity Services for myColorado™ Mobile App Powered by Ping Identity report from PING dated 2019-11-12.
• Louisiana adds vaccine status to digital driver’s License App 2021-05-07
• NBC News reports that Calvin Fabre, president of Envoc, a software firm in Baton Rouge, Louisiana, that helped develop a mobile app to display digital driver's licenses in Louisiana, said most drivers under 40 won't go back home if they forget their plastic license — "but if they forget their phone, they always turn around." It looks like Envoc programs in .NET and Xamarin.
• [https://www.govtech.com/news/Digital-Drivers-License-Pilot-Comes-to-Wyoming.html Wyoming is piloting a digital driver's license} base on Gemalto technology. (2017-10-05) for only 100 people. The app isn’t connected to the Internet, so there’s virtually no risk of someone tracking a user’s whereabouts or personal information based on when they open the license, said Steve Purdy, Gemalto’s vice president of state government programs. In order to enter the app, people have to enter a five-digit password or use fingerprint identification. “All it does is show your photo and whether or not you’re 21,” Purdy said. Gemalto provides the existing card license to WY.
• Ontario program with potential to eliminate our need to carry around physical health cards, driver's licenses and other forms of provincially-issued ID. blogTO (2020-11)

Note that some of these organizations are just associations of large Enterprises.

References

• IDESG / Kantara wiki on mDL
• Mobile Driver's License Presentation maps ISO 18013-5 wallet presentation to DIF Presentation Exchange.
• Get Group works with Scytáles AB (see link above under apple).
• GET Group Mobile Driver's License
• The Mobile Driver’s License (mDL) and Ecosystem Secure Technology Alliance 2020-03