Difference between revisions of "Mobile Driver's License"

From MgmtWiki
Jump to: navigation, search
(References)
(State Wallets)
Line 77: Line 77:
 
|-
 
|-
 
|-
 
|-
|ALABAMA AL
+
|ALABAMA|| AL
 
|-
 
|-
 
|ALASKA AK
 
|ALASKA AK
Line 139: Line 139:
 
|MONTANA MT
 
|MONTANA MT
 
|-
 
|-
|NEBRASKA NE
+
|-
NEVADA NV
+
||NEBRASKA NE
NEW HAMPSHIRE NH
+
|-
NEW JERSEY NJ
+
|NEVADA NV
NEW MEXICO NM
+
|-
NEW YORK NY
+
|NEW HAMPSHIRE NH
NORTH CAROLINA NC
+
|-
NORTH DAKOTA ND
+
|NEW JERSEY NJ
NORTHERN MARIANA ISLANDS MP
+
|-
OHIO OH
+
|NEW MEXICO NM
OKLAHOMA OK
+
|-
OREGON OR
+
|NEW YORK NY
PALAU PW
+
|-
PENNSYLVANIA PA
+
|NORTH CAROLINA NC
PUERTO RICO PR
+
|-
RHODE ISLAND RI
+
|NORTH DAKOTA ND
SOUTH CAROLINA SC
+
|-
SOUTH DAKOTA SD
+
|NORTHERN MARIANA ISLANDS MP
TENNESSEE TN
+
|-
TEXAS TX
+
|OHIO OH
UTAH UT
+
|-
VERMONT VT
+
|OKLAHOMA OK
VIRGIN ISLANDS VI
+
|-
VIRGINIA VA
+
|OREGON OR
WASHINGTON WA
+
|-
WEST VIRGINIA WV
+
|PALAU PW
WISCONSIN WI
+
|-
WYOMING WY
+
|PENNSYLVANIA PA
Province/Territory Abbreviation
+
|-
BRITISH COLUMBIA BC
+
|PUERTO RICO PR
ALBERTA AB
+
|-
SASKATCHEWAN SK
+
|RHODE ISLAND RI
MANITOBA MB
+
|-
ONTARIO ON
+
|SOUTH CAROLINA SC
QUEBEC QC
+
|-
NEW BRUNSWICK NB
+
|SOUTH DAKOTA SD
NOVA SCOTIA NS
+
|-
PRINCE EDWARD ISLAND PE
+
|TENNESSEE TN
NEWFOUNDLAND NF
+
|-
NORTHWEST TERRITORIES NT
+
|TEXAS TX
YUKON YT
+
|-
 
+
|UTAH UT
 +
|-
 +
|VERMONT VT
 +
|-
 +
|VIRGIN ISLANDS VI
 +
|-
 +
|VIRGINIA VA
 +
|-
 +
|WASHINGTON WA
 +
|-
 +
|WEST VIRGINIA WV
 +
|-
 +
|WISCONSIN WI
 +
|-
 +
|WYOMING WY
 +
|-
 +
|Province/Territory Abbreviation
 +
|-
 +
|BRITISH COLUMBIA BC
 +
|-
 +
|ALBERTA AB
 +
|-
 +
|SASKATCHEWAN SK
 +
|-
 +
|MANITOBA MB
 +
|-
 +
|ONTARIO ON
 +
|-
 +
|QUEBEC QC
 +
|-
 +
|NEW BRUNSWICK NB
 +
|-
 +
|NOVA SCOTIA NS
 +
|-
 +
|PRINCE EDWARD ISLAND PE
 +
|-
 +
|NEWFOUNDLAND NF
 +
|-
 +
|NORTHWEST TERRITORIES NT
 +
|-
 +
|YUKON YT
 
|[https://www.aamva.org/ AAMVA] ||Attribute ||driver's license || just verifies information at state Identity providers
 
|[https://www.aamva.org/ AAMVA] ||Attribute ||driver's license || just verifies information at state Identity providers
 
|-
 
|-
Line 188: Line 228:
 
|-
 
|-
 
|CHTS||Health||IT personnel||AHIMA - American Health Information Management Ass.
 
|CHTS||Health||IT personnel||AHIMA - American Health Information Management Ass.
ALABAMA AL
+
 
ALASKA AK
 
AMERICAN SAMOA AS
 
ARIZONA AZ
 
ARKANSAS AR
 
CALIFORNIA CA
 
COLORADO CO
 
CONNECTICUT CT
 
DELAWARE DE
 
DISTRICT OF COLUMBIA DC
 
FEDERATED STATES OF MICRONESIA FM
 
FLORIDA FL
 
GEORGIA GA
 
GUAM GU
 
HAWAII HI
 
IDAHO ID
 
ILLINOIS IL
 
INDIANA IN
 
IOWA IA
 
KANSAS KS
 
KENTUCKY KY
 
LOUISIANA LA
 
MAINE ME
 
MARSHALL ISLANDS MH
 
MARYLAND MD
 
MASSACHUSETTS MA
 
MICHIGAN MI
 
MINNESOTA MN
 
MISSISSIPPI MS
 
MISSOURI MO
 
MONTANA MT
 
NEBRASKA NE
 
NEVADA NV
 
NEW HAMPSHIRE NH
 
NEW JERSEY NJ
 
NEW MEXICO NM
 
NEW YORK NY
 
NORTH CAROLINA NC
 
NORTH DAKOTA ND
 
NORTHERN MARIANA ISLANDS MP
 
OHIO OH
 
OKLAHOMA OK
 
OREGON OR
 
PALAU PW
 
PENNSYLVANIA PA
 
PUERTO RICO PR
 
RHODE ISLAND RI
 
SOUTH CAROLINA SC
 
SOUTH DAKOTA SD
 
TENNESSEE TN
 
TEXAS TX
 
UTAH UT
 
VERMONT VT
 
VIRGIN ISLANDS VI
 
VIRGINIA VA
 
WASHINGTON WA
 
WEST VIRGINIA WV
 
WISCONSIN WI
 
WYOMING WY
 
Province/Territory Abbreviation
 
BRITISH COLUMBIA BC
 
ALBERTA AB
 
SASKATCHEWAN SK
 
MANITOBA MB
 
ONTARIO ON
 
QUEBEC QC
 
NEW BRUNSWICK NB
 
NOVA SCOTIA NS
 
PRINCE EDWARD ISLAND PE
 
NEWFOUNDLAND NF
 
NORTHWEST TERRITORIES NT
 
YUKON YT
 
 
[https://medicalinteroperability.org/ Center for Medical Interoperability]||Health|| Information||plug-and-play interoperability in healthcare, meaning the technologies clinicians use to take care of people can seamlessly exchange information
 
[https://medicalinteroperability.org/ Center for Medical Interoperability]||Health|| Information||plug-and-play interoperability in healthcare, meaning the technologies clinicians use to take care of people can seamlessly exchange information
 
|-
 
|-
Line 290: Line 259:
 
|W3C Credential Community Group ||Decentralized||eg Public Ledger || [https://w3c-ccg.github.io/did-spec/ DID], [https://www.w3.org/TR/verifiable-claims-data-model/ verifiable claims] sponsored by blockchain providers
 
|W3C Credential Community Group ||Decentralized||eg Public Ledger || [https://w3c-ccg.github.io/did-spec/ DID], [https://www.w3.org/TR/verifiable-claims-data-model/ verifiable claims] sponsored by blockchain providers
 
|}
 
|}
 
  
 
==References==
 
==References==

Revision as of 14:41, 4 November 2021

Full Title

User in control of a Mobile Driver's License and other apps that require high assurance control of credentials.

Context

Providers

A real mix of enterprises that might be involved in the process:

  1. Registered application provider = The AID of the mdoc consists of the registered application provider identifier (RID) ('A0 00 00 02 48') followed by the proprietary application identifier extension (PIX) (’04 00’). There is a very short non-normative descritpn of application testing in E.14.2. It is not helpful.
  2. OpenID Provider (OP) 8.3.3.2.2 configuration information comes from the issuing authority OP in a discover process.
  3. Master list Provider. The decentralized PKI trust model adopted by the mDL requires a mechanism to distribute and disseminate the set of certification authorities certificates from issuing authorities.
  4. Technology provider - provide systems and Apps for issuing authorities to issue mDLs. They appear to be entirely controlled by issuing authority, but also work the mDL verifiers to ensure privancy,

Comparison with VC & DID

Problems

State issued driver's licenses in North America have morphed into the default identity credential for residents whether by design or by circumstance. While it might seem to be helpful to try to break the problem down into the original purpose first, that is no longer an option. Even states that seek to create mobile versions of their own driver's licenses need to address the other purposes that existing legislation requires, such as control of alcohol and prescription medicines among many other existing purposes. So this section takes the practical view about what must be supported on day one of the availability of mobile state issued identification documents, aka driver's licenses.

Privacy

  1. States are sovereign, which means that they are not liable for any action where they have not accepted liability. Current practice indicates that mobile driver's licenses will only be available on smart phone apps that are supplied by the state and typically written under contract by in-state vendors. Any impact on these apps can only be enforced if the state's choose to do so. Still the states are wont to accept standards written to address these apps and so it would be good to see such standards approved for use.
  2. Organizations that accept user private information (aka PII) from the apps may be under state or federal regulations which require meaningful user consent for release. Standards should be written to define what "meaningful user consent" really means.
  3. The biometric information and signature of the holder is optionally included in the mDL. This is information that should never be released from the person that holds it as is stated in an non-normative appendix. It is meant to be used for activation (C.1.6.4), but that is not described and E.12 says that "the mDL reader may implement biometric comparison of the person presenting the mDL to the portrait." The exact meaning of that last sentence is unclear.

References.

Authenticity

  1. Apps can be created that mimic Mobile Driver's Licenses that either fool the user, or are intended to allow the user to fool the acceptor of the data. Where legal obligation exist to check the authenticity of user provided data, it is likely that apps will need to prove their authenticity to the reader. Specifications for proving authenticity should be written. Kantara currently has an implementer's draft of such an assurance statement.
  2. States are likely to require that smartphone apps meet certain criteria and a wont to accept existing specifications rather than write their own.
  3. Readers of Mobile Driver's Licenses were imagined in the ISO 18013-5 standard to be certified. Specifications for the certifications of reader that meet privacy and identity requirements are needed.
  4. In an ideal world the Mobile Driver's License would not even respond to requests for data from readers that were not certified.

Solutions

Android

Apple iOS

Testing

Connection Protocols

The language for defining the mDL is RFC 8610 CDDL. Occurrence is the one oddity. It is (1) one of the characters "?" (optional), "*" (zero or more), or "+" (one or more) or (2) of the form n*m for min and max. Also "tstr" = text string and "bstr" = byte string, and tdate is something like 1985-04-12T23:20:50.52Z.

Security

US Federal Regulations

State Wallets

  • Florida will also use Apple Wallet 2021-10-14 with a current list of all states supporting apple wallet.
  • Apple announces first states signed up to adopt driver’s licenses and state IDs in Apple Wallet 2021-09-01 Arizona, Connecticut, Georgia, Iowa, Kentucky, Maryland, Oklahoma, and Utah are among the first states to bring state IDs and driver’s licenses in Wallet to their residents
  • A Delaware mobile ID is now a reality 2021-03-10 The app requires users to capture and upload their physical ID as well as a live selfie to compare against the individual’s file with the Delaware DMV. According to state officials, security features, including strong encryption standards, help fight identity theft. "You don't need passwords or usernames because it's based on your biometrics," said DMV spokesperson Marinah Carver. "You can not use your mobile ID without inputting either your face or your fingerprint. "We're not sharing that data with anyone else, and it can't be accessed through a third party." In addition to safety, Carver said a contactless ID as part of a digital wallet is also a healthier option in a post-COVID world. The program is voluntary and optional and by law. A person is still required to carry their physical credential as applicable for age and identity verification. "You can try it for a bit," said Carver. "If it's not for you, you can opt back out. It's certainly not a replacement at this time to your physical credential." Carver said the mobile ID has not yet been accepted in a law enforcement setting. The DVM offers apps on Apple and Android stores. It allows both a straight scan of the back of the card, or a privacy preserving one of the bar code only from the physical care or a QR code. At the user's discretion.
  • Iowa Mobile ID mID is reported by IDEMIA to be the first with UL certification 2021-03-11.
  • Award-winning myColorado™ App Offers Residents a Contactless Digital ID Colorado is the first state in the nation to offer residents the option to electronically transmit digital identification, vehicle registration and proof of insurance to law enforcement. They require the state trooper to show you a QR code first. Interestingly the feature has been extended to allow the phone's camera to scan the QR code, which indicates that the URL just sends the data from the DMV to the trooper's computer. After that the user has the option to give the cop what she wants, or dig out the paper version of all 3 documents. The business use of the mDL is a simple display of the back of the physical DL on the screen of the phone so the merchants can scan the 2d barcode in the same way as with the physical DL. It appears that Colorado was involved in app development at some level. Users add their identification in the myColorado app by taking a selfie with the in-app camera as well as a photo of their physical driver’s license or state ID. Several authentication points, including the selfie, the physical card’s bar code and the resident’s phone number are then verified against Division of Motor Vehicles records. The state government is using an identity verification and management platform from Ping Identity Holding Corp., which is based in Denver. The development of Colorado’s digital-ID application started in early 2019 and has cost about $800,000. Much of the effort has involved interacting with state agencies and merchants on features and adoption. Theresa Szczurek has been Colorado’s chief information officer since January 2020. “We discovered that proof of identification without carrying the wallet was really the killer app,” said Ms. Szczurek, who was chief executive of Radish Systems LLC for nine years before becoming state CIO in January. Radish, based in Boulder, Colo., sells software that integrates visuals into phone calls.
  • Identity Services for myColorado™ Mobile App Powered by Ping Identity report from PING dated 2019-11-12.
  • Louisiana adds vaccine status to digital driver’s License App 2021-05-07
  • NBC News reports that Calvin Fabre, president of Envoc, a software firm in Baton Rouge, Louisiana, that helped develop a mobile app to display digital driver's licenses in Louisiana, said most drivers under 40 won't go back home if they forget their plastic license — "but if they forget their phone, they always turn around." It looks like Envoc programs in .NET and Xamarin.
  • [https://www.govtech.com/news/Digital-Drivers-License-Pilot-Comes-to-Wyoming.html Wyoming is piloting a digital driver's license} base on Gemalto technology. (2017-10-05) for only 100 people. The app isn’t connected to the Internet, so there’s virtually no risk of someone tracking a user’s whereabouts or personal information based on when they open the license, said Steve Purdy, Gemalto’s vice president of state government programs. In order to enter the app, people have to enter a five-digit password or use fingerprint identification. “All it does is show your photo and whether or not you’re 21,” Purdy said. Gemalto provides the existing card license to WY.
  • Ontario program with potential to eliminate our need to carry around physical health cards, driver's licenses and other forms of provincially-issued ID. blogTO (2020-11)


Note that some of these organizations are just associations of large Enterprises.

State Code Provider Notes
ALABAMA AL
ALASKA AK
AMERICAN SAMOA AS
ARIZONA AZ
ARKANSAS AR
CALIFORNIA CA
COLORADO CO
CONNECTICUT CT
DELAWARE DE
DISTRICT OF COLUMBIA DC
FEDERATED STATES OF MICRONESIA FM
FLORIDA FL
GEORGIA GA
GUAM GU
HAWAII HI

I|-

DAHO ID

I|-

LLINOIS IL

I|-

NDIANA IN

I|-

OWA IA
KANSAS KS
KENTUCKY KY

L|-

OUISIANA LA
MAINE ME
MARSHALL ISLANDS MH
MARYLAND MD
MASSACHUSETTS MA
MICHIGAN MI
MINNESOTA MN
MISSISSIPPI MS
MISSOURI MO
MONTANA MT
NEBRASKA NE
NEVADA NV
NEW HAMPSHIRE NH
NEW JERSEY NJ
NEW MEXICO NM
NEW YORK NY
NORTH CAROLINA NC
NORTH DAKOTA ND
NORTHERN MARIANA ISLANDS MP
OHIO OH
OKLAHOMA OK
OREGON OR
PALAU PW
PENNSYLVANIA PA
PUERTO RICO PR
RHODE ISLAND RI
SOUTH CAROLINA SC
SOUTH DAKOTA SD
TENNESSEE TN
TEXAS TX
UTAH UT
VERMONT VT
VIRGIN ISLANDS VI
VIRGINIA VA
WASHINGTON WA
WEST VIRGINIA WV
WISCONSIN WI
WYOMING WY
Province/Territory Abbreviation
BRITISH COLUMBIA BC
ALBERTA AB
SASKATCHEWAN SK
MANITOBA MB
ONTARIO ON
QUEBEC QC
NEW BRUNSWICK NB
NOVA SCOTIA NS
PRINCE EDWARD ISLAND PE
NEWFOUNDLAND NF
NORTHWEST TERRITORIES NT
YUKON YT AAMVA Attribute driver's license just verifies information at state Identity providers
Better ID Coalition Large US financial companies issued a Report
CAHIMS CPHIMS Health IT personnel HIMMS - CAHIMS directed to IT professionals, CPHIMS management
CHTS Health IT personnel AHIMA - American Health Information Management Ass.

Center for Medical Interoperability||Health|| Information||plug-and-play interoperability in healthcare, meaning the technologies clinicians use to take care of people can seamlessly exchange information

Center for Cybersecurity Policy Security Infrastructure
Certified EHR Tech Health Clerk? CMS.gov - seems to just be standards
Certified healthcare constructor Health Clerk? American Hospital Assoc.
Distributed ID One hundred point of identity
Electronic Health Record Health Clerk? AMCA - may be for profit?
FIDO Alliance UAF U2F Fast ID Online 1.2 specs dtd 2017
Kantata Initiative Federations UMA also Consent Receipt and IDEF
HCISPP Health IT personnel focus on medical records, compliance officer and security or risk management
HL7 Health unclear knows about FHIR?
OpenID Foundation AuthN+AuthZ OpenID Connect OpenID Foundation
RHIA RHIT Health IT personnel AHIMA
SAML 2.0 AuthN SAML2 OASIS-open.org original Single Sign-On standard
TSCP Transglobal Secure Collaboration Participation is a collaborative forum of worldwide stakeholders in the defense industry to address security issues
W3C Credential Community Group Decentralized eg Public Ledger DID, verifiable claims sponsored by blockchain providers

References