- From: Andrew Hughes <andrewhughes3000@gmail.com>
- Date: Tue, 7 Dec 2021 10:07:49 -0800
- To: Manu Sporny <msporny@digitalbazaar.com>
- Cc: W3C Credentials CG <public-credentials@w3.org>
- Message-ID: <CAGJp9Ub5VKF3spZ24ES8LnXEjaTJJbM0xgrh7i0byGXq5Lhoug@mail.gmail.com>
Hi Manu et al - thanks for this work. I'm working through the material and comparing to the ISO WG 18013-5 work. I can see very good coverage of the core mDL data model (the list of data elements in ISO 18013-5) in this work. The part that appears to be not covered here is the protocol-related clauses and the data integrity and "mdoc authentication" using the Mobile Security Object (MSO). While the MSO is technically not inside the data model in 18013-5 it is required in order for the verifier to confirm data integrity per-data-element. In 18013-5 there is a procedure in the Security Mechanisms clause that describes the steps a Verifier must perform in order to confirm data integrity and issuer of each data element. This is for 'server retrieval' mode and uses JWT/JWS for data integrity. I realize that the VC approach in this work is not the same - but how should we accommodate issuers who want or need to use the 18013-5 MSO security approach? Verifiers following the 18013-5 verification approach will be expecting to get an MSO for processing. This is the biggest item that I continue to struggle to conceptualize (even before this work was circulated) - whether the MSO approach is fundamental to the concept of Mobile Driving License, or if that's just one approach to data integrity etc. And whether any other equivalent proof mechanism is acceptable for conformity to 18013-5 (which is what Issuers are likely to demand of any vendor/app) andrew. ———————— *Andrew Hughes *CISM CISSP m +1 250.888.9474 AndrewHughes3000@gmail.com >
Received on Tuesday, 7 December 2021 18:09:14 UTC