W3C home > Mailing lists > Public > public-credentials@w3.org > December 2021

Re: Verifiable Driver's Licenses and ISO-18013-5 (mDL)

From: Andrew Hughes <andrewhughes3000@gmail.com>
Date: Tue, 7 Dec 2021 10:07:49 -0800
Message-ID: <CAGJp9Ub5VKF3spZ24ES8LnXEjaTJJbM0xgrh7i0byGXq5Lhoug@mail.gmail.com>
To: Manu Sporny <msporny@digitalbazaar.com>
Cc: W3C Credentials CG <public-credentials@w3.org>
Hi Manu et al - thanks for this work.

I'm working through the material and comparing to the ISO WG 18013-5 work.
I can see very good coverage of the core mDL data model (the list of data
elements in ISO 18013-5) in this work.

The part that appears to be not covered here is the protocol-related
clauses and the data integrity and "mdoc authentication" using the Mobile
Security Object (MSO). While the MSO is technically not inside the data
model in 18013-5 it is required in order for the verifier to confirm data
integrity per-data-element.
In 18013-5 there is a procedure in the Security Mechanisms clause that
describes the steps a Verifier must perform in order to confirm data
integrity and issuer of each data element. This is for 'server retrieval'
mode and uses JWT/JWS for data integrity.

I realize that the VC approach in this work is not the same - but how
should we accommodate issuers who want or need to use the 18013-5 MSO
security approach?
Verifiers following the 18013-5 verification approach will be expecting to
get an MSO for processing.
This is the biggest item that I continue to struggle to conceptualize (even
before this work was circulated) - whether the MSO approach is fundamental
to the concept of Mobile Driving License, or if that's just one approach to
data integrity etc. And whether any other equivalent proof mechanism is
acceptable for conformity to 18013-5 (which is what Issuers are likely to
demand of any vendor/app)


*Andrew Hughes *CISM CISSP
m +1 250.888.9474

Received on Tuesday, 7 December 2021 18:09:14 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:25:25 UTC