Re: Verifiable Driver's Licenses and ISO-18013-5 (mDL)

On 12/7/21 1:07 PM, Andrew Hughes wrote:
> The part that appears to be not covered here is the protocol-related 
> clauses and the data integrity and "mdoc authentication" using the Mobile 
> Security Object (MSO).

Yes, at least one large W3C Member insisted (and continues to insist) that
protocol be placed out of scope in the VCWG. They are, interestingly enough,
also involved in the ISO 18013-5 work, but I'm sure there is no connection
between those two data points and it's just a coincidence. :P

You are right to note that there is a problem there that needs a standardized
solution.

> While the MSO is technically not inside the data model in 18013-5 it is 
> required in order for the verifier to confirm data integrity 
> per-data-element... I realize that the VC approach in this work is not the 
> same - but how should we accommodate issuers who want or need to use the 
> 18013-5 MSO security approach?

Yes, and ONE solution to this could be embedding the MSO as a "proof" in the
Verifiable Credential and passing that on verbatim. The downside here,
however, is that it's yet another Verifiable Credential data integrity
algorithm that we'd need to spec -- though, the spec could largely point to
the ISO-18013-5 specification.

It's not elegant, but I see no reason why it wouldn't work (yet).

> Verifiers following the 18013-5 verification approach will be expecting to 
> get an MSO for processing. This is the biggest item that I continue to 
> struggle to conceptualize (even before this work was circulated) - whether 
> the MSO approach is fundamental to the concept of Mobile Driving License, 
> or if that's just one approach to data integrity etc. And whether any other
> equivalent proof mechanism is acceptable for conformity to 18013-5 (which
> is what Issuers are likely to demand of any vendor/app)

Here's what it could look like for a selectively disclosed driver's license
(sharing only document number, birth date, and expiration date):

https://gist.github.com/msporny/6292b3b6f77e2040fbc0e534d0a30ff2

IIRC, this was already proposed to the ISO-18013-5 group several years ago.
I'll note that BBS+ is probably a far better, more generalized, solution to
the problem the MSO is attempting to solve. The problem w/ BBS+, of course, is
the lack of finalized standards that could be leveraged today.

Hope that helps, happy to answer further questions.

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
https://www.digitalbazaar.com/

Received on Thursday, 9 December 2021 17:36:22 UTC
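
The per-data-element integrity check discussed in this thread, shown as an added example; it is not part of the original message, the linked gist, or the ISO 18013-5 text. It models an MSO-style digest table over salted items and a verifier checking a selectively disclosed subset. Assumptions: JSON with sorted keys stands in for the CBOR item encoding, the issuer's signature over the MSO is taken as already verified, and all sample values are constructed.

```python
import hashlib
import json
import secrets

NAMESPACE = "org.iso.18013.5.1"

def encode_item(item):
    # Assumption: deterministic JSON replaces the CBOR encoding used by real mdocs.
    return json.dumps(item, sort_keys=True, separators=(",", ":")).encode()

def digest(item):
    return hashlib.sha256(encode_item(item)).hexdigest()

def issue(elements):
    """Issuer: one salted item per data element, plus an MSO-like digest table."""
    items = [
        {"digestID": i, "random": secrets.token_hex(16),
         "elementIdentifier": name, "elementValue": value}
        for i, (name, value) in enumerate(elements.items())
    ]
    mso = {"digestAlgorithm": "SHA-256",
           "valueDigests": {NAMESPACE: {it["digestID"]: digest(it) for it in items}}}
    return items, mso  # in a real mdoc the MSO is then signed by the issuer

def disclose(items, wanted):
    """Holder: release only the requested items; the MSO is passed on unchanged."""
    return [it for it in items if it["elementIdentifier"] in wanted]

def verify(disclosed, mso):
    """Verifier: accept an element only if its digest matches the MSO entry
    for its digestID. Undisclosed elements stay hidden behind salted digests."""
    table = mso["valueDigests"][NAMESPACE]
    accepted = {}
    for it in disclosed:
        expected = table.get(it["digestID"])
        if expected is None or not secrets.compare_digest(expected, digest(it)):
            raise ValueError(f"integrity check failed for {it['elementIdentifier']}")
        accepted[it["elementIdentifier"]] = it["elementValue"]
    return accepted

# Constructed sample licence data (not real values).
SAMPLE = {"family_name": "Doe", "given_name": "Jane", "birth_date": "1990-01-01",
          "expiry_date": "2027-06-30", "document_number": "X0000000"}

if __name__ == "__main__":
    items, mso = issue(SAMPLE)
    shown = disclose(items, {"document_number", "birth_date", "expiry_date"})
    print(verify(shown, mso))
```

The verifier needs the full digest table to check even one element, which is why a verifier following the 18013-5 approach expects the MSO to arrive alongside the disclosed items.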