W3C home > Mailing lists > Public > public-credentials@w3.org > December 2021

Re: Verifiable Driver's Licenses and ISO-18013-5 (mDL)

From: Andrew Hughes <andrewhughes3000@gmail.com>
Date: Thu, 9 Dec 2021 10:08:03 -0800
Message-ID: <CAGJp9UaX1FxSnqdp1HtvZpNX4gKeXo32MDKt7q3w7N4f2s6rVQ@mail.gmail.com>
To: Manu Sporny <msporny@digitalbazaar.com>
Cc: "W3C Credentials CG (Public List)" <public-credentials@w3.org>
Thanks Manu

The proposals made a couple years ago regarding VCs etc were too early for
the ISO WG to absorb. Also, the ISO WG was at the time by necessity
inwards-focused.
Now that 18013-5 is published, it's actually a better time to talk about
data structures and proof mechanisms - because we have one approach that is
proven to work. Now we can make moves towards efficiency, newer approaches,
technologies that have different properties/capabilities, and so on.
————————
*Andrew Hughes *CISM CISSP
m +1 250.888.9474
AndrewHughes3000@gmail.com



On Thu, Dec 9, 2021 at 9:38 AM Manu Sporny <msporny@digitalbazaar.com>
wrote:

> On 12/7/21 1:07 PM, Andrew Hughes wrote:
> > The part that appears to be not covered here is the protocol-related
> > clauses and the data integrity and "mdoc authentication" using the
> Mobile
> > Security Object (MSO).
>
> Yes, at least one large W3C Member insisted (and continues to insist) that
> protocol be placed out of scope in the VCWG. They are, interestingly
> enough,
> also involved in the ISO 18013-5 work, but I'm sure there is no connection
> between those two data points and it's just a coincidence. :P
>
> You are right to note that there is a problem there that needs a
> standardized
> solution.
>
> > While the MSO is technically not inside the data model in 18013-5 it is
> > required in order for the verifier to confirm data integrity
> > per-data-element... I realize that the VC approach in this work is not
> the
> > same - but how should we accommodate issuers who want or need to use the
> > 18013-5 MSO security approach?
>
> Yes, and ONE solution to this could be embedding the MSO as a "proof" in
> the
> Verifiable Credential and passing that on verbatim. The downside, here,
> however is that it's yet another Verifiable Credential data integrity
> algorithm that we'd need to spec -- though, the spec could largely point to
> the ISO-18013-5 specification.
>
> It's not elegant, but I see no reason why it wouldn't work (yet).
>
> > Verifiers following the 18013-5 verification approach will be expecting
> to
> > get an MSO for processing. This is the biggest item that I continue to
> > struggle to conceptualize (even before this work was circulated) -
> whether
> > the MSO approach is fundamental to the concept of Mobile Driving
> License,
> > or if that's just one approach to data integrity etc. And whether any
> other
> > equivalent proof mechanism is acceptable for conformity to 18013-5 (which
> > is what Issuers are likely to demand of any vendor/app)
>
> Here's what it could look like for a selectively disclosed driver's license
> (sharing only document number, birth date, and expiration date):
>
> https://gist.github.com/msporny/6292b3b6f77e2040fbc0e534d0a30ff2
>
> IIRC, this was already proposed to the ISO-18013-5 group several years ago.
> I'll note that BBS+ is probably a far better, more generalized, solution to
> the problem the MSO is attempting to solve. The problem w/ BBS+, of
> course, is
> the lack of finalized standards that could be leveraged today.
>
> Hope that helps, happy to answer further questions.
>
> -- manu
>
> --
> Manu Sporny - https://www.linkedin.com/in/manusporny/
> Founder/CEO - Digital Bazaar, Inc.
> News: Digital Bazaar Announces New Case Studies (2021)
> https://www.digitalbazaar.com/
>
>
>
Received on Thursday, 9 December 2021 18:08:28 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:25:25 UTC