W3C home > Mailing lists > Public > public-credentials@w3.org > December 2021

Re: Verifiable Driver's Licenses and ISO-18013-5 (mDL)

From: Michael Herman (Trusted Digital Web) <mwherman@parallelspace.net>
Date: Fri, 10 Dec 2021 18:24:51 +0000
To: Adrian Gropper <agropper@healthurl.com>, Andrew Hughes <andrewhughes3000@gmail.com>
CC: Manu Sporny <msporny@digitalbazaar.com>, "W3C Credentials CG (Public List)" <public-credentials@w3.org>
Message-ID: <MWHPR1301MB2094C3BDF93A386B5CD18E99C3719@MWHPR1301MB2094.namprd13.prod.outlook.com>
...and how do these link to CCG's higher level goals, principles, and metrics?

What do we collectively stand for?

Michael Herman
Trusted Digital Web

Get Outlook for Android<https://aka.ms/AAb9ysg>
From: Adrian Gropper <agropper@healthurl.com>
Sent: Thursday, December 9, 2021 12:44:40 PM
To: Andrew Hughes <andrewhughes3000@gmail.com>
Cc: Manu Sporny <msporny@digitalbazaar.com>; W3C Credentials CG (Public List) <public-credentials@w3.org>
Subject: Re: Verifiable Driver's Licenses and ISO-18013-5 (mDL)

What is to be our measure of success?

A (digital) driver's license is government issued, biometrically bound, deduplicated and non-repudiable by design, and very long-lasting. It is then linked without obvious regulations to an immense range of applications that includes notarized civil contracts, travel, banking, proof-of-age, and presentation along with a vaccination card.

Broadly speaking, the W3C VC and DID data models do not constrain or introduce regulatory concerns into any of the aforementioned aspects but any protocol and advocacy work we choose to do will be prime real estate for platform economics, regulatory capture, and social engineering.

Kranzberg’s First Law of Technology is "Technology is neither good nor bad; nor is it neutral." A government-dominated closed process, ISO can pretend to serve the narrow intent of a mDL. What is our intent and measure of success?

- Adrian

On Thu, Dec 9, 2021 at 12:10 PM Andrew Hughes <andrewhughes3000@gmail.com<mailto:andrewhughes3000@gmail.com>> wrote:
Thanks Manu

The proposals made a couple years ago regarding VCs etc were too early for the ISO WG to absorb. Also, the ISO WG was at the time by necessity inwards-focused.
Now that 18013-5 is published, it's actually a better time to talk about data structures and proof mechanisms - because we have one approach that is proven to work. Now we can make moves towards efficiency, newer approaches, technologies that have different properties/capabilities, and so on.
Andrew Hughes CISM CISSP
m +1 250.888.9474

On Thu, Dec 9, 2021 at 9:38 AM Manu Sporny <msporny@digitalbazaar.com<mailto:msporny@digitalbazaar.com>> wrote:
On 12/7/21 1:07 PM, Andrew Hughes wrote:
> The part that appears to be not covered here is the protocol-related
> clauses and the data integrity and "mdoc authentication" using the Mobile
> Security Object (MSO).

Yes, at least one large W3C Member insisted (and continues to insist) that
protocol be placed out of scope in the VCWG. They are, interestingly enough,
also involved in the ISO 18013-5 work, but I'm sure there is no connection
between those two data points and it's just a coincidence. :P

You are right to note that there is a problem there that needs a standardized

> While the MSO is technically not inside the data model in 18013-5 it is
> required in order for the verifier to confirm data integrity
> per-data-element... I realize that the VC approach in this work is not the
> same - but how should we accommodate issuers who want or need to use the
> 18013-5 MSO security approach?

Yes, and ONE solution to this could be embedding the MSO as a "proof" in the
Verifiable Credential and passing that on verbatim. The downside, here,
however is that it's yet another Verifiable Credential data integrity
algorithm that we'd need to spec -- though, the spec could largely point to
the ISO-18013-5 specification.

It's not elegant, but I see no reason why it wouldn't work (yet).

> Verifiers following the 18013-5 verification approach will be expecting to
> get an MSO for processing. This is the biggest item that I continue to
> struggle to conceptualize (even before this work was circulated) - whether
> the MSO approach is fundamental to the concept of Mobile Driving License,
> or if that's just one approach to data integrity etc. And whether any other
> equivalent proof mechanism is acceptable for conformity to 18013-5 (which
> is what Issuers are likely to demand of any vendor/app)

Here's what it could look like for a selectively disclosed driver's license
(sharing only document number, birth date, and expiration date):


IIRC, this was already proposed to the ISO-18013-5 group several years ago.
I'll note that BBS+ is probably a far better, more generalized, solution to
the problem the MSO is attempting to solve. The problem w/ BBS+, of course, is
the lack of finalized standards that could be leveraged today.

Hope that helps, happy to answer further questions.

-- manu

Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
Received on Friday, 10 December 2021 18:25:07 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:25:25 UTC