- From: Kaliya IDwoman <kaliya-id@identitywoman.net>
- Date: Mon, 12 Jul 2021 21:19:06 -0700
- To: Credentials CG <public-credentials@w3.org>
- Message-ID: <CA+z9oKApCrHTZbs71xQJtPNi3wNoMii1O3d6YYi6qwyqeLWY0w@mail.gmail.com>
I'm writing to share this Request for Information put out by the US Government regarding rule making related to the RealID act and Mobile Drivers LIcences. The Deadline for response is July 30th so there is plenty of time. This is the extension notice. https://www.federalregister.gov/documents/2021/06/16/2021-12616/public-meeting-and-extension-of-comment-period-on-request-for-information-minimum-standards-for This is the regular RFI https://www.federalregister.gov/documents/2021/04/19/2021-07957/minimum-standards-for-drivers-licenses-and-identification-cards-acceptable-by-federal-agencies-for Here are the questions they are asking for information about: IV. Questions for Commenters DHS requests comments in response to the following questions. We do not intend these questions to restrict the issues that commenters may address. Commenters are encouraged to address issues that may not be discussed below based upon their knowledge of the issues and implications. In providing your comments, please follow the instructions in the Commenter Instructions section above. 1. *Security Generally.* Provide comments on what security risks, including data interception, alteration, and reproduction, may arise from the use of mDLs by Federal agencies for official purposes, which includes accessing Federal facilities, boarding federally-regulated commercial aircraft, and entering nuclear power plants. a. Explain what digital security functions or features are available to detect, deter, and mitigate the security risks from mDL transactions, including the advantages and disadvantages of each security feature. b. Provide comments on how mDL transactions could introduce new cybersecurity threat vectors into the IT systems of Federal agencies by, for example, transmitting malicious code along with the mDL Data. c. Sections 37.15 and 37.17 of 6 CFR part 37 <https://www.federalregister.gov/select-citation/2021/04/19/6-CFR-37> set forth specific requirements for physical security features for DL/ID and other requirements for the surface of DL/ID. Provide comments on what requirements are necessary to provide comparable security assurances for mDLs. 2. *Privacy Generally.* Provide comments on what privacy concerns or benefits may arise from mDL transactions, and how DHS should or should not address those concerns and benefits in the REAL ID context. Explain what digital security functions or features are available to protect the privacy of any personally identifiable information submitted in mDL transactions, including the advantages and disadvantages of each security feature. 3. *Industry Standards.* Executive Order 12866 directs Federal agencies to use performance-based standards whenever feasible. DHS is considering including technical standards for mDL transactions in its proposed rule, drawing heavily on standards under development by the industry, to support compatibility and technical interoperability across all interested Federal agencies nationwide. If commenters believe an industry standard should be chosen, provide comments on how DHS should choose the correct standard(s) for mDLs, and on the appropriate baseline standard(s) that DHS should impose. 4. *Industry Standard ISO/IEC 18013-5: Communication Interfaces Between mDL Device and Federal Agency, and Federal Agency and DMV.* DHS may adopt certain requirements that may be established in forthcoming international industry standards that specify digital security mechanisms and protocols with respect to the communication interface between a mobile device and a Federal agency, and the communication interface between a Federal agency and a DMV. a. Provide comments on what concerns commenters have regarding such standards and DHS's adoption of their requirements. In particular, explain whether commenters believe the current drafts of industry standard ISO/IEC 18013-5 are mature enough to support secure and widespread deployment of mDLs. b. Explain the impact on stakeholders and mDL issuance if such standards are not approved in a timely manner. c. Quantify the initial and ongoing costs to a stakeholder to implement these standards. d. Provide comments on what, if any, key areas related to mDLs are not covered in these standards that DHS should consider addressing by regulation.Start Printed Page 20326 e. Identity what, if any, alternative standards or requirements DHS should consider. 5. *Industry Standard ISO/IEC 23220-3: Communication Interface Between DMV and mDL Device.* DHS understands that forthcoming international industry standard ISO/IEC 23220-3 may specify digital security mechanisms and protocols with respect to the communication interface between a DMV and a mobile device, specifically concerning provisioning methods, data storage, and related actions. Although DHS may seek to adopt certain requirements anticipated to appear in this standard, the Department understands that this standard may not be finalized for several years. a. Explain whether commenters believe the current drafts of standard ISO/IEC 23220-3 are mature enough to support secure and widespread deployment of mDLs. b. With the ongoing development of ISO/IEC 23220-3, provide comments on what, if any, alternative standards or requirements DHS should consider before the standard is finalized. 6. *Provisioning.* DHS understands that provisioning may be conducted in-person, remotely, or via other methods. a. Explain the security and privacy risks, from the perspective of any stakeholder, presented by in-person, remote, or other provisioning methods. b. Provide comments on the security protocols that would be required for DMVs to mitigate security and privacy risks presented by in-person, remote, or other provisioning methods, and to ensure at a high level of certainty that a REAL ID compliant mDL is securely provisioned to the rightful owner of the identity and the target mDL device, for in-person or remote applications. c. Provide comments on whether mDL Data should include data fields populated with information concerning the method of provisioning used. d. Provide estimated costs for a DMV to implement in-person or remote provisioning. Costs may include IT contracts, hiring full or part-time IT staff, as well as software and hardware. 7. *Storage.* DHS understands that mobile device hardware- and software-based security architectures can be used to secure mDL Data on a mobile device. a. Provide comments on the advantages and disadvantages, with respect to security, functionality, and interoperability, of the different mobile security architectures for protecting, storing and assuring integrity of mDL Data. b. Explain whether a hardware- or software-based solution, or both, would provide the requisite security in a competitively-neutral manner. 8. *Data Freshness.* Provide comments regarding whether and to what extent security risks concerning data validity and freshness can be mitigated by defining the frequency by which mDL Data should synchronize with its DMV database. a. Provide comments regarding what data synchronization periods commenters believe are appropriate for mDL transactions. Explain the advantages and disadvantages of a longer or shorter periods. b. Provide estimated costs to a stakeholder to implement the data synchronization periods stated above. 9. *IT Security Infrastructure.* Provide comments on whether IT security infrastructure, such as Public Key Infrastructure, would provide the level of privacy and security sufficient to implement a secure and trusted operating environment, for both offline and online use cases, and if not, explain what alternative approaches would be better. a. Identify any what additional or alternative IT security infrastructure ( *e.g.,* a public key distributor or aggregator such as a trusted public certificate list, Federal PKI) that would be required to facilitate trusted mDL transactions between mDL holders, verifying entities, and issuing authorities. b. Provide estimated costs for a DMV or Federal agency to implement necessary IT security infrastructure. Costs may include IT contracts, hiring full or part-time IT staff, as well as software and hardware. 10. *Alternative IT Security Solutions.* Provide comments on whether DHS should consider privacy or security solutions adopted in other industries, such as finance (*e.g.,* mobile payments), automotive/telecommunications ( *e.g.,* vehicle-to-vehicle or “V2V”/“V2X” communications), or medical ( *e.g.,* electronic prescriptions for controlled substances), that rely on digital identity and/or secure device-to-device transactions. Explain what those solutions are and how they could be adapted or implemented for Federal mDL use cases. 11. *Offline and Online Data Transfer Modes.* DHS understands that mDL Data may be transferred to a Federal agency via offline and online modes. a. Explain the security and privacy risks, from the perspective of any stakeholder, presented by both offline and online data transfer modes. b. Provide comments on the security protocols that would be required to mitigate security and privacy risks presented by both offline and online data transfer modes. 12. *Unattended Online mDL Verification.* Provide comments on what capabilities or technologies are available to enable unattended online mDL verification by Federal agencies. Explain the possible advantages and disadvantages of each approach. a. Explain the security and privacy risks, from the perspective of any stakeholder, presented by unattended online mDL verification. b. Provide comments on the security protocols that would be required for DMVs to mitigate security and privacy risks presented by unattended online mDL verification. 13. *Costs to Individuals.* Provide comments on the estimated costs, including savings, to an individual to obtain an mDL, including: a. Time and effort required to obtain the mDL. b. Fees charged by DMVs. c. Any charges for inclusion of additional information on an mDL, such as HAZMAT endorsements, hunting, fishing, or boating licenses. 14. *Considerations for mDL Devices Other than Smartphones.* Provide comments on whether provisioning an mDL on, or accessing an mDL from, a device other than a smartphone (*e.g.,* a smartwatch accessing mDL Data from a smartphone paired to it, or a mobile device authorized to access mDL Data stored remotely), poses security or privacy considerations different than provisioning an mDL on, or accessing an mDL from, a smartphone. Explain such security or privacy considerations and how they can be mitigated. 15. *Obstacles to mDL Acceptance.* Describe any obstacles to public or industry acceptance of mDLs that DHS should consider in developing its regulatory requirements. Provide comments on recommendations DHS should consider addressing such obstacles, including how to educate the public about security and privacy aspects of digital identity and mDLs. The Department issues this RFI solely for information and program planning purposes, and to inform a future rulemaking. Responses to this RFI do not bind DHS to any further actions related to the response.
Received on Tuesday, 13 July 2021 04:19:32 UTC