
RFI - RealID DHS mDL Rule Making

From: Kaliya IDwoman <kaliya-id@identitywoman.net>
Date: Mon, 12 Jul 2021 21:19:06 -0700
Message-ID: <CA+z9oKApCrHTZbs71xQJtPNi3wNoMii1O3d6YYi6qwyqeLWY0w@mail.gmail.com>
To: Credentials CG <public-credentials@w3.org>
I'm writing to share this Request for Information put out by the US
Government regarding rule making related to the RealID act and Mobile
Drivers Licences. The deadline for response is July 30th so there is
plenty of time.

This is the extension notice.

https://www.federalregister.gov/documents/2021/06/16/2021-12616/public-meeting-and-extension-of-comment-period-on-request-for-information-minimum-standards-for

This is the regular RFI
https://www.federalregister.gov/documents/2021/04/19/2021-07957/minimum-standards-for-drivers-licenses-and-identification-cards-acceptable-by-federal-agencies-for


Here are the questions they are asking for information about:

IV. Questions for Commenters

DHS requests comments in response to the following questions. We do not
intend these questions to restrict the issues that commenters may address.
Commenters are encouraged to address issues that may not be discussed below
based upon their knowledge of the issues and implications. In providing
your comments, please follow the instructions in the Commenter Instructions
section above.

1. *Security Generally.* Provide comments on what security risks, including
data interception, alteration, and reproduction, may arise from the use of
mDLs by Federal agencies for official purposes, which includes accessing
Federal facilities, boarding federally-regulated commercial aircraft, and
entering nuclear power plants.

a. Explain what digital security functions or features are available to
detect, deter, and mitigate the security risks from mDL transactions,
including the advantages and disadvantages of each security feature.

b. Provide comments on how mDL transactions could introduce new
cybersecurity threat vectors into the IT systems of Federal agencies by,
for example, transmitting malicious code along with the mDL Data.

c. Sections 37.15 and 37.17 of 6 CFR part 37
<https://www.federalregister.gov/select-citation/2021/04/19/6-CFR-37> set
forth specific requirements for physical security features for DL/ID and
other requirements for the surface of DL/ID. Provide comments on what
requirements are necessary to provide comparable security assurances for
mDLs.

2. *Privacy Generally.* Provide comments on what privacy concerns or
benefits may arise from mDL transactions, and how DHS should or should not
address those concerns and benefits in the REAL ID context. Explain what
digital security functions or features are available to protect the privacy
of any personally identifiable information submitted in mDL transactions,
including the advantages and disadvantages of each security feature.

3. *Industry Standards.* Executive Order 12866 directs Federal agencies to
use performance-based standards whenever feasible. DHS is considering
including technical standards for mDL transactions in its proposed rule,
drawing heavily on standards under development by the industry, to support
compatibility and technical interoperability across all interested Federal
agencies nationwide. If commenters believe an industry standard should be
chosen, provide comments on how DHS should choose the correct standard(s)
for mDLs, and on the appropriate baseline standard(s) that DHS should
impose.

4. *Industry Standard ISO/IEC 18013-5: Communication Interfaces
Between mDL Device and Federal Agency, and Federal Agency and DMV.* DHS may
adopt certain requirements that may be established in forthcoming
international industry standards that specify digital security mechanisms
and protocols with respect to the communication interface between a mobile
device and a Federal agency, and the communication interface between a
Federal agency and a DMV.

a. Provide comments on what concerns commenters have regarding such
standards and DHS's adoption of their requirements. In particular, explain
whether commenters believe the current drafts of industry standard ISO/IEC
18013-5 are mature enough to support secure and widespread deployment of
mDLs.

b. Explain the impact on stakeholders and mDL issuance if such standards
are not approved in a timely manner.

c. Quantify the initial and ongoing costs to a stakeholder to implement
these standards.

d. Provide comments on what, if any, key areas related to mDLs are not
covered in these standards that DHS should consider addressing by
regulation.

e. Identify what, if any, alternative standards or requirements DHS should
consider.

5. *Industry Standard ISO/IEC 23220-3: Communication Interface Between DMV
and mDL Device.* DHS understands that forthcoming international industry
standard ISO/IEC 23220-3 may specify digital security mechanisms and
protocols with respect to the communication interface between a DMV and a
mobile device, specifically concerning provisioning methods, data storage,
and related actions. Although DHS may seek to adopt certain requirements
anticipated to appear in this standard, the Department understands that
this standard may not be finalized for several years.

a. Explain whether commenters believe the current drafts of standard
ISO/IEC 23220-3 are mature enough to support secure and widespread
deployment of mDLs.

b. With the ongoing development of ISO/IEC 23220-3, provide comments on
what, if any, alternative standards or requirements DHS should consider
before the standard is finalized.

6. *Provisioning.* DHS understands that provisioning may be conducted
in-person, remotely, or via other methods.

a. Explain the security and privacy risks, from the perspective of any
stakeholder, presented by in-person, remote, or other provisioning methods.

b. Provide comments on the security protocols that would be required for
DMVs to mitigate security and privacy risks presented by in-person, remote,
or other provisioning methods, and to ensure at a high level of certainty
that a REAL ID compliant mDL is securely provisioned to the rightful owner
of the identity and the target mDL device, for in-person or remote
applications.

c. Provide comments on whether mDL Data should include data fields
populated with information concerning the method of provisioning used.

d. Provide estimated costs for a DMV to implement in-person or remote
provisioning. Costs may include IT contracts, hiring full or part-time IT
staff, as well as software and hardware.

7. *Storage.* DHS understands that mobile device hardware- and
software-based security architectures can be used to secure mDL Data on a
mobile device.

a. Provide comments on the advantages and disadvantages, with respect to
security, functionality, and interoperability, of the different mobile
security architectures for protecting, storing and assuring integrity of
mDL Data.

b. Explain whether a hardware- or software-based solution, or both, would
provide the requisite security in a competitively-neutral manner.

8. *Data Freshness.* Provide comments regarding whether and to what extent
security risks concerning data validity and freshness can be mitigated by
defining the frequency by which mDL Data should synchronize with its DMV
database.

a. Provide comments regarding what data synchronization periods commenters
believe are appropriate for mDL transactions. Explain the advantages and
disadvantages of longer or shorter periods.

b. Provide estimated costs to a stakeholder to implement the data
synchronization periods stated above.

9. *IT Security Infrastructure.* Provide comments on whether IT security
infrastructure, such as Public Key Infrastructure, would provide the level
of privacy and security sufficient to implement a secure and trusted
operating environment, for both offline and online use cases, and if not,
explain what alternative approaches would be better.

a. Identify what additional or alternative IT security infrastructure (
*e.g.,* a public key distributor or aggregator such as a trusted public
certificate list, Federal PKI) that would be required to facilitate trusted
mDL transactions between mDL holders, verifying entities, and issuing
authorities.

b. Provide estimated costs for a DMV or Federal agency to implement
necessary IT security infrastructure. Costs may include IT contracts,
hiring full or part-time IT staff, as well as software and hardware.

10. *Alternative IT Security Solutions.* Provide comments on whether DHS
should consider privacy or security solutions adopted in other industries,
such as finance (*e.g.,* mobile payments), automotive/telecommunications (
*e.g.,* vehicle-to-vehicle or “V2V”/“V2X” communications), or medical (
*e.g.,* electronic prescriptions for controlled substances), that rely on
digital identity and/or secure device-to-device transactions. Explain what
those solutions are and how they could be adapted or implemented for
Federal mDL use cases.

11. *Offline and Online Data Transfer Modes.* DHS understands that mDL Data
may be transferred to a Federal agency via offline and online modes.

a. Explain the security and privacy risks, from the perspective of any
stakeholder, presented by both offline and online data transfer modes.

b. Provide comments on the security protocols that would be required to
mitigate security and privacy risks presented by both offline and online
data transfer modes.

12. *Unattended Online mDL Verification.* Provide comments on what
capabilities or technologies are available to enable unattended online
mDL verification by Federal agencies. Explain the possible advantages and
disadvantages of each approach.

a. Explain the security and privacy risks, from the perspective of any
stakeholder, presented by unattended online mDL verification.

b. Provide comments on the security protocols that would be required for
DMVs to mitigate security and privacy risks presented by unattended online
mDL verification.

13. *Costs to Individuals.* Provide comments on the estimated costs,
including savings, to an individual to obtain an mDL, including:

a. Time and effort required to obtain the mDL.

b. Fees charged by DMVs.

c. Any charges for inclusion of additional information on an mDL, such as
HAZMAT endorsements, hunting, fishing, or boating licenses.

14. *Considerations for mDL Devices Other than Smartphones.* Provide
comments on whether provisioning an mDL on, or accessing an mDL from, a
device other than a smartphone (*e.g.,* a smartwatch accessing mDL Data
from a smartphone paired to it, or a mobile device authorized to access
mDL Data stored remotely), poses security or privacy considerations
different than provisioning an mDL on, or accessing an mDL from, a
smartphone. Explain such security or privacy considerations and how they
can be mitigated.

15. *Obstacles to mDL Acceptance.* Describe any obstacles to public or
industry acceptance of mDLs that DHS should consider in developing its
regulatory requirements. Provide comments on recommendations DHS should
consider addressing such obstacles, including how to educate the public
about security and privacy aspects of digital identity and mDLs.

The Department issues this RFI solely for information and program planning
purposes, and to inform a future rulemaking. Responses to this RFI do not
bind DHS to any further actions related to the response.
Received on Tuesday, 13 July 2021 04:19:32 UTC
