Re: Binding an iso mDL to VC ecosystem for online verification

As a member and long-term contributor to SC17/JTC1 ISO/IEC WG10, which
defined the ISO 18013-5 standard for close-proximity presentation of mDLs
in the mdoc format, and the ISO 18013-7 specification for online
presentation of mDLs, I wanted to provide some clarifications regarding ISO
mdocs. Additionally, I contribute to WG4, which focuses on building blocks
for the presentation and issuance of credentials in the mdoc format (ISO
23220 series).

I want to clarify two things:

1. ISO mdocs can be used with protocols beyond ISO 18013-5. While ISO
18013-5 defines ISO mdoc data structures and additional retrieval
mechanisms for verifiers and holders, ISO mdocs are not restricted to
protocols defined in ISO 18013-5. For example: W3C WICG browser API,
OID4VP, OID4VCI, ISO 18013-7 (RestAPI and OID4VP), ISO 23220-4 and ISO
23220-3. These protocols define different ways for the issuance and
presentation of ISO mdoc data structures between verifier, holder, and
issuer, demonstrating that ISO mdocs can be used outside of ISO 18013-5.
Technically, one could send ISO mdoc data structures via DIDComm by
creating a protocol-specific "Handover" structure for this purpose.

2. ISO mdocs can use different credential types and data models: ISO mdocs
have been tested at several interoperability events for different
credential types (referred to as document types), such as: mDL, Mobile
vehicle registration, PIDs, COVID passes. Interoperability was demonstrated
for close-proximity presentation, online presentation, and issuance (e.g.,
a potential interop event using OID4VCI). You can think of ISO 18013-5 as
the specification defining the mDL data model for mDLs. All you need to do
is to define your doctype, e.g., com.something.foo, a namespace, and data
element identifiers for that namespace. One can also reuse existing
namespaces and data element identifiers.

To demystify the ISO specifications on mdocs, the OIDF DCP WG added the
following to OID4VP to explain the relationship between all the different
ISO specs:

> ISO/IEC 18013-5:2021 defines a mobile driving license (mDL) credential in
the mobile document (mdoc) format. Although ISO/IEC 18013-5:2021 is
specific to mobile driving licenses (mDLs), the credential format can be
utilized with any type of credential (or mdoc document type). The ISO/IEC
23220 series has extracted components from ISO/IEC 18013-5:2021 and ISO/IEC
TS 18013-7 that are common across document types to facilitate the
profiling of the specification for other document types. The core data
structures are shared between ISO/IEC 18013-5:2021, ISO/IEC 23220-2, and
ISO/IEC 23220-4, which are encoded in CBOR and secured using COSE_Sign1.

For historical reasons, ISO 18013-5 mDL close-proximity presentation was
the first standard on ISO mdocs, but it always allowed for other retrieval
protocols and credential types. The ISO 23220 series was started after ISO
18013-5.

Furthermore, I checked the California DMV website to see what credential
format they use for their online use case. It appears they are still using
W3C JWT-VCs for login and not ISO mdocs, although this would be possible
now since ISO 18013-7 is about to be published. You can verify this
yourself by following these steps:

- Go to the California DMV website: https://www.dmv.ca.gov/portal/mydmv
- Click "Login with CA DMV mDL," which will show a QR code.
- The decoded QR code contains an OID4VP request requesting a credential in
the "jwt_vc_json" format.

NIST NCCoE is going to run pilots using ISO 18013-7/W3C WICG browser API
for several online use cases, which shows that ISO mDL can be used for
purposes beyond close-proximity verification.

I hope those clarifications helped. If you have any questions on ISO mdocs,
feel free to reach out.

Thanks,
Oliver
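Point 2 above worked through in code, as an added example that is not from the original post nor from any ISO or OIDF project: an issuer wraps data elements for a custom doctype in IssuerSignedItems and records their SHA-256 digests in the MSO, and a verifier checks the docType and recomputes the digests over whatever subset the holder disclosed. The minimal CBOR encoder, the doctype com.something.foo, the namespace com.something.foo.1 and the sample values are assumptions; the COSE_Sign1 signature over the MSO is assumed to have been verified already and is not shown.

```python
import hashlib
import os

def cbor(v):
    # Minimal CBOR encoder (RFC 8949) for the types used here; an assumption, not a full codec.
    def head(major, n):
        if n < 24:
            return bytes([major << 5 | n])
        for add, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
            if n < 1 << (8 * size):
                return bytes([major << 5 | add]) + n.to_bytes(size, "big")
    if isinstance(v, bool):   # before int: bool is a subclass of int in Python
        return b"\xf5" if v else b"\xf4"
    if isinstance(v, int):
        return head(0, v) if v >= 0 else head(1, -1 - v)
    if isinstance(v, bytes):
        return head(2, len(v)) + v
    if isinstance(v, str):
        e = v.encode()
        return head(3, len(e)) + e
    if isinstance(v, list):
        return head(4, len(v)) + b"".join(map(cbor, v))
    if isinstance(v, dict):
        return head(5, len(v)) + b"".join(cbor(k) + cbor(x) for k, x in v.items())
    raise TypeError(type(v))

def item_bytes(item):
    # IssuerSignedItemBytes = #6.24(bstr .cbor IssuerSignedItem); 0xd8 0x18 is CBOR tag 24.
    return b"\xd8\x18" + cbor(cbor(item))

def issue(doctype, namespaces):
    """Issuer side: one IssuerSignedItem per data element, plus the MSO's valueDigests."""
    signed, digests, digest_id = {}, {}, 0
    for ns, elements in namespaces.items():
        signed[ns], digests[ns] = [], {}
        for ident, value in elements.items():
            item = {"digestID": digest_id, "random": os.urandom(16),   # salt hides guessable values
                    "elementIdentifier": ident, "elementValue": value}
            signed[ns].append(item)
            digests[ns][digest_id] = hashlib.sha256(item_bytes(item)).digest()
            digest_id += 1
    mso = {"version": "1.0", "digestAlgorithm": "SHA-256", "docType": doctype, "valueDigests": digests}
    return signed, mso

def verify(expected_doctype, mso, presented):
    """Verifier side, assuming the COSE_Sign1 over the MSO was already checked."""
    if mso["docType"] != expected_doctype:   # an mDL is not a com.something.foo credential
        return False
    for ns, items in presented.items():      # only the disclosed subset is needed
        for item in items:
            expected = mso["valueDigests"].get(ns, {}).get(item["digestID"])
            if expected != hashlib.sha256(item_bytes(item)).digest():
                return False
    return True
```

Because each disclosed item carries its own digestID and random salt, the verifier can check a single element against the issuer-signed MSO without seeing the rest of the document.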

On Fri, 21 Jun 2024 at 08:37, John, Anil <anil.john@hq.dhs.gov> wrote:

> > So from a TSA perspective they are currently only accepting the ISO mDL,
> > not the VC based documents …
>
> This is correct.
>
> TSA is currently accepting only ISO 18013-5 (mDL) conformant driver’s
> licenses as part of an in-person presentation at some of its domestic U.S.
> airport checkpoints in conformance with the implementation of the REAL ID
> Act.
>
> AFAIK:
>
>    - REAL ID Act only applies to State-issued driver’s licenses and
>    State-issued identification cards. It defines a “driver’s license” to
>    include “driver’s licenses stored or accessed via electronic means, such as
>    mobile or digital driver’s licenses, which have been issued in accordance
>    with regulations prescribed by the Secretary.”
>    - The REAL ID Act and associated rule making is limited to in-person
>    Federal acceptance of mDLs for official purposes.
>       - The REAL ID Act defines official purposes as including but not
>       limited to accessing Federal facilities, boarding federally regulated
>       commercial aircraft, entering nuclear power plants, and any other purposes
>       that the Secretary shall determine.
>       - Notably, because the Secretary has not determined any other
>       official purposes, the REAL ID Act and regulations do not apply to Federal
>       acceptance of driver’s licenses and identification cards for other
>       purposes, such as applying for Federal benefits programs, submitting
>       immigration documents, or other Federal programs.
>
> <break>
>
> Don’t conflate an mDL, i.e., an ISO 18013-5 conformant credential (A
> tightly coupled driver’s license attribute bundle + mdoc data model +
> in-person presentation interface) with a credential that is utilizing the
> mdoc data model.
>
> Best Regards,
>
> Anil
>
> Anil John
> Technical Director, Silicon Valley Innovation Program
> Science and Technology Directorate
> US Department of Homeland Security
> Washington, DC, USA

Received on Friday, 21 June 2024 08:05:46 UTC