Professional Documents
Culture Documents
ISO/IEC 18013-5
5 October 2021 | W3C Credential Community Group
Arjan Geluk
2
ISO/IEC 18013-5
Communication protocols
Security mechanisms
Building an ecosystem
4
Scope and purpose
Mobile
Mobile
driving Interfaces
credentials
license
Privacy &
Avoid tracking control Data minimization
User consent Selective release 5
Architecture and transmission technologies
issuing authority
infrastructure
1 3
mobile device
device engagement
mdoc reader
mdoc 2
data retrieval – device retrieval mdoc verifier
mdoc holder
6
Requests and responses
7
Document type and namespace
ISO/IEC 18013-5
• Facilitates international interoperability by fully defining the mDL
doctype and namespace.
• Supports domestic needs by allowing domestic namespaces.
• Supports other document types by allowing different doctypes.
8
Security mechanisms
issuer data authentication
- electronic signing issuing authority
- signature verification infrastructure
TLS / JWS
(for optional server retrieval)
1 3
IACA
Root
Cert
mobile device session encryption
mdoc reader
mdoc 2
mdoc verifier
mdoc holder
mdoc authentication
(dynamic authentication) mdoc reader authentication (optional)
9
Privacy enabling features
1 3
Data minimization
mobile device Selective release
mdoc reader
mdoc 2
mdoc verifier
mdoc holder
Transparency of intent Purpose limitation
to retain for collection & processing
Informed user consent 10
ISO/IEC JTC1 – Information Technology
12
Development of ISO/IEC 18013-5
Test events
2021: 29 September
Inventory of 2020: Draft FDIS 2021:
needs & International publication
2018, 2019: Standard
requirements Committee
drafts
2017: New
Work Item
2014:
Taskforce
established Ballots; over 2,000
comments processed
13
Ongoing standardization efforts 1
ISO/IEC
mDL test methods
18013-6
14
Building an ecosystem
Parts of the puzzle
Support by
mobile OSs
mVR
Other Certified
document mdocs and
micov types mdoc readers
ISO/IEC
18013-5
ecosystem
Launching Root
issuing certificate
authorities distribution
17
ISO/IEC 18013-5 &
Verifiable Credentials
A standards-based implementation of Verifiable Credentials?
I think that ISO 18013-5 and VCs
should not be seen as competitors,
but as complements. That’s nice. But what do you
mean, complements?
Well. My impression is that without
further specification, different
implementations of the VC Data You mean because we have no
Model may not be interoperable… common communication
protocols, requests/responses
and security mechanisms?
Exactly. But perhaps we can combine
VCs with ISO 18013-5 to solve that.
OK, how?
I can think of four ways, actually.
Let’s check them out, then!
19
Model 1: New implementation based on both specs
VC
ISO/IEC
Data
18013-5
Model
New implementation
20
Model 1 considerations
Full ISO
18013-5
functionality
Attributes
New
according to
docType +
VC Data
namespace
Model
Model 1
VC is
Use MSO as
located in
external
mobile
proof
device
VDR
=
VICAL
21
Model 2: ISO-compliant app as the repository for existing VC
ISO/IEC
18013-5
mDL
VC
22
Model 2 considerations
Share QR
and/or NFC
functions
Share user
May need to
interface,
re-certify
secure data
application
storage
Model 2
VC proof
Still need to
mechanism;
specify
no use of
interfaces
MSO
23
Model 3: Store existing VC as data element in an ISO mdoc
ISO/IEC
18013-5
mdoc
VC
24
Model 3 considerations
ISO 18013-5
functionality
No selective No need to
release of change VC
VC attributes definition
Model 3
Use of VC
Store in
proof plus
CBOR bstr
MSO
New
namespace
(+docType)
25
Model 4: Store existing VC as ISO-compliant document
ISO/IEC
18013-5
VC claims
VC
26
Model 4 considerations
Full ISO
18013-5
functionality
VC is
New
located in
docTyoe +
mobile
namespace
device
Model 4
27
Questions?
Comments?
Let’s discuss!
Arjan Geluk
identity management and security | UL
arjan.geluk@ul.com