Introduction to

ISO/IEC 18013-5
5 October 2021 | W3C Credential Community Group

Arjan Geluk

UL and the UL logo are trademarks of UL LLC © 2021.

Presenter

Arjan Geluk, CISA

Lead Principal Advisor, Identity Management & Security, UL

Leiden, The Netherlands
ISO Mobile Driving License Task Force leader
Special technical advisor to AAMVA’s Joint mDL WG
arjan.geluk@ul.com

2
ISO/IEC 18013-5

Scope and purpose

Communication protocols

Security mechanisms

Privacy enhancing features

Building an ecosystem

ISO/IEC 18013-5 & Verifiable Credentials

4
Scope and purpose

Mobile
Mobile
driving Interfaces
credentials
license

Data exchange architecture Data authenticity

Interoper-
Transmission technologies Security Data-device binding
ability
Message formats Data security during
mDL data model transport

Privacy &
Avoid tracking control Data minimization
User consent Selective release 5
Architecture and transmission technologies

issuing authority
infrastructure

1 3

mobile device
device engagement
mdoc reader
mdoc 2
data retrieval – device retrieval mdoc verifier
mdoc holder

6
Requests and responses

• Request and response messages are fully specified.

• CBOR encoded for device engagement and device retrieval.
• Request and response formats are independent of whether BLE,
NFC or Wi-Fi Aware is used.
• Reader must request each data element individually.
• Holder can deny release of each data element individually.
• Data from multiple documents/namespaces can be retrieved
with a single request + response.

7
Document type and namespace

ISO/IEC 18013-5
• Facilitates international interoperability by fully defining the mDL
doctype and namespace.
• Supports domestic needs by allowing domestic namespaces.
• Supports other document types by allowing different doctypes.

Transmission technologies, request/response messages and security

mechanisms can be used with any document type or namespace.

8
Security mechanisms
issuer data authentication
- electronic signing issuing authority
- signature verification infrastructure

TLS / JWS
(for optional server retrieval)
1 3

IACA
Root
Cert
mobile device session encryption
mdoc reader
mdoc 2
mdoc verifier
mdoc holder
mdoc authentication
(dynamic authentication) mdoc reader authentication (optional)
9
Privacy enabling features

issuing authority Data accuracy

infrastructure Integrity and confidentiality
Unlinkability of transactions

1 3

Data minimization
mobile device Selective release
mdoc reader
mdoc 2
mdoc verifier
mdoc holder
Transparency of intent Purpose limitation
to retain for collection & processing
Informed user consent 10
ISO/IEC JTC1 – Information Technology

ISO is an independent, non-governmental

international organization with a
membership of 165 national standards
bodies

12
Development of ISO/IEC 18013-5

Test events

2021: 29 September
Inventory of 2020: Draft FDIS 2021:
needs & International publication
2018, 2019: Standard
requirements Committee
drafts
2017: New
Work Item

2014:
Taskforce
established Ballots; over 2,000
comments processed
13
Ongoing standardization efforts 1

ISO/IEC
mDL test methods
18013-6

mDL add-on functions

ISO/IEC
• Unattended use cases
18013-7
• Issuer-verified mDLs

14
Building an ecosystem
Parts of the puzzle

Support by
mobile OSs
mVR

Other Certified
document mdocs and
micov types mdoc readers
ISO/IEC
18013-5
ecosystem

Launching Root
issuing certificate
authorities distribution

17
ISO/IEC 18013-5 &
Verifiable Credentials
A standards-based implementation of Verifiable Credentials?
I think that ISO 18013-5 and VCs
should not be seen as competitors,
but as complements. That’s nice. But what do you
mean, complements?
Well. My impression is that without
further specification, different
implementations of the VC Data You mean because we have no
Model may not be interoperable… common communication
protocols, requests/responses
and security mechanisms?
Exactly. But perhaps we can combine
VCs with ISO 18013-5 to solve that.
OK, how?
I can think of four ways, actually.
Let’s check them out, then!
19
Model 1: New implementation based on both specs

VC
ISO/IEC
Data
18013-5
Model

New implementation
20
Model 1 considerations
Full ISO
18013-5
functionality
Attributes
New
according to
docType +
VC Data
namespace
Model

Model 1

VC is
Use MSO as
located in
external
mobile
proof
device
VDR
=
VICAL

21
Model 2: ISO-compliant app as the repository for existing VC

ISO/IEC
18013-5

mDL

VC

22
Model 2 considerations
Share QR
and/or NFC
functions

Share user
May need to
interface,
re-certify
secure data
application
storage
Model 2

VC proof
Still need to
mechanism;
specify
no use of
interfaces
MSO

23
Model 3: Store existing VC as data element in an ISO mdoc

ISO/IEC
18013-5

mdoc
VC

24
Model 3 considerations
ISO 18013-5
functionality

No selective No need to
release of change VC
VC attributes definition

Model 3

Use of VC
Store in
proof plus
CBOR bstr
MSO

New
namespace
(+docType)

25
Model 4: Store existing VC as ISO-compliant document

ISO/IEC
18013-5
VC claims
VC

26
Model 4 considerations
Full ISO
18013-5
functionality

VC is
New
located in
docTyoe +
mobile
namespace
device
Model 4

VDR Use MSO as

external
=
proof (+ VC
VICAL proof)

27
 Questions?
Comments?

Let’s discuss!

Arjan Geluk
identity management and security | UL
arjan.geluk@ul.com