[Openid-specs-ab] Overview of ISO mDL/eID standards and OIDC standards
Tom Jones
thomasclinganjones at gmail.com
Wed May 4 01:16:56 UTC 2022
As I pointed out in my comments to the DHS, it is illegal to charge for
standards that are used in federal regulations. As a result, this finding
was published, which gives access to the document to residents of the US for
no charge.
https://www.federalregister.gov/documents/2021/09/16/2021-19812/notification-of-document-availability-and-reopening-of-comment-period-on-request-for-information
..tom
On Tue, May 3, 2022 at 3:24 PM Kristina Yasuda via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> Hi,
>
> (because many have been asking and I think it will be useful) Sending out
> a summary of the relationship/status between ISO mDL/eID (mobile Driving
> Licence/electronic ID) standards and OpenID Connect Core and the
> SIOPv2/OIDC4VP/OpenID4CI specifications family, which has been long overdue.
>
> First, to set the context:
>
> - The ISO/IEC 18013 series focuses on mobile Driving Licence only. -5, -7
> are numbers of separate specifications within the same series, not
> version numbers. The 18013 series is what enabled the international driving licence
> ecosystem in the first place (if you ever had a paper international driving
> licence, that’s 18013!).
>
> o 18013-5 focuses on “attended” mDL presentation, meaning the End-User
> presents mDL to the RP (mDL reader in ISO terms) in-person, but using a
> digital representation of a driving licence. It is a published
> international standard available for purchase here:
> https://www.iso.org/standard/69084.html
>
> o 18013-7 focuses on “unattended” mDL presentation, where the End-User
> can present mDL to the RP “over the Internet” aka HTTP/WebSocket, etc. It
> is WIP, not published yet, and not on the international standard track, but on the
> technical specification track, which allows the timeframe to be a little
> faster: https://www.iso.org/standard/82772.html. The first Working Draft
> is WIP.
>
> o Issuance is out of scope for both.
>
> - The ISO/IEC 23220 series focuses on mobile eID Documents, which are more
> general than just Driving Licences. The series is generally referred to as
> “building blocks” that implementors can choose from, in comparison to
> 18013-5, which has mandatory-to-implement features that ensure that
> compliant implementations are interoperable by default. 23220-1 is on the
> international standards track and about to be published, while the others in the
> series are on the technical specification track, still in the Working Draft stage.
>
> Now to the relationship between ISO and OIDC specifications:
>
> - ISO/IEC 18013-5 lists OpenID Connect Core as a normative reference.
> The End-User can present an mDL over BLE/NFC directly to the RP, or can
> also give the RP a token over BLE/NFC that the RP can exchange with an
> authorization code to obtain an mDL from the Issuing Authority using the OpenID
> Connect authorization code flow.
> - Privacy groups have criticized the use of OpenID Connect Core in
> 18013-5 as not being privacy preserving, because it is an “issuer call home”
> compared to a direct interaction between an End-User and the RP without the RP
> talking directly to the Issuer.
> - Now to each specification in the 23220 series:
> - 23220-1 defines generic system architectures of mobile
> eID-Systems, i.e. enumerating interfaces between various entities involved in
> issuance/presentation. No reference to OIDC.
> - 23220-2 defines a data model of mobile eID-Systems. It includes
> CDDL data model using Mobile Security Object (MSO) from 18013-5, but also
> includes JSON-encoding of MSO and examples of mapping MSO to W3C Verifiable
> Credentials and Verifiable Presentations.
> - 23220-3 defines an issuance/provisioning flow of mobile
> eID-Systems. There are ongoing discussions of potentially including the OpenID
> for Credential Issuance specification here.
> - 23220-4 defines a presentation flow of mobile eID-Systems. It
> includes device engagement (NFC/BLE) and server engagement (OIDC) from
> 18013-5 but also includes SIOP/OIDC4VP as a way to transport credentials
> over the Internet (HTTP).
> - ISO/IEC 18013-7 will largely rely on 23220-4. And the goal would be
> to include SIOP/OIDC4VP as one of the options for mDL over the Internet,
> but the conversations are just starting.
>
> Best,
>
> Kristina
>
> (There are more nuances, but hope this is a good start.)