<div dir="ltr"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><span style="background-color:rgb(242,242,242);color:rgba(0,0,0,0.9);font-family:-apple-system,system-ui,system-ui,"Segoe UI",Roboto,"Helvetica Neue","Fira Sans",Ubuntu,Oxygen,"Oxygen Sans",Cantarell,"Droid Sans","Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Lucida Grande",Helvetica,Arial,sans-serif;font-size:14px;white-space:pre-wrap">As I pointed out in my comments to the DHS, it is illegal to charge for standards that are used in federal regulations. As a result this finding was published which gives access to the document to residents of the US for no charge.</span></div><div><a href="https://www.federalregister.gov/documents/2021/09/16/2021-19812/notification-of-document-availability-and-reopening-of-comment-period-on-request-for-information">https://www.federalregister.gov/documents/2021/09/16/2021-19812/notification-of-document-availability-and-reopening-of-comment-period-on-request-for-information</a></div><div><span style="background-color:rgb(242,242,242);color:rgba(0,0,0,0.9);font-family:-apple-system,system-ui,system-ui,"Segoe UI",Roboto,"Helvetica Neue","Fira Sans",Ubuntu,Oxygen,"Oxygen Sans",Cantarell,"Droid Sans","Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Lucida Grande",Helvetica,Arial,sans-serif;font-size:14px;white-space:pre-wrap"><br></span></div><div><span style="background-color:rgb(242,242,242);color:rgba(0,0,0,0.9);font-family:-apple-system,system-ui,system-ui,"Segoe UI",Roboto,"Helvetica Neue","Fira Sans",Ubuntu,Oxygen,"Oxygen Sans",Cantarell,"Droid Sans","Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Lucida Grande",Helvetica,Arial,sans-serif;font-size:14px;white-space:pre-wrap"> </span>..tom</div></div></div></div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, May 3, 2022 at 3:24 PM Kristina Yasuda via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div lang="EN-US" style="overflow-wrap: break-word;">
<div class="gmail-m_-7547610729559127106WordSection1">
<p class="MsoNormal">Hi, <u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">(because many have been asking and I think it will be useful) Sending out a summary of a relationship/status between ISO mDL/eID (mobile Driving Licence/electronic ID) standards and OpenID Connect Core and SIOPv2/OIDC4VP/OpenID4CI specifications
family, which has been long overdue.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">First, to set the context:<u></u><u></u></p>
<ul style="margin-top:0in" type="disc">
<li class="gmail-m_-7547610729559127106MsoListParagraph" style="margin-left:0in">ISO/IEC 18013 series focus on mobile Driving Licence only. -5, -7 are numbers of separate specifications within the same series, not the version numbers. 18013 series is what enabled
international driving licence ecosystem in the first place (if you ever had a paper international driving licence, that’s 18013!).<u></u><u></u></li></ul>
<p class="gmail-m_-7547610729559127106MsoListParagraph" style="margin-left:0.75in">
<u></u><span style="font-family:"Courier New""><span>o<span style="font:7pt "Times New Roman"">
</span></span></span><u></u>18013-5 focuses on “attended” mDL presentation, meaning the End-User presents mDL to the RP (mDL reader in ISO terms) in-person, but using a digital representation of a driving licence. It is a published international standard
available for purchase here: <a href="https://www.iso.org/standard/69084.html" target="_blank">https://www.iso.org/standard/69084.html</a><u></u><u></u></p>
<p class="gmail-m_-7547610729559127106MsoListParagraph" style="margin-left:0.75in">
<u></u><span style="font-family:"Courier New""><span>o<span style="font:7pt "Times New Roman"">
</span></span></span><u></u>18013-7 focuses on “unattended” mDL presentation, where the End-User can present mDL to the RP “over the Internet” aka HTTP/WebSocket, etc. It is WIP, not published yet, and not on international standard track, but a technical
specification track, which allow the timeframe to be a little faster: <a href="https://www.iso.org/standard/82772.html" target="_blank">
https://www.iso.org/standard/82772.html</a>. The first Working Draft is WIP.<u></u><u></u></p>
<p class="gmail-m_-7547610729559127106MsoListParagraph" style="margin-left:0.75in">
<u></u><span style="font-family:"Courier New""><span>o<span style="font:7pt "Times New Roman"">
</span></span></span><u></u>Issuance is out of scope for both<u></u><u></u></p>
<ul style="margin-top:0in" type="disc">
<li class="gmail-m_-7547610729559127106MsoListParagraph" style="margin-left:0in">ISO/IEC 23220 series focus on mobile eID Documents, which are more general than just Driving Licences. The series is generally referred to as “building blocks” that implementor can
choose from, in comparison to 18013-5 that has mandatory to implement features that ensures that compliant implementations are interoperable by default. 23220-1 is in international standards track about to be published, while others in the series are in technical
standards track still in the Working Draft stage. <u></u><u></u></li></ul>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Now to the relationship between ISO and OIDC specifications:<u></u><u></u></p>
<ul style="margin-top:0in" type="disc">
<li class="gmail-m_-7547610729559127106MsoListParagraph" style="margin-left:0in">ISO/IEC 18013-5 lists OpenID Connect Core as a normative reference. End-User can present an mDL over BLE/NFC, directly to the RP, or it can also give RP a token over BLE/NFC that RP
can exchange with an authorization code to obtain an mDL from the Issuing Authority using OpenID Connect authorization code flow.<u></u><u></u></li><ul style="margin-top:0in" type="circle">
<li class="gmail-m_-7547610729559127106MsoListParagraph" style="margin-left:0in">Privacy groups have criticized the use of OpenID Connect Core in 18013-5 as being not privacy preserving because it is an “issuer call home” compared to a direct interaction between
an End-User and the RP without RP talking directly to the Issuer<u></u><u></u></li></ul>
<li class="gmail-m_-7547610729559127106MsoListParagraph" style="margin-left:0in">Now to each specification in 23220 series<u></u><u></u></li><ul style="margin-top:0in" type="circle">
<li class="gmail-m_-7547610729559127106MsoListParagraph" style="margin-left:0in">23220-1 defines generic system architectures of mobile eID-Systems ie enumerating interfaces between various entities involved in issuance/presentation. No reference to OIDC.<u></u><u></u></li><li class="gmail-m_-7547610729559127106MsoListParagraph" style="margin-left:0in">23220-2 defines a data model of mobile eID-Systems. It includes CDDL data model using Mobile Security Object (MSO) from 18013-5, but also includes JSON-encoding of MSO and examples
of mapping MSO to W3C Verifiable Credentials and Verifiable Presentations.<u></u><u></u></li><li class="gmail-m_-7547610729559127106MsoListParagraph" style="margin-left:0in">23220-3 defines an issuance/provisioning flow of mobile eID-Systems. There are ongoing discussions of potentially including OpenID for Credential Issuance specification here<u></u><u></u></li><li class="gmail-m_-7547610729559127106MsoListParagraph" style="margin-left:0in">23220-4 defines a presentation flow of mobile eID-Systems. It includes device engagement (NFC/BLE) and server engagement (OIDC) from 18013-5 but also includes SIOP/OIDC4VP as a way
to transport credentials over the Internet (HTTP).<u></u><u></u></li></ul>
<li class="gmail-m_-7547610729559127106MsoListParagraph" style="margin-left:0in">ISO/IEC 18013-7 will largely rely on 23220-4. And the goal would be to include SIOP/OIDC4VP as one of the options for mDL over the Internet, but the conversations are just starting.<u></u><u></u></li></ul>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Best,<u></u><u></u></p>
<p class="MsoNormal">Kristina<u></u><u></u></p>
<p class="MsoNormal">(There are more nuances, but hope this is a good start.)<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="https://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</blockquote></div>