ISO/IEC 18013-5 vs Self-Sovereign Identity: A proposal for an mDL Verifiable Credential

In Europe, the ongoing work on eIDAS 2.0 is aimed at catalyzing the next generation of digital identity on the continent. Simultaneously on the digital mobility side of things, the Passau Declaration saw EU and EFTA Ministers of Transport come together to lay the roadmap for the mobility sector of the future in Europe. Consequently, the 13th update to the EU Driving License Directive, slated for launch in summer 2022 is set to lay the foundations for the cross-border recognition of mobile driving licenses (mDLs) on the continent.  

Making a European Digital Identity Wallet and mobile driving licenses a reality however requires an agreement on the technical standards that are a necessary pre-requisite for interoperability across borders. ISO/IEC 18013-5 (henceforth, “18013-5” for simplicity) and self-sovereign identity (SSI) as outlined by the W3C have emerged as the two dominant standards shaping the future of digital identity in Europe and beyond. Digital driving licenses have been recognized as a priority use case under the European Digital Identity Framework. Yet on the technical side, 18013-5 and SSI standards are seemingly incompatible. Combining our unique expertise with both standards, we propose possible solutions which reconcile ISO compliant mDL with the privacy protections offered by verifiable credentials.  

ISO/IEC 18013-5 vs SSI: Key points of difference

While a direct comparison of 18013-5 with SSI specifications (W3C’s Verifiable Credentials & Decentralized Identifiers) is not entirely appropriate, in the context of government identity programs we see it as useful to compare them on the following parameters – background, credential data model & trust anchor and transmission protocols.  

Background

Developed by a global working group of members of the International Standards Organization (ISO), the ISO/IEC 18013 family of standards specify the design requirements and the data content of driving licenses. After nearly a decade of work by the Working Group 10, the 18013-5 standard specifying technical and other protocols for mobile driving licenses was published in September 2021. The drafting of the standard saw the coming together of large companies in the field of identity technologies, big-tech players including Google, Apple and Microsoft and road administration agencies from across the world. Through the course of the drafting, some of the participants also developed test mDL implementations to evaluate the interoperability of mDLs in practice, informing future drafts of the document. The result is a published standard which lays out a detailed specification for mobile driving licenses based on mature and proven technologies. Following the publication, Apple has been quick to move in the US, with residents of Arizona now able to store their mDL in their Apple Wallets. 10 more states are expected to make mDLs available on iPhones to their residents soon.

SSI on the other hand is a philosophy and a technical framework deriving from it that seeks to empower users with control over their digital identity, starting from its creation to its usage and deletion; all in a privacy preserving fashion. Members of the World Wide Web Consortium (W3C) started work on the technical standards to enable SSI in 2017. In contrast with 18013-5, the SSI standards saw several start-ups, academics and independent digital identity experts participate in the drafting process alongside big tech players such as Microsoft. The openness of the community also meant that since the first adoption of VC specification as a W3C recommendation, a plethora of implementations began to emerge around the world. Most of this work resulted in foundational infrastructure, frameworks and libraries being published under open-source licenses, thereby spurring further innovation.

In conclusion, SSI has seen much broader open innovation and continues to evolve rapidly driven by an active community of developers.

Credential data model and trust anchors

On a high-level both the ISO mDL credential and VCs are composed of three main components: credential metadata, identity attributes (claims) and cryptographic material which allows a holder to prove the authenticity of presented data to a verifier. The main point of difference in the two standards lies in the cryptographic material contained in the credential.

In the case of 18013-5, the cryptographic material is contained in the Mobile Security Object (MSO). The MSO and all the claims of the mDL subject are signed by the issuing authority’s private key. The corresponding public key is used to perform issuer data authentication when an mDL is presented to a reader. All the public keys are bound to their corresponding identities using x.509 certificates which must be compiled and maintained by a certification authority (VICAL provider in the mDL context). The MSO also contains timestamps of the last update of the mDL from the issuing authority’s infrastructure, which allows and mDL reader to determine the freshness of the presented data. The mDL credential can be a correlating credential which means that the license is bound to an identifier which is revealed every time they present the credential, putting the holder at risk of being tracked across services.

In the case of SSI, there are three dominant VC types – JWT, JSON-LD and Anoncreds. Procivis’ SSI implementation leverages the latter as it is the most privacy preserving of the three. Like the mDL credential, Anoncreds contains credential metadata and claims which are signed using the issuer’s private keys. The corresponding public keys must be published to a trust list (verifiable data registry) which may be maintained by a traditional CA or alternatively be anchored on a distributed ledger or a blockchain. Anoncreds is based on Camenisch-Lysyanskaya Signatures (CL Signatures) which date back to 2002, predating SSI. This also enables Zero Knowledge Predicates (>,<,>=,<=), enabling users to prove that their claims fulfil certain criteria without revealing the entire claim, for example “Alice has a salary > 3x”. Finally, Anoncreds support non-correlating identifiers which means that a unique identifier is created for every connection that a holder establishes with a verifier. This mitigates the privacy risk of user-profiling which comes with using single identifiers with multiple online services.

In conclusion, given their non-correlating properties VCs are superior to mDL credentials in preserving the privacy of users.

 Transmission protocols

18013-5 specifies two main types of data retrieval by an mDL reader from an mDL holder– device retrieval and server retrieval. In the case of device retrieval, the mDL holder does not need to be connected to the internet and can transmit their mDL data via NFC, WiFi Aware or Bluetooth Low Energy. Alternatively, an mDL reader can also request a server retrieval token from the mDL holder which may then be used by the reader to retrieve the data directly from the IA infrastructure based on OpenID Connect or WebAPI flows.

In the SSI case, the most prominent transmission protocol is DIDComm Messaging which builds upon the decentralized design of DIDs. DIDComm is a message-based, asynchronous protocol which means that data can be transmitted intermittently without the timeouts typical of mobile and web services today. This enables data to be transmitted intermittently via the internet or peer-to-peer, which is desirable since SSI agents are often mobile devices which may not have constant internet connectivity. DIDComm can be extended to support transmission via the mDL protocols mentioned above.

Server retrieval according to the mDL standard presents a privacy risk to the holder by allowing the issuing authority to have complete visibility over all the services that an mDL may be used to authenticate to. While this might seem trivial in today’s context, in a future world where digital identity credentials are broadly used to access a plethora of public and private sector services, this would enable issuing authorities to build comprehensive user profiles of holders. This would open up honeypots for attackers and still worse could serve as weapon for discrimination in the hands of politically motivated actors, undermining the very foundations of our society.    

ISO/IEC 18013-5 vs SSI: Advantages and disadvantages in a nutshell

In conclusion, the two standards both present their advantages and disadvantages, which have been summarised below

Reconciling ISO/IEC 18013-5 with SSI: Issuing an mDL as an Anoncreds VC

Combining the benefits offered by both standards, Procivis’ proposal for an ISO compliant mDL verifiable credential is as follows:  

• An mDL is issued as a verifiable credential including ISO 18013-1 data elements and mDL Mobile Security Object (MSO) to an SSI wallet
• The MSO of the mDL credential will be periodically (periodicity to be specified by the IA) updated to prove freshness of data to an mDL reader.
• The SSI wallet will support offline interfaces (NFC & BLE) as specified in ISO 18013-5.
• We propose excluding the mDL online mode due its privacy issues.
• mDL credentials will be revoked as per Hyperledger Indy revocation protocols.

Combining the above mentioned properties, an SSI wallet holder would be able to present mDL VCs to an 18013-5 compliant mDL reader in a verifiable fashion.

by Sven Stucki, Pavel Zarecky and Adithya Pradeep

 ‍

Here, we offer a first look into what an 18013-5 compliant mDL VC could look like. With this development, Procivis and our parent company, Orell Füssli are uniquely positioned in combining expertise across the driving license spectrum with producing ISO compliant driving licenses and delivering mobile driving licenses which are both ISO and SSI compliant.