Mobile Driver's License Criteria: Difference between revisions

From IDESG Wiki
Jump to navigation Jump to search
Line 32: Line 32:
* [https://www.thalesgroup.com/en/markets/digital-identity-and-security/government/driving-licence/digital-driver-license NIST pilot run by Thales] This page has a list (20201-10) of states that have mDL tests in progress.
* [https://www.thalesgroup.com/en/markets/digital-identity-and-security/government/driving-licence/digital-driver-license NIST pilot run by Thales] This page has a list (20201-10) of states that have mDL tests in progress.
* [https://www.aamva.org/Mobile-Drivers-License/  AAMVA page dedicated to Mobile Driver's License (mDL)]
* [https://www.aamva.org/Mobile-Drivers-License/  AAMVA page dedicated to Mobile Driver's License (mDL)]
===Privacy Considerations===
* [https://security.googleblog.com/2020/10/privacy-preserving-features-in-mobile.html Google Privacy-preserving features in the Mobile Driving License] (2020-10-28) Which depends on the following Android 11 API3 0 Identity Credential features, However a keystore backed version will run on API 24 and later.
** [https://developer.android.com/reference/android/security/identity/IdentityCredentialStore IdentityCredentialStore] first available in [https://developer.android.com/reference/kotlin/androidx/security/identity/IdentityCredential API 30].
** [https://developer.android.com/jetpack/androidx/releases/security#security-identity-credential_version_100_2 Android Jet-pack] (2020-08-19) Security-Identity-Credential Version 1.0.0-alpha01 (and later), compatible with the data structures in the  ISO 18013-5 Personal identification — ISO-compliant driving license — Part 5: Mobile driving licence (mDL) application
===Consent and Notice===
The spec is unclear how exactly how the mDL in a smartphone would provide notice or consent. The following are an expectation of a user.
# Who wants to know - hopefully this would be a trustworthy statement of the reader's owner.
# What will they do with the information?
# What data is requested.  Most interesting is the picture and ID #.
Notice in a case like this is difficult as the standard does not even require the mDL reader from reporting the name of the entity requesting the id. Assuming that it did the question is whether that would constitute notice or if some sort of consent receipt would be required.


==References==
==References==

Revision as of 19:22, 19 April 2021

Full Title or Meme

The Mobile Driver's License Criteria for a high level of Identity and Authentication Assurance.

Context

Actors

  1. Holder - the subject of the Mobile Driver's License
  2. Reader - a device that can read and verify the mDL, which is presumably hosted in a native smart phone app
  3. Issuing Authority - typically a state motor vehicle agency.
  4. Trust Authority - some sort of wide ranging list of valid participators - not well defined at this point.
  • Caution on terms. mDL and mDL app get conflated in the specs. The full mDL is seldom/never released by the app to the reader/verifier.
  • Compare there terms Verifiable Credential and Presentation Exchange from the DIF folk. The VC (like the mDL or mdoc) may be in the smartphone, but only a part is "presented" to the reader.

Use Cases

Problems

Solutions

References