Mobile Driver's License Criteria: Difference between revisions

Full Title or Meme

The Mobile Driver's License Criteria for a high level of Identity and Authentication Assurance.

Context

• The issuance of ISO 18013-5 for a Mobile Driver's License an increasing level of trials towards getting driver's licenses installed on Smartphones.
• The US Office of Strategy, Policy and Planns, of the Department of Homeland Security (DHS) has issued a RFC for security standards and requirements to enable Federal agencies to accept them if compliant with the REAL ID. Comments are due by 2021-06-18.
  • This includes comments relating to the economic, privacy, security, environmental, energy, or federalism impacts that might result from a future rulemaking based on input received as a result of this RFI.
• Also see the companion document on Mobile Driver's License for a view that includes issues like privacy and consent, which are not addressed here.
• There are 49 states that accept driver's license on smartphones for some purposes.
• Report from the Privacy & Identity Protection in mobile Driving License ecosystems Discussion Group working draft.
• Google announced (2020-11-04) privacy-preserving features in Android's Mobile Driving License framework including the credential API in Android 11.
• The Kantara's discussion group on Privacy and Identity in the mobile driver' license aka PImDL focus is now on North America where individual provinces and states are responsible for issuing Identity Cards based for a wide variety of purposes beyond just the attributes present on a driver's license.

Actors

1. Holder - the subject of the Mobile Driver's License
2. Reader - a device that can read and verify the mDL, which is presumably hosted in a native smart phone app
3. Issuing Authority - typically a state motor vehicle agency.
4. Trust Authority - some sort of wide ranging list of valid participators - not well defined at this point.

Taxonomy

• Caution on terms. mDL and mDL app get conflated in the specs. The full mDL is seldom/never released by the app to the reader/verifier.
• Compare there terms Verifiable Credential and Presentation Exchange from the DIF folk. The VC (like the mDL or mdoc) may be in the smartphone, but only a part is "presented" to the reader.
• Digital identity is generally recognized as the digital representation of an individual in an electronic transaction. (from RFC).
• An mDL is a digital representation of the identity information contained on a state-issued physical DL/ID. (from RFC).
• Authenticate means establishing that a certain thing (e.g., mDL Data) belongs to its purported owner (e.g., mDL Holder) and has not been altered.
• A Certificate Authority issues Digital Certificates that are used to certify the identity of parties in a digital transaction.
• Data Freshness refers to the synchronization of mDL Data stored on a mobile device to data in a DMV’s database, within a specified time period.
• Department of Motor Vehicles (DMV) refers to the state agency or its authorized agent responsible for issuing an mDL and for maintaining mDL data in its database.
• Digital Certificates establish the identities of parties in an electronic transaction, such as recipients or digital signatories of encrypted data.
• Digital Signatures are mathematical algorithms routinely used to validate the authenticity and integrity of a message.
• Identity Proofing refers to a series of steps that a DMV executes to prove the identity of a person.
• Identity Verification is the confirmation that identity data belongs to its purported holder.
• Issuance includes the various processes of a DMV to approve an individual’s application for a REAL ID driver’s license or identification card.
• An mDL is a digital representation of the information on a state-issued physical DL/ID, and is stored on, or accessed via, a mobile device.
• mDL Data is an individual’s identity and DL/ID data that is stored and maintained in a database controlled by a DMV and may also be stored and maintained on an individual’s mDL.
• mDL Holder refers to the owner of a mobile device.
• mDL Reader refers to an electronic device that ingests mDL Data from a mobile device.
• Offline means no live connection to the internet.
• Online means a live connection to the internet.
• An mDL Public Key Distributor is a trusted entity responsible for compiling and distributing Digital Certificates issued by DMVs.
• Public Key Infrastructure (PKI) means a structure where a Certificate Authority uses Digital Certificates for Identity Proofing and for issuing, renewing, and revoking digital credentials.
• Provisioning refers to the various steps required for a DMV to securely place an mDL onto a mobile device.
• Token means a cryptographic key used to authenticate a person’s identity.

Use Cases

• TSA acceptance at transportation check-in lines.
• Building access for many Federal buildings.
• Mobile_Driver's License in Healthcare
• State Issued ID for Healthcare on this wiki lists other uses states might have for the mDL standard format.
• Currently kiosks have been deployed that accept ISO 18013 compatible Driver's License cards. The same capability is likely to be required for ISO 18013-5 Mobile Driver's Licenses.

Problems

• REAL ID has yet to approve a single state's Mobile Driver's License (mDL) for Federal access.
• Supply Chain for components of the mDL has not been a part of existing criteria, but needs to be included based on the Solar Winds attack of government and commercial access.

The REAL ID Act

• The Act set minimum requirements for state-issued DL/ID accepted by Federal agencies for official purposes, including accessing Federal facilities, boarding federally regulated commercial aircraft, entering nuclear power plants, etc.
• Full enforcement of the REAL ID regulation begins October 1, 2021 (note that his date has already been extended innumerable times.)
• Examples of security requirements applicable to physical cards include ‘‘common machine-readable technology’’ and ‘‘security features designed to prevent tampering, counterfeiting, or duplication . for fraudulent purposes. (i.e. ISO 18013-1 plus a few embellishments.)
• Good security practices in creating an implementing the distribution.
• ISO 18013-5 (mDL) will need embellishments as well for the REAL ID Act. AAMVA is given official recognition in this effort.
• For Federal agencies to accept mDLs for official purposes, an mDL ecosystem must allow for trusted and secure communications between a DMV, a mobile device, and a federal agency.
• a system would provide functionality analogous to the physical security features required under 6 CFR 37.15 that are designed to deter forgery and counterfeiting, promote confidence in the authenticity of the DL/ID, and facilitate detection of fraud.
• a DMV would be responsible for issuing an mDL and enabling a user’s mobile device to store and/or access mDL data.
• An individual’s mDL Device would transmit mDL Data, or a digital ‘‘token,’’ to the reader via wireless or secure optical communication protocols.
• the reader and mobile device would require the capability to communicate and authenticate the mDL data in at least offline (no internet connection) mode. The system would require digital security protocols to protect the confidentiality, privacy, security, and integrity of the mDL data, through its full lifecycle.

Responses to RFC

References

• nice description on Medium
• Pew Research mobile fact sheet
• review the mDL resources available from the Secure Technology Alliance on the mDLConnection website
• What does REAL-ID Act “enforcement” really mean? The Identity Project.