Mobile Driver's License Criteria

From IDESG Wiki
Jump to navigation Jump to search

Full Title or Meme

The Mobile Driver's License Criteria for a high level of Identity and Authentication Assurance.

Context

Actors

  1. Holder - the subject of the Mobile Driver's License
  2. Reader - a device that can read and verify the mDL, which is presumably hosted in a native smart phone app
  3. Issuing Authority - typically a state motor vehicle agency.
  4. Trust Authority - some sort of wide ranging list of valid participators - not well defined at this point.
  • Caution on terms. mDL and mDL app get conflated in the specs. The full mDL is seldom/never released by the app to the reader/verifier.
  • Compare there terms Verifiable Credential and Presentation Exchange from the DIF folk. The VC (like the mDL or mdoc) may be in the smartphone, but only a part is "presented" to the reader.
  • Digital identity is generally recognized as the digital representation of an individual in an electronic transaction. (from RFC).
  • An mDL is a digital representation of the identity information contained on a state-issued physical DL/ID. (from RFC).
  • Authenticate means establishing that a certain thing (e.g., mDL Data) belongs to its purported owner (e.g., mDL Holder) and has not been altered.
  • A Certificate Authority issues Digital Certificates that are used to certify the identity of parties in a digital transaction.
  • Data Freshness refers to the synchronization of mDL Data stored on a mobile device to data in a DMV’s database, within a specified time period.
  • Department of Motor Vehicles (DMV) refers to the state agency or its authorized agent responsible for issuing an mDL and for maintaining mDL data in its database.
  • Digital Certificates establish the identities of parties in an electronic transaction, such as recipients or digital signatories of encrypted data.
  • Digital Signatures are mathematical algorithms routinely used to validate the authenticity and integrity of a message.
  • Identity Proofing refers to a series of steps that a DMV executes to prove the identity of a person.
  • Identity Verification is the confirmation that identity data belongs to its purported holder.
  • Issuance includes the various processes of a DMV to approve an individual’s application for a REAL ID driver’s license or identification card.
  • An mDL is a digital representation of the information on a state-issued physical DL/ID, and is stored on, or accessed via, a mobile device.
  • mDL Data is an individual’s identity and DL/ID data that is stored and maintained in a database controlled by a DMV and may also be stored and maintained on an individual’s mDL.
  • mDL Holder refers to the owner of a mobile device.
  • mDL Reader refers to an electronic device that ingests mDL Data from a mobile device.
  • Offline means no live connection to the internet.
  • Online means a live connection to the internet.
  • An mDL Public Key Distributor is a trusted entity responsible for compiling and distributing Digital Certificates issued by DMVs.
  • Public Key Infrastructure (PKI) means a structure where a Certificate Authority uses Digital Certificates for Identity Proofing and for issuing, renewing, and revoking digital credentials.
  • Provisioning refers to the various steps required for a DMV to securely place an mDL onto a mobile device.
  • Token means a cryptographic key used to authenticate a person’s identity.

Use Cases

Problems

  • REAL ID has yet to approve a single state's Mobile Driver's License (mDL) for Federal access.
  • Supply Chain for components of the mDL has not been a part of existing criteria, but needs to be included based on the Solar Winds attack of government and commercial access.

The REAL ID Act

  • The Act set minimum requirements for state-issued DL/ID accepted by Federal agencies for official purposes, including accessing Federal facilities, boarding federally regulated commercial aircraft, entering nuclear power plants, etc.
  • Full enforcement of the REAL ID regulation begins October 1, 2021 (note that his date has already been extended innumerable times.)
  • Examples of security requirements applicable to physical cards include ‘‘common machine-readable technology’’ and ‘‘security features designed to prevent tampering, counterfeiting, or duplication . for fraudulent purposes. (i.e. ISO 18013-1 plus a few embellishments.)
  • Good security practices in creating an implementing the distribution.
  • ISO 18013-5 (mDL) will need embellishments as well for the REAL ID Act. AAMVA is given official recognition in this effort.

Responses to RFC

References