Mobile Driver's License Criteria
Full Title or Meme
The Mobile Driver's License Criteria for a high level of Identity and Authentication Assurance.
Context
- The issuance of ISO 18013-5 for a Mobile Driver's License an increasing level of trials towards getting driver's licenses installed on Smartphones.
- The US Office of Strategy, Policy and Planns, of the Department of Homeland Security (DHS) has issued a RFC for security standards and requirements to enable Federal agencies to accept them if compliant with the REAL ID. Comments are due by 2021-06-18.
- This includes comments relating to the economic, privacy, security, environmental, energy, or federalism impacts that might result from a future rulemaking based on input received as a result of this RFI.
- Also see the companion document on Mobile Driver's License for a view that includes issues like privacy and consent, which are not addressed here.
- There are 49 states that accept driver's license on smartphones for some purposes.
- Report from the Privacy & Identity Protection in mobile Driving License ecosystems Discussion Group working draft.
- Google announced (2020-11-04) privacy-preserving features in Android's Mobile Driving License framework including the credential API in Android 11.
- The Kantara's discussion group on Privacy and Identity in the mobile driver' license aka PImDL focus is now on North America where individual provinces and states are responsible for issuing Identity Cards based for a wide variety of purposes beyond just the attributes present on a driver's license.
Actors
- Holder - the subject of the Mobile Driver's License
- Reader - a device that can read and verify the mDL, which is presumably hosted in a native smart phone app
- Issuing Authority - typically a state motor vehicle agency.
- Trust Authority - some sort of wide ranging list of valid participators - not well defined at this point.
Taxonomy
- Caution on terms. mDL and mDL app get conflated in the specs. The full mDL is seldom/never released by the app to the reader/verifier.
- Compare there terms Verifiable Credential and Presentation Exchange from the DIF folk. The VC (like the mDL or mdoc) may be in the smartphone, but only a part is "presented" to the reader.
- Digital identity is generally recognized as the digital representation of an individual in an electronic transaction. (from RFC).
- An mDL is a digital representation of the identity information contained on a state-issued physical DL/ID. (from RFC).
- Authenticate means establishing that a certain thing (e.g., mDL Data) belongs to its purported owner (e.g., mDL Holder) and has not been altered.
- A Certificate Authority issues Digital Certificates that are used to certify the identity of parties in a digital transaction.
- Data Freshness refers to the synchronization of mDL Data stored on a mobile device to data in a DMV’s database, within a specified time period.
- Department of Motor Vehicles (DMV) refers to the state agency or its authorized agent responsible for issuing an mDL and for maintaining mDL data in its database.
- Digital Certificates establish the identities of parties in an electronic transaction, such as recipients or digital signatories of encrypted data.
- Digital Signatures are mathematical algorithms routinely used to validate the authenticity and integrity of a message.
- Identity Proofing refers to a series of steps that a DMV executes to prove the identity of a person.
- Identity Verification is the confirmation that identity data belongs to its purported holder.
- Issuance includes the various processes of a DMV to approve an individual’s application for a REAL ID driver’s license or identification card.
- An mDL is a digital representation of the information on a state-issued physical DL/ID, and is stored on, or accessed via, a mobile device.
- mDL Data is an individual’s identity and DL/ID data that is stored and maintained in a database controlled by a DMV and may also be stored and maintained on an individual’s mDL.
- mDL Holder refers to the owner of a mobile device.
- mDL Reader refers to an electronic device that ingests mDL Data from a mobile device.
- Offline means no live connection to the internet.
- Online means a live connection to the internet.
- An mDL Public Key Distributor is a trusted entity responsible for compiling and distributing Digital Certificates issued by DMVs.
- Public Key Infrastructure (PKI) means a structure where a Certificate Authority uses Digital Certificates for Identity Proofing and for issuing, renewing, and revoking digital credentials.
- Provisioning refers to the various steps required for a DMV to securely place an mDL onto a mobile device.
- Token means a cryptographic key used to authenticate a person’s identity.
Use Cases
- TSA acceptance at transportation check-in lines.
- Building access for many Federal buildings and spaces controlled by regulation like Nuclear power plants.
- Mobile_Driver's License in Healthcare
- State Issued ID for Healthcare on this wiki lists other uses states might have for the mDL standard format.
- Currently kiosks have been deployed that accept ISO 18013 compatible Driver's License cards. The same capability is likely to be required for ISO 18013-5 Mobile Driver's Licenses.
Problems
- REAL ID has yet to approve a single state's Mobile Driver's License (mDL) for Federal access.
- Supply Chain for components of the mDL has not been a part of existing criteria, but needs to be included based on the Solar Winds attack of government and commercial access.
The REAL ID Act
- The Act set minimum requirements for state-issued DL/ID accepted by Federal agencies for official purposes, including accessing Federal facilities, boarding federally regulated commercial aircraft, entering nuclear power plants, etc.
- Full enforcement of the REAL ID regulation begins October 1, 2021 (note that his date has already been extended innumerable times.)
- Examples of security requirements applicable to physical cards include ‘‘common machine-readable technology’’ and ‘‘security features designed to prevent tampering, counterfeiting, or duplication . for fraudulent purposes. (i.e. ISO 18013-1 plus a few embellishments.)
- Good security practices in creating an implementing the distribution.
- ISO 18013-5 (mDL) will need embellishments as well for the REAL ID Act. AAMVA is given official recognition in this effort.
- For Federal agencies to accept mDLs for official purposes, an mDL ecosystem must allow for trusted and secure communications between a DMV, a mobile device, and a federal agency.
- a system would provide functionality analogous to the physical security features required under 6 CFR 37.15 that are designed to deter forgery and counterfeiting, promote confidence in the authenticity of the DL/ID, and facilitate detection of fraud.
- a DMV would be responsible for issuing an mDL and enabling a user’s mobile device to store and/or access mDL data.
- An individual’s mDL Device would transmit mDL Data, or a digital ‘‘token,’’ to the reader via wireless or secure optical communication protocols.
- the reader and mobile device would require the capability to communicate and authenticate the mDL data in at least offline (no internet connection) mode. The system would require digital security protocols to protect the confidentiality, privacy, security, and integrity of the mDL data, through its full lifecycle.
- an mDL Holder would authorize release of relevant mDL Data from the device.
- The communication interfaces enable the parties to exchange information and assess if the mDL Data (1) was provisioned by a trusted source (the DMV), (2) belongs to the individual asserting it, and (3) was transmitted to and received by an agency unaltered.
- ‘Remote’’ provisioning, in contrast, does not require an individual to be physically present at a DMV location. Instead, individuals would electronically send identity verification information to the DMV to establish their identities and ownership of the target device.
- Off-line comms needs more detail: NFC QR BLE or WiFi Aware.
- Federal agencies cannot accept an mDL unless the agency can authenticate the identity information. This means confidence that the mDL Data came from a trusted source (the DMV), and the mDL Data was transmitted to the agency unaltered.
- Reg establishes such ‘‘trust’’ by requiring physical DL/IDs to include physical security features on the surface of a card that are designed to deter and detect forgery and counterfeiting. As mDLs lack a physical form they cannot overtly display physical security features. Therefore, regulatory requirements for physical security features on a physical substrate need to be updated to establish comparable mDL-specific security features.
- an mDL can be verified via two methods:
- Attended verification requires the physical presence of an attendant to supervise the mDL transaction.
- unattended verification is performed algorithmically without the presence of an attendant. Draft standard 18013–5 sets forth requirements specifically for attended verification, but does not address the unattended online model (but DHS understands this may be the subject of a future ISO/IEC project).
Responses to RFC
There are the 15 questions from the RFC
1 Security generally
what security risks, including data interception, alteration, and reproduction, may arise from the use of mDLs by Federal agencies
2 Privacy generally
what privacy concerns or benefits may arise from mDL transactions, and how DHS should address those in the REAL ID context
3 Industry Standards
f an industry standard should be chosen describe how DHS should choose the standards, and the appropriate baseline to impose.
4 ISO 18013-5
evaluate current and future developments.
5 ISO 23220-3 Communication Interface Between DMV and mDL Device
evaluate current and future developments.
6 Provisioning
both in-person and remotely.
7 Storage of mDL on device
both h/w and s/w implementations
8 Data freshness
is data current.
9 IT Security Infrastructure
is PKI sufficient. Is there an alternative (like VCs and DIDs) Consider costs.
10 Alternative IT Security Solutions
Also look at Vehicle-Vehicle interchanges and Healthcare prescriptions for controlled substances.
11 Offline and Online Data Transfer Modes
mitigate security and privacy risks
12 Unattended Online mDL Verifications
how can DMVs help mitigation
13 Costs to individuals
time, effort and money. Consider other used - (like Medicaid, fishing licenses)
14 Considerations for mDL Devices Other than Smartphones
smartwatch (maybe home healthcare?)
15 Obstacles to acceptance
(Education, Accessibility, disenfranchised and Inclusion)
Input
Ideas collected from the Kantara team that need to be addressed somewhere in the responses.
- Impact to ONC proposal
- Assurance levels
- Redress & Recovery
- Resilience
- Access by Government officials (Sovereign access (copy on the road, access to gov't buildings & TSA)
- Privacy by sovereign entities selling our data
- Selective release of inappropriate data - needs to be based on requirements
- Canonical list of data by access types (in car, public health, ...) is this in scope?
- Can there be a national credential (from state to state)
- Other stuff - car insurance, registration, etc.
- Guardianship & delegation (particularly if different states involved)
- Culture (en-US) gilt - globalization internationalization localization translation
- Jurisdiction
- Inclusion Accessibility
- NLETS - FirstNet
- Donor card
- Other uses - Medicaid, firearms, 22 types of ID in WA state.
- Professional licenses - including access to prescribing
- VC and DIDs
- Attribute updates
- Alternate identities
- Compliance with CCPA, FTC, user consent (intention)
- Purpose of use must not expanse w/o permission
- Sensitivity of data attributes
- Who owns data, who controls data, can it be made into a right
- Rights seem to evolve - privacy & right to be forgotten and extended on to property rights for ID data access