Mobile Driver's License Criteria: Difference between revisions

From IDESG Wiki
Jump to navigation Jump to search
Line 163: Line 163:
* How do we know the cert applies only to the code that was actually run?
* How do we know the cert applies only to the code that was actually run?
* Assurance levels (is this implicit in the REAL ID, or is it required in all presentations)
* Assurance levels (is this implicit in the REAL ID, or is it required in all presentations)
* The FHIR spec has [https://hl7.org/fhir/safety.html Safety Check List] which include patient privacy and data sensitivity and well as consistency issues.
* Redress & Recovery (including key and ID roll-over)
* Redress & Recovery (including key and ID roll-over)
* Resilience (will this continue to work in all weather on all roads in the US and Canada)
* Resilience (will this continue to work in all weather on all roads in the US and Canada)

Revision as of 01:01, 27 April 2021

Full Title or Meme

The Mobile Driver's License Criteria for a high level of Identity and Authentication Assurance.

Context

Actors

  1. Holder - the subject of the Mobile Driver's License
  2. Reader - a device that can read and verify the mDL, which is presumably hosted in a native smart phone app
  3. Issuing Authority - typically a state motor vehicle agency (aka DMV, dept. of motor vehicles).
  4. Trust Authority - some sort of wide ranging list of valid participators - not well defined at this point.

Taxonomy

  • Caution on terms. mdoc, mDL and mDL app get conflated in the specs. The full mDL (mdoc) is seldom/never released by the app to the reader/verifier.
  • Compare there terms Verifiable Credential and Presentation Exchange from the DIF folk. The VC (like the mDL or mdoc) may be in the smartphone, but only a part is "presented" to the reader.
  • Digital identity is generally recognized as the digital representation of an individual in an electronic transaction. (from RFC).
  • An mDL is a digital representation of the identity information contained on a state-issued physical DL/ID. (from RFC).
  • Authenticate means establishing that a certain thing (e.g., mDL Data) belongs to its purported owner (e.g., mDL Holder) and has not been altered.
  • A Certificate Authority issues Digital Certificates that are used to certify the identity of parties in a digital transaction.
  • Data Freshness refers to the synchronization of mDL Data stored on a mobile device to data in a DMV’s database, within a specified time period.
  • Department of Motor Vehicles (DMV) refers to the state agency or its authorized agent responsible for issuing an mDL and for maintaining mDL data in its database.
  • Digital Certificates establish the identities of parties in an electronic transaction, such as recipients or digital signatories of encrypted data.
  • Digital Signatures are mathematical algorithms routinely used to validate the authenticity and integrity of a message.
  • Identity Proofing refers to a series of steps that a DMV executes to prove the identity of a person.
  • Identity Verification is the confirmation that identity data belongs to its purported holder.
  • Issuance includes the various processes of a DMV to approve an individual’s application for a REAL ID driver’s license or identification card.
  • An mDL is a digital representation of the information on a state-issued physical DL/ID, and is stored on, or accessed via, a mobile device.
  • mDL Data is an individual’s identity and DL/ID data that is stored and maintained in a database controlled by a DMV and may also be stored and maintained on an individual’s mDL.
  • mDL Holder refers to the owner of a mobile device that contains an mdoc (aka mDL).
  • mDL Reader refers to an electronic device that ingests mDL Data from a mobile device.
  • Offline means no live connection to the internet.
  • Online means a live connection to the internet.
  • An mDL Public Key Distributor is a trusted entity responsible for compiling and distributing Digital Certificates issued by DMVs.
  • Public Key Infrastructure (PKI) means a structure where a Certificate Authority uses Digital Certificates for Identity Proofing and for issuing, renewing, and revoking digital credentials.
  • Provisioning refers to the various steps required for a DMV to securely place an mDL onto a mobile device.
  • Token means a cryptographic key used to authenticate a person’s identity.

Use Cases

Problems

  • REAL ID has yet to approve a single state's Mobile Driver's License (mDL) for Federal access.
  • Supply Chain for components of the mDL has not been a part of existing criteria, but needs to be included based on the Solar Winds attack of government and commercial access.

The REAL ID Act

  • The Act set minimum requirements for state-issued DL/ID accepted by Federal agencies for official purposes, including accessing Federal facilities, boarding federally regulated commercial aircraft, entering nuclear power plants, etc.
  • Full enforcement of the REAL ID regulation begins October 1, 2021 (note implementation of the Real ID Act in the US has been delayed multiple times since its passage more than 15 years ago)
  • Examples of security requirements applicable to physical cards include ‘‘common machine-readable technology’’ and ‘‘security features designed to prevent tampering, counterfeiting, or duplication . for fraudulent purposes. (i.e. ISO 18013-1 plus a few embellishments.)
  • Good security practices in creating an implementing the distribution.
  • ISO 18013-5 (mDL) will need embellishments as well for the REAL ID Act. AAMVA is given official recognition in this effort.
  • For Federal agencies to accept mDLs for official purposes, an mDL ecosystem must allow for trusted and secure communications between a DMV, a mobile device, and a federal agency.
  • a system would provide functionality analogous to the physical security features required under 6 CFR 37.15 that are designed to deter forgery and counterfeiting, promote confidence in the authenticity of the DL/ID, and facilitate detection of fraud.
  • a DMV would be responsible for issuing an mDL and enabling a user’s mobile device to store and/or access mDL data.
  • An individual’s mDL Device would transmit mDL Data, or a digital ‘‘token,’’ to the reader via wireless or secure optical communication protocols.
  • the reader and mobile device would require the capability to communicate and authenticate the mDL data in at least offline (no internet connection) mode. The system would require digital security protocols to protect the confidentiality, privacy, security, and integrity of the mDL data, through its full lifecycle.
  • an mDL Holder would authorize release of relevant mDL Data from the device.
  • The communication interfaces enable the parties to exchange information and assess if the mDL Data (1) was provisioned by a trusted source (the DMV), (2) belongs to the individual asserting it, and (3) was transmitted to and received by an agency unaltered.
  • ‘Remote’’ provisioning, in contrast, does not require an individual to be physically present at a DMV location. Instead, individuals would electronically send identity verification information to the DMV to establish their identities and ownership of the target device.
  • Off-line comms needs more detail: NFC QR BLE or WiFi Aware.
  • Federal agencies cannot accept an mDL unless the agency can authenticate the identity information. This means confidence that the mDL Data came from a trusted source (the DMV), and the mDL Data was transmitted to the agency unaltered.
  • Reg establishes such ‘‘trust’’ by requiring physical DL/IDs to include physical security features on the surface of a card that are designed to deter and detect forgery and counterfeiting. As mDLs lack a physical form they cannot overtly display physical security features. Therefore, regulatory requirements for physical security features on a physical substrate need to be updated to establish comparable mDL-specific security features.
  • an mDL can be verified via two methods:
  1. Attended verification requires the physical presence of an attendant to supervise the mDL transaction.
  2. unattended verification is performed algorithmically without the presence of an attendant. Draft standard 18013–5 sets forth requirements specifically for attended verification, but does not address the unattended online model (but DHS understands this may be the subject of a future ISO/IEC project).

Responses to RFC

Here are the 15 questions from the RFC in the order requested.

1 Security generally

what security risks, including data interception, alteration, and reproduction, may arise from the use of mDLs by Federal agenciesThese are the kinds of vulnerabilities that have been identified for mDL.

  1. Issuer private keys are compromised
  2. Spoofing
    1. that is where the attacker can authenticate using another’s mDL data.
    2. It can also be that the verifier spoofs a known site the user trusts.
    3. Somehow the trust registries need to be made known to the verifier and perhaps to the user.
  3. Information Disclosure - or loss of privacy.
  4. Linking (a form of disclosure where one set of attributes are aggregated to the point where the real-world user is identified.) ( Not sure if this is in scope - we can decide later when we have more content and can remove it at that point.)
  5. Repudiation - where a user is able to deny having provided the information. (We may decide to pass on this vulnerability - we can decide later.)
  6. Denial of Service - where a user is unable to access the resource desired. Note that this includes both intentional and unintentional outages and could be considered to be a reliability issue. (We may decide out-of-scope.)
  7. Tampering - where an attacker is able to change the data in-flight.
    1. This can be just a form of Denial of Service, or
    2. This can result in spoofing one of the attributes, like age.

2 Privacy generally

what privacy concerns or benefits may arise from mDL transactions, and how DHS should address those in the REAL ID context

  1. The verifier is presumed to be unworthy to access user data until it is recognized by the user’s device.
    1. The user may decide which verifiers are trusted. It would be helpful to the user to not need to make this choice more than once so that they do not experience cognitive overload and automatically accept any site asking.
    2. The verifier can be spoofing a well known vendor and should themselves be properly verified, which is why the user’s device needs to know which trust registries are trustworthy.
    3. The verifier may have emergency powers to access user data. These types of accesses are situational in that the requester must be able to prove the role that they have at the time of the request.
      1. Law officers on duty.
      2. Paramedics (or physicians) on duty.
      3. Various branches of DHS: FEMA, ICE, TSA, etc.
  2. The link between the mDL and the verifier is unencrypted and leaks data.
  3. The storage of the mDL on the smartphone is not secure and other apps can get access to the data.
  4. The data link between the smartphone and verifier can be intercepted.
  5. The verifier maintains all the data sent to it against applicable privacy guidelines.
  6. The verifier uses holder data without informed consent (e.g. facial recognition)
  7. Data at the verifier site is not secure and is breached.
  8. The verifier inappropriately shares user private data.
  9. The verifier asks for more user data than is situationally required.
    1. The verifier must be able to understand what the profile is that is appropriate.
    2. One way would be for a set of standard profiles to be created and deployed.
    3. That would make it easier for the agency to get the right set of data for the situation.
  10. The person presenting the mDL is not the subject.
  11. The rights granted to the subject using the mDL are improperly diverted (e.g. drugs or alcohol).

3 Industry Standards

Any industry standards should be chosen describe how DHS should choose the standards, and the appropriate baseline to impose.

  1. Mobile Authentication Assurance Statement
  2. OpenID Connect

4 ISO 18013-5

evaluate current and future developments.

5 ISO 23220-3 Communication Interface Between DMV and mDL Device

evaluate current and future developments.

6 Provisioning

both in-person and remotely.

7 Storage of mDL on device

both h/w and s/w implementations

8 Data freshness

is data current.

9 IT Security Infrastructure

is PKI sufficient. Is there an alternative (like VCs and DIDs) Consider costs.

10 Alternative IT Security Solutions

Also look at Vehicle-Vehicle interchanges and Healthcare prescriptions for controlled substances.

11 Offline and Online Data Transfer Modes

mitigate security and privacy risks

12 Unattended Online mDL Verifications

how can DMVs help mitigation

13 Costs to individuals

time, effort and money. Consider other uses - (like Medicaid, fishing licenses)

14 Considerations for mDL Devices Other than Smartphones

smartwatch (maybe home healthcare?)

15 Obstacles to acceptance

(Education, Accessibility, disenfranchised and Inclusion)

Assessment Methodologies

List in no particular order

  • Black box testing
  • Fuzz testing
  • Management commitment to Code of Conduct
  • Check list - for example the HIPAA Compliance Checklist
  • Supply chain validation
  • Development methodologies
  • Bug tracking & triage criteria
  • User experience, especially te selection of good security and privacy practices
  • Notification (Consent and Breaches)

Input

Ideas collected from the Kantara team that need to be addressed somewhere in the responses.

  • Impact to ONC Trust Registry proposal
  • How do we know the cert applies only to the code that was actually run?
  • Assurance levels (is this implicit in the REAL ID, or is it required in all presentations)
  • The FHIR spec has Safety Check List which include patient privacy and data sensitivity and well as consistency issues.
  • Redress & Recovery (including key and ID roll-over)
  • Resilience (will this continue to work in all weather on all roads in the US and Canada)
  • Access by Government officials (Sovereign access (copy on the road, access to gov't buildings & TSA)
  • Privacy by sovereign entities selling our data
  • Selective release of inappropriate data - needs to be based on requirements
  • Canonical list of data by access types (in car, public health, ...) is this in scope?
  • Can there be a national credential (from state to state)
  • Other stuff - car insurance, registration, etc.
  • Guardianship & delegation (particularly if different states involved)
  • Culture (en-US) gilt - globalization internationalization localization translation
  • Jurisdiction
  • Inclusion Accessibility
  • NLETS - FirstNet
  • Donor card
  • Other uses - Medicaid, firearms, 22 types of ID in WA state.
  • Professional licenses - including access to prescribing
  • VC and DIDs
  • Attribute updates
  • Alternate identities
  • Compliance with CCPA, FTC, user consent (intention)
  • Purpose of use must not expand w/o permission
  • Sensitivity of data attributes
  • Who owns data, who controls data, can it be made into a right (is the State DMV even in scope for this response?)
  • Rights seem to evolve - privacy & right to be forgotten and extended on to property rights for ID data access
  • Are notification of changes or breaches in scope?

References