Driver’s licenses serve more use cases for us than simply proving our capability to operate a vehicle–many people use their driver’s license as their primary form of identification. As we shift to a digital-first world, people will need credentials to represent all facets of their identity digitally in a secure way. Whether it be proving identity to apply for a loan or purchasing a controlled substance online, it’s becoming increasingly important and necessary for entities to offer people the option to present a digitally issued ID document remotely.
This means that it is critical to build mobile driver’s license (mDL) solutions using standardized data formats, so verifiers across different geographies and industries can use a consistent framework to confirm a person’s identity. To ensure the secure and interoperable use of these digital credentials, international standards are being developed and tested. The August 2023 ISO/IEC 18013-7 Interoperability Event, organized by SpruceID, was a significant milestone in this ongoing journey.
We’re delighted to have hosted a successful, fully-remote, and asynchronous interoperability test event for mobile driver’s license implementations. Read on to learn more about ISO/IEC 18013-7, a recap of the interoperability event, and how the results and findings are being used to drive the digital identity industry forward.
A Brief Introduction to ISO/IEC 18013-7
ISO/IEC JTC 1/SC 17 is the working group that defines standards for motor vehicle driver’s licenses and related documents, to provide a common technical framework and promote the safe and secure use of this technology. The 18013-5 standard specified by ISO/IEC JTC 1/SC 17 defines requirements for the security, data elements, and information exchange of mobile driving licenses (mDL) between the mobile device and authorized parties while upholding user data protection and safeguarding driver privacy.
ISO/IEC 18013-5 focuses on attended in-person use cases where parties are in close proximity during the presentation of a digitally issued ID document. After introducing the ISO/IEC 18013-5 standard, ISO/IEC JTC 1/SC17 took another step forward by publishing a Committee Draft consultation of ISO/IEC 18013-7, a draft technical specification that focuses on unattended or fully online use cases of mDL where parties are remotely connected at the time of presentation.
The objective of our interoperability event was to provide a collaboration forum for implementers of ISO/IEC 18013-7 to come together and test their respective solutions to drive forward cross-industry interoperability and adoption while accelerating feedback and clarity for implementations of the standards.
Joining Forces for Testing
The Interoperability Event was hosted remotely, with an asynchronous testing window spanning three weeks. This allowed participants enough time to actively test and collaborate iteratively with other implementers to optimize their own implementations and use cases.
The event was open for all implementers of 18013-7 to participate without any restrictions regarding organization size or any particular working group membership. Participants came from a variety of backgrounds, including both public and private sectors, across multiple geographies. Any observers interested in understanding the maturity and adoption of the draft standard were also welcome to join and listen in.
The participating mDL reader implementers included: Bundesdruckerei GmbH, Credence ID, Google, HID Global, ImproveID, MyNextID, the National Institute of Standards and Technology (NIST), Okta, OneProof, Panasonic, Ping Identity, Samsung, Scytales, SpruceID, and Thales.
The participating mDL implementers included: Bundesdruckerei GmbH, Google, HID Global, ImproveID, MyNextID, NEC, OneProof, Panasonic, Samsung, Scytales, SpruceID (jointly with the State of California Department of Motor Vehicles), and Thales.
Testing participants were encouraged to test both Rest API and OpenID4VP implementations to inform recommendations for refining the clarity of the technical specification related to both protocols.
Results and Reflections
There were many takeaways and learnings from the test event that will ultimately help to inform both the standard and interoperability moving forward. Notably, the draft specifications were found to have no major issues necessitating normative changes. Most interoperability challenges were largely a result of updates to the draft documents in advance of the interoperability event, which some participants did not have sufficient time or resources to address. However, the successful resolution of these issues demonstrated a shared commitment to fostering interoperability and will help improve this documentation in the future.
Feedback from the event, along with preliminary aggregate, anonymized test results, and troubleshooting, was presented to ISO/IEC JTC1/SC17 WG10 in Singapore. The findings and resolutions were documented as N2349 in the ISO Global Directory. So far, these insights have been incorporated into the latest version of ISO/IEC 18013-7, submitted as N2356. N2356 is the first draft of a Technical Specification, which includes all the improvements and insights we've gathered during our test event to enhance the specification for better interoperability.
If you’re interested in taking a deeper dive into these findings, a comprehensive event results publication can be found here.
Onwards and Upwards for 18013-7
We look forward to continuing to play a role in advancing the 18013-7 standard and other digital identity standards. The August 2023 ISO/IEC 18013-7 Interoperability Event was a testament to the collective effort to advance standards for mobile driver's licenses, and how much progress we can make together to eventually bring this standard to life for public use. The successful interoperability demonstrations of mobile driver’s licenses that can be presented and verified remotely over the internet will introduce a new class of use cases for verifiable digital identity and evolve the way we use mobile driver’s licenses today.
At SpruceID, our mission is to let users control their data across all digital interactions. As digital identity technologies, such as mobile driver's licenses, become more pervasive and usable for online user experiences, it is important to be mindful of introducing privacy-preserving capabilities from their inception. To that end, we think carefully about technology mitigations for privacy risks and concerns raised by civil liberties organizations, such as "phoning home," in the mDL implementations that SpruceID works on. You can learn more in our knowledge base.
We’d like to thank all implementers for taking the time to participate in the test event. This event marked a crucial step towards creating a digital identification landscape that is secure, interoperable, and universally accessible. As we continue our journey towards fully realizing the potential of mDLs, collaborative, open events like these play a vital role in shaping the future of digital identification.
About SpruceID: At SpruceID, our mission is to let users control their data across all digital interactions.