ISO’s mDL standard can’t guarantee issuer trustworthiness

The fear that the server retrieval capability supported by the ISO/IEC 18013 standard for mobile driver’s licenses (mDLs) could be activated without the consent of the digital ID’s holder to “phone home” and track their activity has ignited a public debate.
But some within the standards-building community are frustrated that what they see as a concern about issuer trustworthiness, and therefore about the legal framework behind the digital ID, is being presented as a problem with the standard itself.
Austroads National Harmonisation Lead on Digital Identity Christopher Goh, discussing the matter with Biometric Update over email in his capacity as a subject matter expert, acknowledges shortcomings in how the standards community has communicated about the issue and in how it has handled the challenges posed by the complexity of its processes and the need for open dialogue during the discussion phase of standard formation. Goh is
Goh commends those taking a principled stand in defense of privacy, but asks that they work with the ISO community to “try to understand the context of what is being delivered,” help iterate its development, and improve it.
He further suggests that considering the reason why server retrieval was included in the standard should come before criticism of the decision.
Why is server retrieval in the standard?
Server retrieval was and remains very common for certain kinds of transactions, such as credit card purchases.
“Most digital wallets were propagated by an API which was direct to source (and many are still today) and the culture of a federated identity where there was an IDP required a reverification back to the provider of the identity was still a requirement,” Goh writes. “In fact if you’re using SAML or OIDC today there is a verification back to the IDP to verify you are still current and data/attestations can be verified. So now, server retrieval, in the context of the protocol/tokenised way we subsequently included, is alive and well and if you’re using a version of your governments online login, it already uses the same technology.”
The online transmission or server retrieval mode, which is not necessary to comply with the standard, was included “to meet the needs of some international stakeholders,” Goh writes.
“The irony of this whole debate is that WG10 (Working Group 10) wanted to define the requirements of server retrieval to provide security protections for customers by including it in the standard. This was to minimize rogue operators using their version of ‘server retrieval’ without adequate measures. If WG10 didn’t include it, anyone could still implement (as they do today) some form of server retrieval. The aspiration was to ensure that the non (emphasis in original) mandatory use of server retrieval was implemented well.”
How it works
Server retrieval is included in the standard for authenticated verification of data that has already been provided, according to Goh, rather than sending new data back to the issuer.
Goh argues that for many non-identity verification uses of Verifiable Credentials, such as the credit card example above, server retrieval is appropriate, and the standard should support those applications.
“No issuing authority in their right mind would open up their system of record to write back from the internet (least of all from a relying party) and create a huge security risk and vector into their system,” he argues. “Asserting that this allows tracking et cetera is, I think, a great sound bite but pretty much defies all possible logic that this is possible with well-defined requirements around a token, let alone whether it would even be practical to execute.”
There are also concerns around the “chattiness” of the protocol, Goh says, but these relate to the fear of broken cryptographic keys, which would make any system vulnerable. Worries about collusion between issuers and RPs are addressed by existing legislation and privacy policies.
“Could it be misused? It can be today without the standard,” he sums up.
Standard iteration continues
On the communication issue, Goh notes that WG10 has started using GitHub to increase transparency around its discussions.
And those discussions are ongoing.
“The matter of server retrieval has been discussed regularly, and there is strong support for removing it from 18013-5,” Goh writes. “Due process is now being followed to address this. This will no doubt make those lobbying for its removal very happy. However, not having it in the standard does not mean third parties cannot implement it. They do today, and without a standard defining good practices around it, legislation and regulation will have to take the larger load of consumer protection.”
Zero-knowledge proofs could serve as a replacement for server retrieval, and this is being discussed, Goh says. But ZKPs are “still very dependent on the freshness of the data on the device.”
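As an added illustration, not code from the article or from the standard, the simplified Python model below contrasts the two retrieval modes discussed above: device retrieval verifies issuer-signed data offline, so the issuer never learns of the check, while a token-based server retrieval endpoint is read-only (no write-back) but necessarily lets the issuer see each verification, and is also the only path that reflects a revocation before the offline data expires, which is the freshness point raised about ZKPs. The HMAC "signature", the attribute set, the document id and the verifier id are constructed stand-ins, not the standard's COSE/MSO structures.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed demo key; stands in for the issuer's private signing key.
ISSUER_KEY = b"constructed-demo-issuer-key"


def sign(payload: dict) -> str:
    """HMAC stand-in for the issuer's signature over the data it provisioned."""
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()


@dataclass
class Issuer:
    records: dict = field(default_factory=dict)        # system of record
    revoked: set = field(default_factory=set)
    retrieval_log: list = field(default_factory=list)  # what "phone home" reveals

    def provision(self, doc_id: str, attrs: dict, valid_until: int) -> dict:
        """Put signed data plus a retrieval token on the holder's device."""
        self.records[doc_id] = dict(attrs)
        payload = {"doc_id": doc_id, "attrs": attrs, "valid_until": valid_until}
        return {"payload": payload, "sig": sign(payload),
                "token": sign({"token_for": doc_id})}

    def server_retrieve(self, token: str, doc_id: str, verifier_id: str):
        """Read-only endpoint: a valid token returns current data, nothing is written."""
        if not hmac.compare_digest(token, sign({"token_for": doc_id})):
            return None                      # unknown token: no data, no log entry
        self.retrieval_log.append((verifier_id, doc_id))   # issuer learns who verified
        if doc_id in self.revoked:
            return {"status": "revoked", "attrs": None}
        return {"status": "valid", "attrs": self.records[doc_id]}


def device_retrieval_verify(mdoc: dict, now: int) -> dict:
    """Offline check of the issuer signature; the issuer is never contacted."""
    p = mdoc["payload"]
    fresh = now <= p["valid_until"]          # freshness relies only on device data
    ok = hmac.compare_digest(mdoc["sig"], sign(p)) and fresh
    return {"status": "valid" if ok else "invalid", "attrs": p["attrs"] if ok else None}


if __name__ == "__main__":
    iss = Issuer()
    m = iss.provision("DL-DEMO-1", {"age_over_21": True}, valid_until=1000)
    print(device_retrieval_verify(m, now=500), iss.retrieval_log)
    iss.revoked.add("DL-DEMO-1")             # revocation invisible offline until expiry
    print(device_retrieval_verify(m, now=500)["status"],
          iss.server_retrieve(m["token"], "DL-DEMO-1", "verifier-A"), iss.retrieval_log)
```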
Ultimately, Goh hopes the backlash around server retrieval will not discourage standards committees from “tackling tough issues and practices already prevalent.”
ISO 18013 has wide global adoption, Goh says, “because after significant professional review (industry, commercial, security experts, regulators, issuing authorities et cetera) the standard provides end to end secure and privacy preserving capability, and server retrieval is a very small (not even mandatory) component of the standard.”