The Mobile Driving License Spec with Andrew Hughes

Vittorio Bertocci: Buongiorno everybody and welcome. This is Identity, Unlocked and I'm your host Vittorio Bertocci. Identity, Unlocked is the podcast that discusses identity specs and trends from a developer perspective. Identity, Unlocked is powered by Auth0. In this episode, we discussed the mobile driving license, an ISO standard that has the potential to have a direct impact on the daily life of everyone. And to do that, I enlisted my old friend Andrew Hughes, director of Identity Standards and Pink Identity historical figure in the identity industry. Welcome Andrew.

Andrew Hughes: Thank you, Vittorio. I'm glad to be here.

Vittorio Bertocci: It's tradition of Identity, Unlocked that we started with a history of our guests and in particular, the trajectory that led you to your current position and your current interest in identity. So what's your story, Andrew?

Andrew Hughes: Well, it's goes back quite a while. I've been in this business in various roles for probably 15 years, as you may know, I live in Victoria, British Columbia, which is the capital of the province of British Columbia up in Canada. And there's lots of government offices here. So if you're an IT, you're probably consulting for government. Since 2000s, that's what I was doing. Consulting on information security policy and privacy policy for the CIO's office of the government of BC. And that's where identity comes to play. So in around 2007, I started noticing that these people in the CIO's office, we're starting to talk about this user- centric identity thing. I kept hearing about this infocard and how Microsoft was doing brilliant things with info card and how this guy Vittorio was at the center. No, sorry, that's my bio, not your bio. So in BC government, in the CIO's office, they were looking hard user- centric identity. And I started getting contracts in the citizen identity space, and I helped work to create the BC government Internet Identity Information Management Service that is still running today. It's different now, but it's as they're at the beginning. In 2013, I took a big leap forward into the deep ends to try to get ahead to the leading edge of the industry. Great new things were happening out there in standards and associations authentication was coming on and my clients could not jump to the leading edge because clients like to pay for real things. They don't want the thing that might happen in 20 years. They want the thing that happens now. So I jumped in the deep end. I just jumped in, started joining associations. Industry associations, started contributing to standard bodies and other places, and built a network of people. And that's what I've been doing continuously since then. I'm deeply involved in ISO for standards Kantara I was deeply involved in NIST in the US for IDESG. Internet identity world is, it's one of my favorite places to go to geek out for a week on identity topics. I participate in Decentral Identity Associations of various sorts and more I'm a delegate of standards Canada, to a couple of ISO subcommittees. One is working on the Core Identity Management Federation and Privacy Standards. And the other is working on mobile driver's license. And that's what we're here to talk about today. I work for ping identity and as a director of identity standards, which in our prerecording chat, it's becoming a real job. It's amazing. I see postings for directors of identity standards, which is a very, very new thing in the world. So I'm very excited here to talk about MDL and how it's going to change everyone's lives.

Vittorio Bertocci: Wonderful. Thank you so much for walking us through this incredible trajectory. It's clear that you have been in this space for a long while. So you have a huge repository of knowledge where everybody's skeletons are hidden. So I'm sure that as soon as we stop the recording button we'll start the interesting discussion but for the time being given that we are recording. Let's actually dive into today's topic, which is Mobile Driving License. So can we start by defining what is it really?

Andrew Hughes: So the Mobile Driving License is everything you expected to be, but it isn't that. What I mean is, the mobile driver's license, the MDL, is actually a growing family of standards at ISO, International Standardization Organization, for driving licenses like the real plastic official driving licenses that everyone has, but existing on mobile devices like your phone. The idea is that by conforming to these standards, it allows government issuers like departments of motor vehicles to provision an official driving license to a person's mobile device in app form. It's brand new in the world. This is astonishing. Now, if the local law laws and regulations are adjusted to recognize these electronic and digital driver's licenses, they become exactly the same as the plastic driver's license in electronic form. They're official because the law in some places says that they are, and we're expecting that to grow over time. The mobile driver's license standard is supported by several international associations of motor vehicle administrators with great global coverage and is pretty reasonable to believe that MDL will become a dominant structure and standardization vehicle used by government issuers around the world for driving licenses to begin with. And we'll see what happens in the future, but there's lots of potential. So today there are actual production deployments of mobile driver's license apps, issuance services, and reader apps and devices. At my previous company where I worked at IDEMIA, we were engaged with several state DMVs to deploy official ISO 18013- 5. We'll get to that number later MDLs. So they are actually out there and some used.

Vittorio Bertocci: I see. So let's pick one state, like what is one state that is already supporting it?

Andrew Hughes: So the state of Oklahoma, state of Tennessee is coming online. Florida is well on their way. I think they're close to go live. And several others there's many others in pilot. I honestly, I haven't kept track of them because there's too many to.

Vittorio Bertocci: No, it's good. We only need one. Let's say that we do Oklahoma. So say that I am a Oklahoma resident and I need to hop on the car to buy quick groceries. Does that mean that now if I forget my plastic driving license, but I have my phone always with me, of course. And I get stopped because I drive Italian style and the patrol person shows up and says," Show me your driving license," itcan just pull out my phone. And that will be enough?

Andrew Hughes: Not yet. There's a lot of infrastructure that goes into these licenses of any kind.

Vittorio Bertocci: Okay. I knew there was a caveat. When you said that it's supported.

Andrew Hughes: There's pilots and proofs of concepts out there for law enforcement. Law enforcement has a very specific set of needs around licensing. It's checking your registration details in their database. It's evaluation against certain lists that they may have and watch lists that sort of thing. We, as an industry have not quite figured out what the human experience is supposed to be with a mobile driver's license on a phone and a police officer, because we designed the standards so that you don't give your phone to the police. There's radio communications, NFC, and Bluetooth are defined in the standard so that you can tap your phone on their reader and transfer the data that's being requested because all the standards experts in the room at ISO, we fully understand that people have to be willing to use the driver's license and not be afraid of misuse because if misuse happens, there will be no adoption and security and privacy are top of mind when we're developing these standards.

Vittorio Bertocci: Fantastic. So just to try to double click on these, you mentioned app, but in this case you mentioned the data transfer. So if we actually look at the meat of those standards, what do they define? Do they define data format? Do they define messages, protocols? What's in the standard?

Andrew Hughes: Yes. To everything. Yeah. The family of standards is being developed over time. So the first one is ISO 18013 part five. And that's the one that everyone recognizes because it was just published in September, 2021. What it covers is the data structure, the data integrity mechanisms. So how signatures and hashes and keys and certificates are used to ensure the data is not being modified by anyone in transit. It covers mechanisms for secure session establishment, device engagement, a request response protocol, and a few data transports for QR codes, protocol, NFC, Bluetooth, and wifi ware. And also it's defined in a way that you can add additional data transport methods and additional signature methods that can be supported as technology evolves. So it's not a closed. This is everything that will be, there are extension points that we expect to use as the situation changes. You'll notice, I didn't say issuance 18013- 5 does not cover issuance because we had to start somewhere. So we thought we started with using, there are other standards in the family. I'm not going to give you the numbers because they're all just numbers, but they're covering how an issuer constructs data objects, exchanges keys with the mobile device, provisions it to the mobile device with secure hardware and secure areas. And other aspects of operational use of the driver's license. So life cycle management is not an 18013- 5, but it is in the family of standards that are being developed and trust levels and security levels and all that sort of stuff as well is coming soon.

Vittorio Bertocci: This is all PKI, right? Like there is no decentralized magic. And similar is like department driving license have certificates. They sign with my certificates and it's all traditional PKI, correct?

Andrew Hughes: It's definitely private public key pair cryptography. It's not the same PKI that people might be familiar with the browser lock. Right? So it's not universal with universally recognized root CAs, that sort of thing. But yeah, it's classical PKI in a limited domain.

Vittorio Bertocci: So there are no X 509s, are those RSA keys on their own?

Andrew Hughes: Sorry. They are X509 certificates associated with the keys. It's just that we point at Public Key Directories PKDs as opposed to root servers that can connect you to many branches in a traditional PKI. But other than that, it's the same PKI. But the funny thing is it kind of is decentralized, right? Because each driving management office and each jurisdiction is its own authority. They're not tied together. So yeah, sure. There's centralization around the issuer for sure. But the issuers don't have any obligation to each other.

Vittorio Bertocci: Isn't if they can like from a English language perspective, I think I understand what you're saying is just decentralized has been recently co opted like crypto to one particular meaning. But by your definition, you could say Shibboleth is decentralized as well, right?

Andrew Hughes: Yeah. Isn't it?

Vittorio Bertocci: It is. It's just that like for clarity, given that if you go on Google trends and you search for keywords, you'll see that there's a spike and some of those spikes actually bring his special meaning towards, so I just wanted to make sure that we just recorded with a Kristina and Oliver an episode on decentralized identity. So just wanted to make sure that the audience knows which flavor of decentralized we are talking about. And speaking of which, from a topology perspective, a lot of the things that you described are similar to the topologies we are used to. So openid connect, you mentioned the formats, so JWTs and similar. So how would you relate those new ISO standards versus openid connect, JWTs? How similar are they? What touch points, what possible synergies between those new standards and openid connect?

Andrew Hughes: So, interesting thing about a question is they're at slightly to different layers. So 18013- 5 covers really covers credentials. So mobile driver's license model mobile IDs, as a credential and then also it's transports. So at certain places openid connect is used for authentication. JWTs are used in certain transfer formats, right? But the idea is that the family of standards covers the life cycle of the credentials. So the issuance provisioning secure storage request response presentation, we are working at using the self issued openid provider, SIOP, as one of the transports that we're extending the standards with. And there's a bunch of us working on that now to try to make the mobile driver's license app, the wallet, if you will, a SIOP provider. So they fit together. They don't really replace each other, but it's, you can see that there's dependencies depending on which protocols you are using for transmission.

Vittorio Bertocci: That makes sense, which actually makes me want to clarify another aspect even further, because I'm not entirely clear on whether the driving license is an app or is a bunch of data. And the reason for which I say this is that I've read in the news, that iOS, which I am a proud user of just like today, when they ask me for proof of vaccination, I pull out my iPhone and the Washington state gave me a card that lives in my apple wallet. And I just show the card. So to me, the vaccination is just a credential. It's not an app like the app in my phone does this, but so is the driving license expecting to be its own app? Or do you expect the driving license to be something issued from the department of driving license that leaves inside one app, which is capable of showing it?

Andrew Hughes: In the initial builds the initial applications, the data and the app are really tightly bound. So the user interface, user interaction, the data itself, how you interact with other devices really comes from the app, but it is actually the data. The data is the credential is the data object and its signature as the maturity and capabilities of hardware and software wallets and credential holders rises. The data structure, which is the MDL credential is intended for placement in those storage locations, a general purpose wallet should be able to receive a MDL credential, store it and make that data available for presentation to a reader. So we're getting there and it's when I say app, that's just the early days of it right now. This is brand new!

Vittorio Bertocci: Of course. So just summarize today, early on, you own the experience end to end. And so the department of driving licenses of Oklahoma might give you an app and this app, first time you run it, we'll do whatever identification and you'll get your driving license. And then whenever you need to use it, you use that app. In a future in which you can be confident that, say the apple wallet or the Android credential manager are capable of doing the things that you expect those applications to do in order to use the Mobile Driving License. Then at that point, you'd be ready to leverage general purposes, wallets like these ones.

Andrew Hughes: Yeah, absolutely. And that's part of the standards that we're working on now is what does the issuer require of these wallets? Because if you imagine in the future world, anyone could walk up with any wallet and say," Give me my driver's license." Does the issuer have any say in the security features and capabilities of that wallet? Well, they should for the driving license and the way you do that today is you write an app, you test it, make sure that it has no vulnerabilities or few vulnerabilities in it, and that satisfies the issuer's needs. And that's probably why we're seeing them as apps first. And then eventually, while it's mature.

Vittorio Bertocci: I'm getting very strong WebAuth attestation vibes, like FIDO and friends deciding, "okay, this browser is capable of doing X" attestation process. Do you foresee an attestation process for apps and harware as well for Mobile Driving License?

Andrew Hughes: Yeah, it's very much in the thoughts of the work groups at some points, we imagine that there will be attestation. We're not sure what parts will actually be attestable, a mobile phone is a lot of things. Does the entire thing every single bit on your phone need attestation? Well, no, but what parts do and what are critical for the support of MDL and we're trying to narrow those down so that we can actually express it in the standard that you can test against. Now I've got to say there's a very interesting aspect to MDL. That to me is actually the most interesting part, the driver license stuff, the entitlement to drive that's all wonderful, but the concept of what an MDL represents in everyone's daily life, that's fascinating. Half the people in the room think of an MDL as entitlement to drive the issuers say you can drive. That's great. Yeah. It's got your name and photo on it. The other half of the room says, no, no, no. That's my identification card, right? It's a general purpose identification card. So one of the debates we're having in the industry right now, between various communities out there, decentralized, centralized, government, non- government industry and so on is what is this MDL thing supposed to be? What should you be able to do with it? And it's totally green field. No one knows, but the MDL has that dual nature. And if you've been in around the industry, you will recognize this dual nature problem. It is both the entitlement and it is also the identification and the identity. We're finally at a point where we have a government verified identification credential on the person's device, which means there's an opportunity to have an actual mobile identification credential that is under the control of the person. It's the true user- centricity. So imagine the day, and it's not that far away, where if you get your mobile driver's license on your mobile phone, you can selectively present to a relying party to a retail organization let's say, you can selectively present only your name and not your address or only your address and not your name or only age over 55 for the discount, right? Things like that. We've not been able to do this before because getting from the government issuance into a digital format, we've always had to do cludgy, take a picture of this driver's license and try to parse it and all that stuff, which isn't that reliable. Now, as MDL rolls out, we'll have a digital signed representation of that data. And if we're smart about how we integrate this new thing into the world, into the identity identification ecosystems, proof of identity, that sort of thing. We have an opportunity to unlock a whole new set of use cases. Now I'm certainly not advocating using government verified identification credentials for everything. Like they are in the UK, right? In the UK, they're doing age requirements to access certain kinds of websites-

Vittorio Bertocci: Well, you know Orwell is from UK, right? So they have to honor his memory.

Andrew Hughes: Yes. We don't want to have your mobile driver's license be the way you have to log into the internet before you can do anything. That's way too far. But how can we put the data attributes in the person's control so they can get the things they want to get done in real life? Just like your driver's license does for you today.

Vittorio Bertocci: Well, I have to say it's a very American thing, I 'd ike to say, because I can remember when I moved here in the States 15 and 16 years ago, it was like flabbergasted to realize that no one had identity cards. They only had the driving license. And I discovered that some people had driving licenses, which had a sign on there "This driving license does not entitle you to drive". they only had it for identification purposes. And 15 years later, my mind is still blown as I think about it. But you brought a lot of interesting points and I'd say also something scary for some of the people who listens, which is-

Andrew Hughes: Yes, absolutely.

Vittorio Bertocci: You basically predicted the demise of one entire branch of our industry, which is identity proofing. Today there are a lot of providers that offer that as a service, because exactly it's hard to do. And so they offer services so that you can do a stronger proofing, strong identification of your users. The moment in which every user, just by virtue of having being granted a driving license has the ability to give high confidence proof of their own identity. What's going to happen to all these companies?

Andrew Hughes: All I can say is you said it not me. So everyone out there is not my fault. It wasn't me. Well, no. I like to follow the trends and themes in identification identity my industry, right? And today, especially in the US, the data brokers identity verification services of different types offer a necessary service because that's what's grown up here. In the future, so those companies exist in other parts of the world that have national identification cards too. The critical aspect that will allow them to transform and survive is you should never rely on a single point of truth or trust. So, yeah, that's great that I've got this electronic thing that seems to be signed by an issuer. But if that's all you look at, when you're giving me that million dollar loan, your risk department should be going through the roof. The identity verification services do risk and fraud detection, impossible movement detection, the teleportation stuff. And there are getting into the advanced AI driven behavioral characteristics of real human presence. So they're not going away. Their business might shift, but this is a multi human generation shift. This is not happening tomorrow.

Vittorio Bertocci: Oh yeah.

Andrew Hughes: This is 10, 20 years. We'll start to see it. And then another 10, 20 years it'll become the way it's done. Because we have to shift all the human processes and all the human infrastructure.

Vittorio Bertocci: And very like the usual divide now with COVID we are seeing this a lot in which in Europe, like in Italy, whenever I go visit, you have to show your green pass everywhere and it's on the phone. And frankly, not everyone has a smartphone or not everyone is literate to use it in the way, which is so I agree that this is going to take a while, but actually here there is a clarification that I need from you. Whenever I will use my Mobile Driving License, like save it, I have it on my iOS wallet and I use it. Whenever I use it is the department of a driving license going to know that I'm using it? Or am I going to be able to use these and keep my spending habits completely private from the identity provider?

Andrew Hughes: The 18013 standard is designed so that the mobile driver's license does not have to call home for the data or for revocation even. I mean, there's implementation choices for sure. So there are modes where the verification software does call back to the issuer or the data itself. But the predominant mode that we're seeing is where the data is provisioned with signatures to the device itself. And the verifier does not call back home for anything. You know, it's got to do a revocation check for certificates, but those don't have to be housed at the issuer. They can be housed in a distributed ledger, for example, or downloaded to the verifier in bulk. There are many other topologies for that. So no, it is not a requirement to call home from my opinion, it's not an ideal design. If you make the credential call home because you can never go offline and these things are designed to go offline.

Vittorio Bertocci: Right. Okay, great. So that solves the privacy problem or at least mitigates, but then does that mean that if I am establishment, you come in and you do your presentation, can I then turn around and use that presentation and pretend with MU to a different establishment?

Andrew Hughes: No, because the data on the device is signed to the device's key that's on the device itself. So to present the data objects onwards, you would have to have the private key of the device, which obviously you do not get when the credentials presented to you as an establishment. So no, there's no onward forwarding. The signatures are set up so that the data is protected using the signature from the issuer. But the presentation, the transmission is protected by the keys of the device itself.

Vittorio Bertocci: And hopefully there is a way of tying it to otherwise with just-

Andrew Hughes: Provisioning times.

Vittorio Bertocci: Okay.

Andrew Hughes: Yeah. There is actually a mobile security object it's called that's where the linkages are. So that is the mechanism used to contain hashes of the data objects. It has the public keys of the issuer and the device. So using that object, you can actually verify that it came from that device and came from that issuer. Yes.

Vittorio Bertocci: Great, fantastic. That does sound very similar to what SIOP does and they do the little presentation. Yeah. That's very interesting. So do you think we'll never get to a moment in which we will not have plastic cards?

Andrew Hughes: Not in my lifetime. And you'll have to guess how old I am.

Vittorio Bertocci: We'll have to cut a finger and count the rings.

Andrew Hughes: Yes, exactly. The thing is that the usefulness, utility and convenience of digital formats will drive adoption. Once we get beyond the mobile driver's license credential and get into all kinds of entitlements and capabilities and certificates, kinds of credentials. I mean, that's one of the dreams of the identity world is, there's a whole sub domain about all about credentials and how getting them into a wallet. And Kim Cameron was a great advocate of this. The wallet will be the place where you put your cards, your digital cards. And when we get to that point, you could have either the electronic, the digital or the plastic. Now, if you're going hiking in the woods for three weeks, you might want to take your plastic with you because batteries run out eventually here, whatever you drop your phone. So there'd always be coexistence of some kind. If I could predict that future, I'd probably quit my job and do whatever that is. That's predicted because it's going to be a big business in it.

Vittorio Bertocci: Indeed. And speaking of taking actions, this has been incredibly interesting, but I don't want to abuse of your time. So considering where things are today, if you were to issue a call for action to our audience, what would you say you'd like people to do?

Andrew Hughes: So if you're in a standardization body that is working on things similar to credentials, issuance, storage presentation, thinking about how proofs should work in a connected and disconnected worlds, find out where the touch point is to the ISO committees. Everyone on the ISO work groups, the committees dealing with the mobile driver's license is doing outreach. Now we're finding all the communities that should be, or could be, or want to be interacting with mobile driver's license and talking about how that's going to happen. So watch for the outreach, it's happening now, this podcast is even part of it, right? That's the main thing. Now, as regular people out there, keep your mind open. Right? I do an airport departure lounge test with this. I'll just pull out my demo app and I'll say," Would you ever use one of these?" And half the people say," Yes," half the people say," No" and it's by age, right? So the younger people say," Yeah, I forget my wallet. I can take my phone." Right. And that's what we're seeing. So it's shifting through the generations. Now, if you're in the industry, I predict that identity verification in all its forms is the next big thing. Right? So multifactor authentication, we've seen the technologies spike and now it's all deployment and more efficiency, more user experience, identity verification is now the thing. So it's been growing for the last couple years, starting with formal identity proofing. But now when we've got these digital credentials, the rest of verification is coming online and we're seeing really interesting product announcements coming out every week. So if you're looking for an industry to go into, that's a pretty good one to look at.

Vittorio Bertocci: Fantastic. Great, great advice. Not investor advice, but still advice. So again, I want to thank you so much for taking the time to talk with me. This was super interesting and I believe differently from the usual esoteric standards that we talk about on the show. This really has a potential of touching so many lives. So touching directly so many lives. As in people, we know that that's what we are doing, then it's not like the other stuff that is not other one. The other stuff is buried in the stack.

Andrew Hughes: Vittorio you're about to get some very angry tweets tweeted at you.

Vittorio Bertocci: Well, well, well, well let's stop for the bell.

Andrew Hughes: All standards are incredibly interesting. They form the infrastructure of our digital world.

Vittorio Bertocci: Yes. And the fact that we have a podcast about them and that's surprisingly you wouldn't believe when we started this. I thought, well, it's going to be like 12 people. Maybe that will listen to this. And instead we have amazing numbers. So yay for standards. But anyway, thanks again for taking the time to come here and tell us about the Mobile Driving License. I predict that maybe next year we might want to come back and see where we are at because you are conservative as in it's going to take some time and similar. But I believe that the use case is so compelling that we might see actually maybe a more compressed timeline than you suggested.

Andrew Hughes: Yes, it's been a pleasure talking with you, Vittorio. And you, I don't know if people could tell, but I'm a little excited about this topic, so I'm happy to come back anytime.

Vittorio Bertocci: Wonderful. Thank you. And thanks everyone for tuning in until next time. Thanks everyone for listening. Subscribe to our podcast on your favorite app or @ identityunlocked. com until next time. I'm Vittorio Bertocci and this is Identity, Unlocked. Music for is podcast composed and performed by Marcelo Woloski. Identity, Unlocked is powered by Auth0.