15H/ MOBILE CREDENTIALS - wish lists, changes to standards org, how to help each other Hughes

From IIW

MOBILE CREDENTIALS - wish lists, changes to standards org, how to help each other

Session Convener: Andrew Hughes andrewhughes@pingidentity.com

Notes-taker(s): Andrew Hughes

Tags / links to resources / technology discussed, related to this session:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

  • The group brainstormed things that we want to request from other groups or organizations. There are some action items for follow-up that each of us will pick up and take back into our standards bodies.

  • Wish list – to device manufacturers
    • 3rd party vendors can implement all listed functions from 18013-5 spec – e.g. NFC engagement is not possible for 3rd party apps on iOS
    • Secure Area / Enclave access – functions and data access are limited
    • Access (read or create) to multiple biometric template profiles (e.g. apps can only see that a biometric check passed/failed) – this limits information needed for authorization/decisions by the app
      • E.g. apps have to add in-app authentication functions to get unique identification of the human

  • Wish list – for operating systems
    • User choice of invoked wallet (e.g. Custom URL scheme / Universal links) – to support wallet choosers (this is a dubious request)
      • E.g. scan QR with native camera app – behavior is to send user to platform wallet

  • Wish list – for standards work groups
    • eCommerce presentment of mobile DL data
      • What are the requirements for this?
    • Liaison agreements
    • Active sharing of concepts and information
    • Individuals who can participate in WGs in different standards bodies
    • Regular Communication inwards/outwards
    • Awareness sessions / listening sessions
    • Common issuance/provisioning protocol standards that can handle any credential type
    • Consider abstracting the standards to accommodate non-platform software/hardware solutions
    • Recommended guidelines for hardware minimums – e.g. for different assurance levels
    • Open test suites & interoperability harnesses
    • Address terminal authentication – opens the user to risks if terminals cannot be authenticated (it is optional in 18013-5 today)
    • Could there be a “CBOR serialization” of VC?
    • Recognize existing well-exercised standards and technologies in own standards e.g. crypto suite selection, layering, etc.
    • Push generalizable topics to more-suitable standards WGs e.g. the mechanisms for crypto agility should be pushed to IETF; the concept of Secure Area should be exposed to the wider industry
    • Education sessions on implementation complexity and heavy lift of standards choices e.g. “Developers really don’t like working with CBOR” – so teach standards writers why this is true
    • Secure Area / key attestation formats are exploding – this needs standardization or coordination
    • Look into an ISO IWA workshop to jointly develop <something>
    • Support import/export operations e.g. move credential to another wallet

  • Wish list – for regulators/legislators
    • Harmonization of regulations across jurisdictional authorities
    • Avoid closing down usage / presentation purpose – e.g. limitation for DL usage only is not great
    • Citizen protections – robust recourse pathways
    • Budget allocation to support technical implementation and marketing and public perception

  • Wish list – for Industry
    • Standards for measurement of enrollment mechanisms – degree of binding strength between person and DMV record
    • Kantara Initiative has an active WG “Privacy Enhancing Mobile Credentials” – defining requirements on Verifiers, Issuers and software vendors for protection of information