The W3C Credentials Community Group

Meeting Transcriptions and Audio Recordings (2014-today)

W3C CCG Weekly Teleconference

Transcript for 2023-12-12

Our Robot Overlords are scribing.
Harrison_Tang: Hello and welcome to this week's W3C CCG meeting.
Harrison_Tang: Double-checking that the transcriber works.
Harrison_Tang: Okay, good. So today we're very pleased to have Andrew Hughes to present and lead a discussion on the latest in the mDL, mobile driver's license, standards. But before we get to the main agenda I just want to quickly go through some admin stuff. First of all, a quick reminder on the code of ethics and professional conduct; I just want to make sure that we hold respectful conversations, as we have always had.
Harrison_Tang: A quick note on intellectual property: anyone can participate in these calls, however all substantive contributions to any CCG work items must be from members of the CCG with the full IPR agreement signed. So if you have any questions in regards to that, or if you encounter issues joining the CCG community or creating a W3C account, just email any of the co-chairs here. All right, a quick call note: these meetings are being... I guess... give me a second.
Our Robot Overlords are scribing.
Harrison_Tang: All right, so I hope the previous segment got recorded, but now it should work; let me double-check.
Harrison_Tang: All right, cool. So as you can tell, these meetings are being automatically recorded and automatically transcribed. We will publish the meeting minutes in the next few days. We use chat to queue the speakers: you can type in q+ to add yourself to the queue or q- to remove yourself, and you can type in q? to see who is in the queue. We also have an automatic video recording as well, but right now we haven't had a chance to add those links into the automatic email sent with the meeting minutes, so I'll do it manually in the weekly meeting agenda that I've sent every week in the past year.
Harrison_Tang: Next, introductions and reintroductions. If you're new to the community or you want to re-engage with the community, please feel free to just unmute and introduce yourself.
Benjamin Young: I have less of an introduction, but I'm Benjamin Young and I work for Digital Bazaar. I do have a pending PR that adds the video archive link to the emails that go out after this; if someone would like to review it, I'll paste it in chat.
Harrison_Tang: Thank you, thank you Benjamin.
Harrison_Tang: All right, any other introductions or reintroductions?
Harrison_Tang: All right, next: any announcements or reminders?
Harrison_Tang: Sorry, anyone else? Any other?
Kaliya Young: No, I have to do it myself, sorry. I just wanted to share that we have a new regional events page up on the IIW site that supports information about the regional events. I don't know if it's been updated yet, but the Africa event has actually shifted to probably being in early September; it hasn't been updated on the website yet and hopefully will be in the next week or so. We have the Digital Identity unConference Europe in June, and we'll probably be doing the APAC digital identity unconference in late December next year. And registration for Global IIW, as it were, in April is going to open before Christmas, so if you're keen to get an early bird ticket, look out for our super early bird tickets. That's all.
Harrison_Tang: Sounds good, thanks Kaliya. Any other announcements or reminders?
Harrison_Tang: A quick announcement, I guess we did that last week, but Will has joined us as a co-chair of the CCG; I just want to welcome him again. He will be helping out with a lot of stuff along with myself and Kimberly as well, so I just want to say a big thanks to Will for stepping up.
<will> Thx, happy to be involved :)
Harrison_Tang: Also a quick announcement: for the next two weeks, as customary, we don't have a CCG meeting, on December 19th and 26th. We will resume on January 2nd with a presentation by Dimitri on credentials rendering, so that'll be quite exciting, and then we'll have an exciting speaker line-up next year as well, so please continue to hop on, and also invite your friends and acquaintances to join us as well.
Harrison_Tang: Any other announcements or reminders?
Harrison_Tang: Any updates on the work items?
Harrison_Tang: Cool, so let's jump to the main agenda. So today we're very, very glad to have Andrew Hughes, who has been with the community for a long time and whom I would consider an expert in the ISO mobile driver's license standard. Very, very glad to have him here to talk about what's new and what the latest updates in the mDL standards are. So Andrew, the floor is yours.
Andrew_Hughes_(FaceTec): Great, thanks Harrison, happy to be here. It's been a while since I've met with the CCG; good to see things are thriving here. So a quick introduction for those of you that don't know me: I'm Andrew Hughes, obviously. I've been in the identity management, user-centric identity world for quite a while now, probably started somewhere around 2007, and have tried to dive as deep as I can into the new world of verifiable credentials and decentralized identity over the last four years. I guess I was at IDEMIA and then Ping Identity, two years each, working on basically the mobile ID product and interfacing, for those products, particularly with the ISO mobile driver's license standards, and I'd been giving an update to various groups, really just a high-level sort of where we're at for the ISO mDL, because it's not always obvious where the committee is at. So I'm glad to do this. Now, for those of you that don't know, I recently joined FaceTec back in November.
Andrew_Hughes_(FaceTec): I decided that I would strike out and try to address the big unsolved problem with digital credentials, which is the binding of the human to the digital credential, by which we generally mean biometrics and liveness detection, and that's what FaceTec does. So I've joined a new set of ISO committees, which I hope is going to go well, on biometrics. So with that, enough of that, now let's get into the presentation. I'm happy to take questions at any time. I'm not getting into any deep technical discussions on this, but yeah, looking forward to any questions or discussion as we go. I'll let you guys manage the queue because I'm not watching the chat.
Andrew_Hughes_(FaceTec): I'm going to do a quick overview of what's happened up to now and then take a deeper dive into 18013-7, which is mDL presentation over the internet, which is where the action is happening. I just want to put a couple of slides in here about ISO, the International Organization for Standardization. I think that it's hard to grasp what ISO is to the world; it isn't just IT standards, it is all the standards for goods and services. You can find all this material at iso.org. So it's over 75 years old and it's actually published over 25,000 international standards, so the IT part of ISO is a tiny slice, and all of it is in this Joint Technical Committee 1. So back in 1987 the IEC, the International Electrotechnical, well, whatever the C is, Consortium maybe, and ISO discovered that they were doing a lot of overlap in the technology and information technology standards, so they decided to create this joint technical committee and then put all of the ICT, the information and communication technology, standards within JTC 1.
Andrew_Hughes_(FaceTec): ISO, as most of you know it, is actually JTC 1, so all of our well-known standards like the ISO 27000 series for information security, 9000 for quality management, 14000 for environmental management, actually no, not 14000 and 9000, sorry, 27000 is JTC 1, and also all of the mDL work; SC 17 is in JTC 1.
Andrew_Hughes_(FaceTec): So, long history, it's a big organization when you look at it as a whole, and you know it evolves from time to time, as we might all notice. Okay, so enough of that.
Andrew_Hughes_(FaceTec): So the mDL projects happen within JTC 1 subcommittee 17, or SC 17. And very briefly, in one of the working groups within the subcommittee there's a project family for the project number 23220, and the idea of these standards is to specify generic mobile eID. So to be clear, these generic eID specifications try to cover the ground, you know, from data objects and the issuing phase, the operational phase, which we know is presentation, and lifecycle management. We cover trust models and confidence levels, so how can you be certain, and how do you communicate certainty over the security and trust of the devices and credentials that are being communicated. And more recently part 6 has started on how to determine the genuineness of a secure area, which is what we call things like secure elements or the Secure Enclave, that sort of thing; secure area is just a generic term for that. Well, what should I say about these? These are building blocks really. So in ISO we have several different kinds of standards: we have some that are more specification-style, where the requirements are specified unambiguously and in detail and you can determine conformance to those requirements directly. We also have these kinds of framework standards or building-block standards like these ones, where all of the options are set out, so, for example, in the operational phase we talk about presentation of a mobile eID or mdoc over Bluetooth, or over TCP/IP in a few different ways, or over NFC, and we require implementers to define a profile of the choices they have made coming out of the frameworks, because there are too many choices in the frameworks by design. So the standards that you know of as ISO 18013 part 5 and, soon hopefully, 18013 part 7, those are actually profiles of mostly 23220 part 4 and 23220 part 2. So that's where these are going. So you'll see that I'm not sure there's much more to be said on this; I've spoken about this one for many years.
Andrew_Hughes_(FaceTec): So the main mobile driver's license standard is ISO 18013 part 5. I went back to the project timeline site at ISO just to get this image, which is teeny tiny, but you'll have the slides afterwards if you care to take a look. All right, so there's a formal publication process; there are all kinds of reviews and registrations and checks and that sort of thing, and these are all the official stages. The first time that the committee tried to start the mobile driver's license, back in 2015, did not quite achieve launch, so the standard that we have published today was actually approved in 2018, and that's where the current work came from.
Andrew_Hughes_(FaceTec): It was published as an international standard in 2021, and as part of the ISO maintenance process there's a mandatory periodic review, five years, so in 2026. But in 2024 and 2025 the committee has to start considering what might happen in 2026: do we keep the standard as is with no change, do we withdraw it, do we start a revision, that sort of thing. So clearly things have changed since 2021 and before, so there will be some sort of changes; I can't predict what those changes might be. Now 18013-5, as I've described in the past and many of you know, covers the data structures and data model of a mobile driver's license, the mdoc data structure, the mobile document data structure, and it primarily concerns over-the-air local radio transmission, engagement and transmission of the data structure. It includes various security features, including selective disclosure, or selective release of information, and includes ways to sort of make claims, as opposed to... And there's also so-called server retrieval modes, which were added because certain issuing authorities needed them for their scenarios, but most people tend to view it as device over-the-air transmission of a mobile driver's license. Now, if there is a point I want to make very clear about this whole family: they're not generic driver's license and generic eID standards, these are designed for mobile devices, and that's causing us lots of pain in the ISO committee, which I'll get into. Our life would be so much easier if this was just on, you know, regular operating systems and regular devices. There's a couple of other relevant 18013 projects, related projects: part 6 is tests, if you want to test for conformity, and then there's also this technical specification under development for registration certificates for vehicles. It turns out that every jurisdiction not only has a different way of doing driver's licenses, they have wildly different concepts of what a registration certificate is supposed to represent, so that's a bit of excitement in that one. One of the things that we've been doing, not as the ISO committee but as people that are involved in the ISO work, is running interoperability test events. There was actually one happening last week, I think, adjacent to the in-person ISO committee meetings in Paris. I wasn't involved in that one; I've been stepping back a little bit as I figure out how my new job role relates to the mobile driver's license world and work, so I'm a little bit out of date on that. But before then Spruce ID coordinated a fully remote interop test for 18013-7, which is mDL over the internet. You can see the test event results at that URL; you'll have the slide decks afterwards. But it was interesting, I guess, sort of a two-week testing window where reader servers were able to receive mDLs from mDL apps over the internet through two different protocols, and, you know, some stuff was discovered, and the whole idea was to feed the information back into the draft standard just to make sure that the thing works, as far as we can tell, before publication.
Andrew_Hughes_(FaceTec): So let's get into 18013 part 7, which I call mDL over the internet.
Andrew_Hughes_(FaceTec): So here's the text from the scope statement in the document. So technically 18013-7 is about add-on functions that add onto what was defined in 18013-7, but specifically the only add-on function we added was presentation to a reader over the internet. There were others that were hanging around in previous versions of the scope, but we discovered that there were too many things to work on simply with over the internet, so we've postponed some of the other things like holder binding, as we know it, connecting the human to the presentation, that sort of thing. That will come out in later editions in the 18013 series.
Andrew_Hughes_(FaceTec): So what's included: the famous diagram, which, if you've been around, you've seen before; we're trying to carry this diagram through. 18013-7 is concerned with interface 2, between the mDL app and the mDL reader. In the language of our committee, the reader is software that engages with an mDL app and does the transmission stuff; the mDL verifier is the entity that operates a reader, the relying party. So I'm trying to stay with mDL and mDL reader as the entities that are interchanging, so we don't have to deal with operational concerns of the verifier or a holder, and this is really about interface 2, that's engagement and transmission over the internet.
Andrew_Hughes_(FaceTec): Very crucially, we are only dealing with same-device. This is where the reader website is rendered on a mobile device browser, and the mDL itself, and the app that manages it, is present on the same device. We are not doing cross-device; we're not doing things like using a camera to scan a QR code on a laptop or whatever. There are security concerns that are not easily addressed in the cross-device scenario, so we decided to try to focus on something that we can do, which is same-device, and wait for the cross-device scenarios in general to be more fully developed before we try to address cross-device. There's enough to do with same-device, and we're working on it.
Andrew_Hughes_(FaceTec): As I mentioned before, there are two protocols defined in 18013-7: the mdoc device retrieval to a website, otherwise known, weirdly, as the REST API, and also a profile of OpenID for Verifiable Presentations. So we have those two options within this spec.
Andrew_Hughes_(FaceTec): But it's complicated; nothing's easy.
Andrew_Hughes_(FaceTec): A secure channel is set up based on that engagement data. We do offer the possibility of transmitting the engagement data in any other way, because it's not always pragmatic or practical or sensible to have the reader directly send engagement data to the app. For example, with OpenID4VP, you know, we can use server metadata published at well-known URLs to present engagement data; it does not have to come directly from the reader, and there are many other considerations.
Andrew_Hughes_(FaceTec): Did I use the same title for this slide? I think I might have done that. So the things that carry over from part 5 really are the data structure and data element models.
Andrew_Hughes_(FaceTec): Sorry, I think I might have a typo there; I don't know why I said that. So the data structure and data elements come from part 5 and are reused in part 7, along with the concept of interfaces and many of the security mechanisms that make sense for over the internet, so mechanisms for session encryption, some of the session management stuff that makes sense for TCP/IP and HTTP, and the various rules for... and I'm talking about that sort of thing. The underlying intention is really to transport mdoc-format mDLs over the internet just like part 5 transports them over BLE, NFC and Wi-Fi; that's where we started. And you can think of it as mDL runs into the brick wall of the internet, and we've had to readjust how the committee thinks of mDLs and transmission over the last couple of years as we were getting the 23220 parts done.
Andrew_Hughes_(FaceTec): Because mobile devices are different. I'm embarrassed, but not really embarrassed, to say that it took me until maybe a year ago to really comprehend that a mobile device is not a super small laptop, because that's what I kind of thought it was before. It doesn't behave the same way; there are lots of constraints, there are lots of things you can't do on a mobile device, for good reasons, that you are able to do on a Unix or Windows laptop, and it unfortunately causes basically bad assumptions if you misconstrue what a mobile device is and how apps and OSes work on mobile devices.
Andrew_Hughes_(FaceTec): It's hard to detect when somebody has incorrect assumptions about the operating environment until you come to very specific things, like the ability for an app to have any visibility whatsoever into anything else about the device it's running on. Apps can't know about other installed apps, and many of the details about system resources are obscured or hidden or not available to an app. And basically everything runs in a sandbox; there are different kinds of sandboxes, and different functions are available in different kinds of sandboxes, but the app doesn't know anything outside of its sandbox and what's offered through it, which makes it kind of hard for one app to talk to another. Kind of bottom line.
Andrew_Hughes_(FaceTec): What that kind of resulted in is some challenges for the ISO work group that really have come to a head in the last year. Things that most of us thought were reality about mobile devices and mobile apps turned out to be just bad assumptions, so we've had to do some scrambling and adjustment, some rethinking about how some of the stuff was done, and it spawned off some other group in all of this that is heavily related to the ISO work group work. So, some of them: you know, when we're handing off control from a website to an mdoc app, we really need guarantees that the mdoc app has valid and correct origin information about where the request came from. We use this origin info to pass on to the reader so the reader can confirm that there hasn't been some sort of substitution or misdirection. Availability of secured, verified, true origin info just varies on different mobile browsers and different classes, so we can't get guarantees that every single instance of an mDL app will be able to know the origin of the request, which is a problem, because we would like to use that for detection of interception, misdirection, that sort of thing.
Andrew_Hughes_(FaceTec): We've discovered that some of the typical methods that you would see out in the wild for invocation of a native app on a mobile device just don't work for what we need to do with mdocs and mDLs. So custom URL schemes or claimed URLs: they're not entirely supported, and they just don't really work in a consistent, deterministic way on mobile devices. They're more or less a hack by which a website can invoke its own app, right? So the LinkedIn website can make a deep link call, which we often call a deep link, so the LinkedIn app takes over from the website, for user experience and user convenience. URL schemes and claimed URLs are not designed, as far as I can tell, and I've not been told otherwise, they're not designed for where a website operated by one entity wants to invoke an app supplied by somebody else, you know, not itself. You might imagine this might happen if, let's say, an e-commerce website asks for a mobile driver's license coming from the state of Utah. Well, they're different vendors, and the custom URL schemes and URL handlers operate in ways that make it hard for the relying party to determine a list, to specify which apps should be invoked or could be invoked and selected by the user.
Andrew_Hughes_(FaceTec): There are many write-ups about this which I can point you at if you wish, and I'll probably put a link in here for the real published document also. Now the challenge with the ISO work group, and for all of us actually in the digital credentials world, is that somehow we're thinking that users can actually do what we think they should do correctly all the time, in a world where there's an unlimited number of digital credentials and a large number of credential wallets. It's just unrealistic. Now I don't really know what the solution is for that, but these are some of the challenges for the ISO work group that we're trying to figure out, trying to work through. And of course there are no easy solutions, otherwise we'd be done by now.
Andrew_Hughes_(FaceTec): We're negotiating internally fairly intensely, for the last six to nine months, on how we can standardize mobile driver's licenses on mobile devices, and communication to mDL verifiers over the internet, in ways that don't, you know, torpedo our own intentions, and in ways that are not harmful to individuals and institutions and the like. Like I mentioned on the previous slide, and I probably said too much about it, the way mobile devices work makes it hard to move forward in a way that doesn't introduce really crummy UX or introduce security vulnerabilities that we can predict and know of in advance; it would be bad to standardize those things. So we're in deep discussion about how we're going to resolve this and how we're going to deal with it. Now I will point out that I believe that other groups are trying to do digital credentials of various flavors on mobile devices and have the same problems that must be solved; it's not unique to the ISO committee. Some groups are choosing to ignore it and let implementers do what they can; some are trying to get to a place of safe, secure, non-harmful specification, but there is no easy path on this one. However there will be, we hope, in the future.
Andrew_Hughes_(FaceTec): So some of you will be aware of the W3C Web Incubator Community Group, the WICG. They've started actively working on this Identity Credential browser API, previously known as the Mobile Document Request API. The idea came from, was proposed by, members of the ISO work group, the ISO committee, basically to define a mobile browser API that can be invoked to pass a credential request to a selection process, processor, router sort of thing, so that the request can make it to the correct app, whichever one that is; the app can cause a credential to be selected, presumably by the user in some manner, and then the credential is delivered back either via the API or through some other manner, like directly. I forgot the URL. Anyway, the discussions are very interesting right now because, you know, we've got major browser and OS vendors participating very strongly, which is very encouraging, so the Android, Chrome and iOS folks, and Microsoft is playing a deep role as well; they're talking this through and trying to discover what's the minimum thing that needs to be standardized. But it's going to take a while; you know, as all of you know, formal publication of standards takes years. We're hopeful, generally, as a community, that there can be some interim implementations available that can be used, that will actually help solve some of the problems in advance of publication of the standard. One difficulty for the ISO committee, of course, is that we have no influence directly and no control over what is developed in W3C; we can participate in that process, we can make suggestions and requests, but what comes out of another standards body is up to the other standards body. So we're giving as much guidance as we can, and we're participating as individuals as much as we can, to basically look out for the interests of the 18013 part 7 project, so we hopefully will have it working sooner rather than later.
Andrew_Hughes_(FaceTec): And again, you can't say this enough times, there's seemingly an infinite amount of complexity if we consider the many-wallets, many-credentials world, where any app can be a storage place for a credential or credentials, where a request may come in for data attributes from more than one credential, for two full credentials or more. There's no simple or simplistic way to address the many-many ecosystem, but at some point presumably the early implementations will come out dealing with single credentials and limited data sets, so that these things can be used in the wild, and then as time goes on, with experience, we can start addressing the many-many scenarios. Okay, last slide.
Andrew_Hughes_(FaceTec): So I'm not in Paris; everyone else is discussing the latest round of proposals for 18013-7. We're pushing as hard as we are able to get to a ballotable draft that goes out to the national bodies, national standards bodies; it's part of the ISO publication process. I'm still wildly optimistic that we can publish in 2024 if we can get some agreement, like this week, and we'll let you know, but it might be in 2025. Mostly the timeline is very fluid, but 2024 is what we're hoping to do.
Andrew_Hughes_(FaceTec): Some of you may have heard about NIST and DHS doing U.S. National Cybersecurity Center of Excellence projects for mDL implementations. I believe the call for interest has closed; it was in fall 2023, and they're working through all the applications and submissions to structure several proof-of-concept projects testing out different aspects of mobile driver's licenses.
Andrew_Hughes_(FaceTec): And then, you know, once 18013 part 7 is published, we have more work to do as a committee to deal with all the other stuff, but one of the things that was removed from the scope is this person-as-credential-subject binding or proving, so you can expect that to be very high on the candidate list for what to work on next.
Andrew_Hughes_(FaceTec): And this is me. So hopefully that was a reasonable view; happy to take any questions, any discussion from the group.
Adrian Gropper: So yes, maybe related to your last statement, can you, I'm understanding the complexity, and obvious complexity, of what you're describing; where do biometrics fit in? Sort of, how is that impacting or not impacting the short-term stuff that you're talking about for 2024?
Andrew_Hughes_(FaceTec): So it's not impacting it. So biometrics is not in the scope of standardization for 18013 part 5 or part 7. The choice to use or not use biometrics for, let's say, unlocking the device or unlocking the app or authorizing presentation of an mDL, that usage is entirely up to an implementer to choose, or not to do it. And the extent to which the ISO committee was considering signaling this holder binding aspect, we were starting with basically a data structure to communicate that holder binding was achieved; we were not looking to standardize biometrics of any kind. But it's not out of the realm of possibility that we might mention biometrics down the road, but it's something we don't need to standardize because, a, it's too big and covers too many other areas of work, and we need to really focus on getting the driver's license over the internet first and making sure that we've got cautionary notes, implementation guidance, on how implementers should be securing these apps and presentations.
Harrison_Tang: Any other questions?
Andrew_Hughes_(FaceTec): Oh come on, David Wade, I know you got a question for me, come on. Ask me about encryption keys.
Harrison_Tang: Before David thinks of a question, I do have a question on your earlier slides. You mentioned that different states have different ideas on what a driver's license represents; can you go a little bit deeper into that? I found that interesting.
Andrew_Hughes_(FaceTec): Okay, I'm not sure I had it in this presentation, but yes, certainly.
Andrew_Hughes_(FaceTec): What is the driver's license so there's there's a sort of Quasi Phyllis philosophical question about if in the place you live there must be an identification document issued by a government Authority what shouldn't he should be something that is a national identification document a regional identification documents.
Andrew_Hughes_(FaceTec): a very.
Andrew_Hughes_(FaceTec): To scale identification document should it be a commonly held credential that stands in for a formal identification document and the answer of course all the questions is yes it depends so in in the US and I was to I've been talking with several of the driver over motor vehicle.
Andrew_Hughes_(FaceTec): Straighter driving driving license offices over the years and I was surprised to find that the opinion of what is a driver's license and how does it relate to an identical identification document.
Andrew_Hughes_(FaceTec): What is what is the opinion in the US and the opinion is any of the above so some states view it be the driver's license is a permit to drive.
Andrew_Hughes_(FaceTec): Some view it as an identification document issued by the state.
Andrew_Hughes_(FaceTec): Some view it as the combination of both.
Andrew_Hughes_(FaceTec): And that the nature of the multi-part document Concepts exist in other places as well so for example in Australia Austria roads they really consider the dryer the mdl mobile driver's license to be of the permit to drive flavor because they have a concept of identification documents for Australians.
Andrew_Hughes_(FaceTec): They're trying to be more National identification documents so driver's license is tend to be viewed as permits to drive so I have no answer I just have those little bits of information.
Harrison_Tang: So how does that change and impact the mdl how does this these different requirements like impact mdl like standards when you when you're trying to formulate them.
Andrew_Hughes_(FaceTec): So they they they don't I mean the they don't really so you know we the committee has you know a strong understanding the personal information that is present on a driver's license in the data model could be used for identification and often will be used for identification purposes it's sensitive it's not to be released or.
Andrew_Hughes_(FaceTec): a gated.
Andrew_Hughes_(FaceTec): It's needs protection in various ways and that's kind of being the guidance The Guiding concept at at implementation time when companies and organizations to build software how they represent the mdl will vary but that is specifically not controllable by a.
Andrew_Hughes_(FaceTec): Anders body.
Andrew_Hughes_(FaceTec): Let's talk about transmission protocols it's just not something that we can specify we can have guidance we can have the security privacy Annex we can have discussions but what a developer does with software is kind of entirely up to the developer we have no way to control what they do we hopefully we hope that are well informed they do things that are not harmful.
Adrian Gropper: So what can you say about calling home as it relates to the stuff you're primarily talking about you know the communication between the Oreo holder agents and verify our agents it is the iso process consider calling home absolutely a no no or is it part of what's under consideration or is it completely irrelevant.
Adrian Gropper: And out of scope.
Andrew_Hughes_(FaceTec): What do you mean by calling home.
Andrew_Hughes_(FaceTec): Because it means many things to everybody all right.
Andrew_Hughes_(FaceTec): The physical yeah yeah yeah.
Adrian Gropper: Well what I mean simply is you know when the cop pulls you over and ask for your driver's license takes it to the car and looks it up in whatever database they look this stuff up in right so when that's all I mean that's exactly what I mean same thing at a border crossing.
Andrew_Hughes_(FaceTec): Right so long law enforcement.
Andrew_Hughes_(FaceTec): Is authorized to do such things.
Andrew_Hughes_(FaceTec): The the whole concept of.
Andrew_Hughes_(FaceTec): A authorized agent looking you up in some database databases that is explicitly authorized activity.
Andrew_Hughes_(FaceTec): There is nothing in the iso standard that prohibit prohibits lawful use of whatever implementers create period.
Andrew_Hughes_(FaceTec): That's my opinion on calling home in the lawfully authorized situation.
Adrian Gropper: I guess I guess my question was is this something that the group actively tries to avoid in the unauthorized situations.
Andrew_Hughes_(FaceTec): In a 2013 5 and 8 2013 7 we've explicitly defined protocols that do not require the verifier or the the reader to connect with the issue.
Andrew_Hughes_(FaceTec): So there are options available that just do not require any sort of communication at transaction time between the reader and the issuer now.
Adrian Gropper: But how about intermediaries other than the issuer.
Andrew_Hughes_(FaceTec): We have no control over the Internet or infrastructure I mean we specify way ways especially in the well actually we do not require any live connection and transaction time between the reader and the issuer or their agents or intermediaries there are ways.
Andrew_Hughes_(FaceTec): With obviously with server retrieval you're doing a live record retrieval and some jurisdictions require that but.
Andrew_Hughes_(FaceTec): Most some number of implementations agree with the must be able to use it without having to confirm anything with the issuer directly at transaction time I'm trying to be careful with the language I'm using because I believe that the phrase calling home has lots of unintended meanings.
Adrian Gropper: Know your your answer was reasonably clear are you saying that the assumption is that there is no network other than whatever is being used locally between the holder and the reader.
Andrew_Hughes_(FaceTec): We don't make any assumptions on the iso committee for that that's entirely implementation-dependent what we do allow for 18 2013 5 for the local transmission over the air is completely disconnected from the internet usage right so the so-called offline use where the reader has no internet connectivity and the mobile device has no internet connectivity.
Andrew_Hughes_(FaceTec): and there are there are.
Andrew_Hughes_(FaceTec): That directly support that operation so that there's no possibility of calling home in that scenario now you know I my personal hope is that for the in-person presentation implementers you know hopefully would tend to use that mode but again it we can't control what implementers choose to do.
Harrison_Tang: Right now we have one one more question and Suzanne you're on the Queue sorry we're almost home.
Susan_Stroud: Yes very good I just wanted to kind of go back to the state conversation and understand you know and scenarios where a state may have extended the life of a valid license maybe six months past expiration this happened a lot during covid maybe not all states experienced this but your driver's license could indeed be expired for upwards of six months before it was considered expired and so as we think so much about credentials.
Susan_Stroud: and whether they're valid and whether or not they're.
Susan_Stroud: Their time frame.
Susan_Stroud: I'm just curious how these scenarios come up where states are other areas may need to extend the life of a particular credential due to an event that does not necessarily mean reissuing the credential.
Andrew_Hughes_(FaceTec): Yeah yeah so one of the things that is sort of embedded in the whole operational mode for drivers per M Knox and other credentials is this idea of refreshed so there are mechanisms that you could use to refresh.
Andrew_Hughes_(FaceTec): Driver's license without reissuing it where reissuance would mean the full on go to the drivers office do the picture do the dance all that stuff so there are mechanisms that permit refresh and driver's licenses now how each state and their implementers chose to do this thing of extension beyond the original date I have no direct knowledge.
Andrew_Hughes_(FaceTec): I think there's.
Andrew_Hughes_(FaceTec): There's a handful of companies actually have licenses in the field and really what we're talking about there is in the realm of changing the acceptance policy of verifiers so the organizations that operate readers they get they have the ultimate choice about what to accept and what to believe from the driver's license transaction so if we verify or says.
Andrew_Hughes_(FaceTec): that their local policy is the credential must not be expired.
Andrew_Hughes_(FaceTec): . fendall rejected it's a verifier says oh wait a minute.
Andrew_Hughes_(FaceTec): We will accept a an mdl that has been expired for six months because of the following reasons then they'll accept it but in the technical standard there's nothing that talks about any of that.
Harrison_Tang: Cool thanks well thank you Andrew we're at time but thank you for a great presentation and great discussion.
Harrison_Tang: I think this concludes that today's CG meeting again like next two weeks we'll be off we won't have a CG meetings for the next two weeks and will resume on Tuesday January 2nd.
Harrison_Tang: Might have a good one and happy holidays thanks.
Andrew_Hughes_(FaceTec): Thanks everyone bye.