How does mDoc differ from SD-JWT as a credential format?

mDoc uses CBOR (binary) encoding and COSE signatures, while SD-JWT uses JSON encoding and JOSE/JWS signatures. mDoc was designed primarily for proximity (in-person) presentations via NFC and Bluetooth, making it more efficient for offline scenarios. SD-JWT was designed for web-based (remote) presentations. EUDI Wallets must support both formats: mDoc for driver licenses and proximity use cases, SD-JWT for remote online presentations. Both support selective disclosure of attributes.

What types of credentials use the mDoc format in EUDI Wallets?

The mDoc format is mandatory for mobile driving licenses (mDL) as defined in ISO 18013-5. It is also being extended to other document types through ISO 23220 (mobile eID) and ISO 18013-7 (online mDL verification). Within EUDI Wallets, mDoc is the primary format for credentials that may need offline verification: driver licenses, national ID cards (PID in mDoc format), vehicle registration documents, and other government-issued documents that may be checked in proximity scenarios like traffic stops.

Can mDoc credentials be verified without internet connectivity?

Yes, offline verification is a core design feature of mDoc. The credential contains the issuer's digital signature (using COSE) and the necessary certificate chain for verification. A verifier with pre-loaded issuer certificates can cryptographically verify an mDoc credential without any internet connection. The presentation protocol (ISO 18013-5 Part 8) uses NFC or Bluetooth Low Energy for direct device-to-device communication. The only limitation is that revocation status cannot be checked offline unless cached.

mDoc (Mobile Document) - EUDI Wallet Glossary

mDoc

technical

Full Name: Mobile Document

Definition

mDoc (Mobile Document) is a credential data format defined by the ISO 18013-5 standard, originally developed for mobile driving licenses (mDL) and subsequently extended to other identity documents. mDoc uses CBOR (Concise Binary Object Representation) for efficient binary encoding and COSE (CBOR Object Signing and Encryption) for cryptographic signatures. In the EUDI Wallet ecosystem, mDoc serves as one of the two mandatory credential formats alongside SD-JWT, with particular strength in proximity (in-person) presentation scenarios where compact binary encoding and offline verification capabilities are essential.

CBOR Encoding and Data Structure

Unlike JSON-based credential formats that use text encoding, mDoc uses CBOR -- a binary data serialization format standardized in RFC 8949. CBOR provides several advantages for mobile identity documents: it produces significantly smaller payloads than JSON (typically 30-50% smaller), it supports deterministic encoding (essential for consistent signature verification), and it has efficient parsing performance on resource-constrained devices.

An mDoc credential is structured as a set of namespaces, each containing data elements (attributes). The primary namespace for a mobile driving license is "org.iso.18013.5.1", containing elements like family_name, given_name, birth_date, document_number, and driving_privileges. For EUDI Wallet Person Identification Data (PID), the namespace "eu.europa.ec.eudi.pid.1" defines the core identity attributes.

Each data element within the mDoc is individually signed using an Issuer Signed Item structure, which includes a random salt, the element identifier, the element value, and a digest. This per-element signing is what enables selective disclosure -- the wallet can reveal specific attributes while keeping others hidden, because the verifier can confirm the signature over each individual element independently.

The Mobile Security Object (MSO) is the core cryptographic component of an mDoc, containing the issuer's signature over the digests of all data elements, the validity period of the credential, and the device key binding information. The MSO uses COSE_Sign1 for the issuer's signature, typically with ECDSA on the P-256 curve.

Proximity Presentation Protocol

mDoc was designed from the ground up for proximity (face-to-face) presentations, which is its primary advantage over web-oriented credential formats. The ISO 18013-5 presentation protocol defines a complete flow for device-to-device credential transfer using NFC for session establishment and Bluetooth Low Energy (BLE) or Wi-Fi Aware for data transfer.

The presentation flow begins with device engagement: the verifier's reader and the user's wallet establish a secure session, typically initiated by NFC tap or QR code scan. Both devices generate ephemeral key pairs and perform ECDH key agreement to establish a shared session encryption key. All subsequent data transfer is encrypted with this session key, preventing eavesdropping even on wireless channels.

The verifier sends a request specifying which data elements it needs (implementing least privilege). The wallet displays the requested attributes to the user for consent. Upon approval, the wallet constructs a response containing only the approved elements with their individual signatures, plus a device signature proving possession of the device-bound key. The verifier validates both the issuer signatures (proving authentic issuance) and the device signature (proving the presenter is the legitimate holder).

This entire flow can operate completely offline -- neither the wallet device nor the verifier's reader needs internet connectivity. This makes mDoc presentations ideal for scenarios like police traffic stops, airport border control, or age verification at venues where connectivity may be unreliable.

mDoc vs SD-JWT in the EUDI Wallet Ecosystem

The EUDI Wallet Architecture Reference Framework requires support for both mDoc and SD-JWT credential formats, recognizing that each has strengths for different use cases. mDoc excels in proximity presentations with its compact binary encoding, established proximity protocols, and mature offline verification capabilities. SD-JWT excels in remote (online) presentations with its alignment with existing web infrastructure, OAuth 2.0/OpenID Connect integration, and familiarity to web developers.

For driving licenses specifically, mDoc (as defined in ISO 18013-5) is the mandatory format. ISO 18013-7 extends this to online mDL verification, maintaining the mDoc data model while adding HTTP-based presentation mechanisms that complement the proximity protocols of Part 5. The OpenID4VP protocol supports presenting both mDoc and SD-JWT credentials in online flows.

In practice, many EUDI Wallet implementations issue the same credential in both formats simultaneously. A Person Identification Data (PID) credential might exist as both an mDoc (for proximity presentations at physical service points) and an SD-JWT (for online government service authentication). The wallet automatically selects the appropriate format based on the presentation context.

Related Terms

ISO 18013-5

The international standard defining the mDoc format

NFC

Near-field communication for mDoc proximity presentations

Official Documentation

Learn more about mDoc from official sources.

View Official Documentation →

What is mDoc?

mDoc: Mobile Document

mDoc

Definition

CBOR Encoding and Data Structure

Proximity Presentation Protocol

mDoc vs SD-JWT in the EUDI Wallet Ecosystem

Related Terms

ISO 18013-5

NFC

Official Documentation

Frequently Asked Questions

Verwandte Leitfäden

→ Glossary Index

→ ISO 18013-5

→ NFC

→ Offline Verification

Quellen

⚠️ Independent Information