ISO 18013-5: ISO/IEC 18013-5:2021

Definition

Technical Architecture and Data Model

ISO 18013-5 defines a complete technical architecture built around the mDoc (Mobile Document) format. At its core, the standard uses CBOR (Concise Binary Object Representation) for efficient data encoding, making it well-suited for constrained environments and proximity-based communication channels.

The data model organizes credential attributes into namespaces. The primary namespace for driving licenses is org.iso.18013.5.1, which contains standardized data elements including family name, given name, date of birth, issuing country, document number, driving privileges, and portrait image. Each attribute is individually signed using Mobile Security Object (MSO) technology, enabling selective disclosure where only requested attributes are shared with a verifier.

The MSO contains a set of digest values (hashes) for each data element. When presenting credentials, the wallet reveals only the requested data elements along with the MSO. The verifier can then check that the hash of each revealed element matches the corresponding digest in the issuer-signed MSO, confirming both integrity and authenticity without requiring the full credential.

Device authentication is handled through a device key pair generated within the secure element of the mobile device. This key is bound to the credential at issuance time, ensuring that only the authorized device can present the credential. The standard supports both ECDSA and EdDSA signature algorithms for this purpose.

Proximity Presentation Protocols

One of the most important aspects of ISO 18013-5 is its definition of proximity-based credential presentation, designed for in-person verification scenarios such as traffic stops, age verification at point-of-sale, or border control checks.

The presentation flow begins with device engagement, where the mDL holder and verifier establish a communication channel. This can happen through NFC tap, QR code scanning, or Bluetooth Low Energy (BLE) discovery. The device engagement message contains the session encryption key and transport-specific parameters.

Once the communication channel is established, the verifier sends a request specifying which data elements it needs. The wallet application displays these requested elements to the user for consent. After the user approves, the wallet constructs a response containing only the approved attributes, signs it with the device key, and transmits it to the verifier over the established secure channel.

The entire exchange is encrypted using session keys derived during device engagement, protecting against eavesdropping. Importantly, the protocol supports offline verification since the verifier only needs the issuing authority certificate chain to validate the credential signature, which can be pre-cached.

Role in the EUDI Wallet Ecosystem

The EU Digital Identity Wallet Architecture and Reference Framework (ARF) mandates ISO 18013-5 as one of two primary credential formats, alongside SD-JWT based verifiable credentials. While SD-JWT is used for a broad range of credential types, ISO 18013-5 mDoc format is specifically required for mobile driving licenses and has been extended to other high-assurance document types.

Under the eIDAS 2.0 regulation, all EU Member States must issue EUDI Wallets that support ISO 18013-5 for driver license credentials. This means that a German driver license issued as an mDL must be verifiable by a French police officer using standard ISO 18013-5 proximity protocols, ensuring true cross-border interoperability.

The EU reference implementation of the EUDI Wallet, maintained as open-source on GitHub, includes full ISO 18013-5 support for both Android and iOS platforms. National wallet implementations such as the German AusweisApp, French France Identite, and Dutch NL-wallet all build upon this standard for their driving license credential handling.

ISO 18013-5 vs. ISO 18013-7: Online Extensions

While ISO 18013-5 focuses on proximity-based (face-to-face) presentation, the companion standard ISO 18013-7 extends the mDL framework to online and remote presentation scenarios. This is critical for use cases like online age verification, remote KYC (Know Your Customer) processes, and digital government services.

ISO 18013-7 defines how mDL credentials can be presented using web-based protocols, specifically integrating with OpenID4VP (OpenID for Verifiable Presentations). This allows a user to present their driving license credential to a website or online service through their EUDI Wallet app, maintaining the same security guarantees as proximity presentation.

Together, ISO 18013-5 and ISO 18013-7 provide the complete technical foundation for mobile driving licenses in the EUDI Wallet ecosystem, covering both physical and digital interaction channels. The standards ensure that the same credential issued to a user works smoothly whether they are presenting it at a traffic stop via NFC or verifying their identity online through a browser-based flow.

Related Terms