
Mobile Driver's License (mDL)

Internal structure of an ISO/IEC 18013-5 compliant mobile driver's license (mDL). The ".5.1" that appears in identifiers such as org.iso.18013.5.1.mDL is the namespace and docType version defined by that standard, not a separate standard number.

What is ISO/IEC 18013-5?

ISO/IEC 18013-5 is the international standard for mobile driver's licenses. It defines the data model of the credential, the CBOR/COSE encoding that protects it with issuer and device signatures, and the protocol a wallet uses to present it to a reader (engagement over QR or NFC, data exchange over BLE, NFC or Wi-Fi Aware) with selective disclosure of individual data elements.

High-Level Structure

{
"version": "1.0",
"documents": [
{
"docType": "org.iso.18013.5.1.mDL",
"issuerSigned": { /* Data signed by the issuer */ },
"deviceSigned": { /* Data signed by the device */ },
"status": 0
}
]
}

Component Breakdown

1. Document Metadata

Field      Description
version    mDL format version
docType    Document type identifier (org.iso.18013.5.1.mDL)
status     Status code (0 = OK). In the ISO/IEC 18013-5 DeviceResponse structure this field sits at the response level, next to documents, rather than inside each document.

2. Issuer Signed Data

The issuerSigned section contains the credential's data elements plus the issuing authority's (e.g., a DMV's) signature. The issuer does not sign each element directly; it signs a Mobile Security Object (MSO) that holds a salted digest of every element, which is what makes selective disclosure possible:

{
"nameSpaces": {
"org.iso.18013.5.1": [
// Array of CBOR-encoded data elements (IssuerSignedItemBytes)
]
},
"issuerAuth": [
// COSE_Sign1 whose payload is the MSO
]
}
Data Elements

Each entry in the namespace array is an IssuerSignedItem: a CBOR map, serialized and wrapped in tag 24 (IssuerSignedItemBytes), containing:

  • digestID: Index of this element's digest in the MSO's valueDigests map
  • random: Random salt (at least 16 bytes) so that low-entropy values such as a boolean or a date cannot be guessed from the digest alone
  • elementIdentifier: Field name (e.g., "first_name", "last_name")
  • elementValue: The actual data value

Fields used in this format:

Element Identifier          Description                 Data Type
first_name                  First name                  String
last_name                   Last name                   String
email_address               Email address               String
primary_residence_street    Street address              String
apt                         Apartment number            String
city                        City                        String
state                       State code                  String
zip                         Zip code                    String
bank_routing                Bank routing number         String
bank_account                Bank account number         String
age_over_18                 Boolean age verification    Boolean

Note that these identifiers are not the ones ISO/IEC 18013-5 itself defines for the org.iso.18013.5.1 namespace (family_name, given_name, birth_date, document_number, driving_privileges, age_over_NN and so on). The standard reserves that namespace for its own elements and expects issuer- or country-specific additions such as bank_routing and bank_account to live in a separate namespace; a reader should also treat such elements with the sensitivity their content deserves, since they are not part of a driving licence.

Issuer Authentication

The issuerAuth value is a COSE_Sign1 structure (RFC 9052): a four-element array whose payload is the Mobile Security Object (MSO).

  1. Protected header - bstr-wrapped CBOR map carrying the signature algorithm (label 1)
  2. Unprotected header - map with the issuer's certificate chain under label 33 (x5chain)
  3. Payload - the MSO, wrapped in tag 24, holding the digest of every data element (valueDigests, per namespace), the device public key (deviceKeyInfo), the docType and the validity period
  4. Signature - digital signature over the COSE Sig_structure, which covers the protected header and the MSO bytes

The data elements themselves are not signed directly: the reader hashes each disclosed IssuerSignedItemBytes and compares the result with the entry in valueDigests, then checks the signature over the MSO and validates the certificate chain against a trusted issuer root.
{
"issuerAuth": [
"A10134", // protected header: CBOR map {1: alg} (A10126, for example, would be ES256)
{ "33": "..." }, // unprotected header: x5chain certificate chain
"D8185902B5A6...", // payload: tag 24 (D818) wrapping the MSO, which contains the value digests
"2220BF3FA4139..." // signature bytes
]
}

3. Device Signed Data

The deviceSigned section carries the holder device's authentication of the presentation:

{
"nameSpaces": "A0", // tag 24 wrapped device-attested data elements (A0 = empty map, the common case)
"deviceAuth": {
"deviceSignature": [
"A10134", // protected header: CBOR map {1: alg}
{}, // unprotected header
null, // detached payload: the reader rebuilds DeviceAuthenticationBytes itself
"019FC1BBFA5088..." // device signature
]
}
}

The device signature is a COSE_Sign1 with a detached payload. What is signed is a DeviceAuthentication structure built from the session transcript (which includes the reader's ephemeral key), the docType and the device-signed nameSpaces, and the reader verifies it with the public key the issuer placed in the MSO's deviceKeyInfo. That ties the presentation to the device holding the private key: copied credential data cannot be presented from another device, and a captured presentation cannot be replayed to a different reader or session because the transcript differs. ISO/IEC 18013-5 also allows a deviceMac alternative, a COSE_Mac0 keyed from the session's key agreement.
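The following is an added example (not code from the original page or from any particular wallet or reader) that walks both the issuerAuth and the deviceSignature arrays above as COSE_Sign1 structures and builds the Sig_structure bytes a verifier actually checks a signature against. The two byte strings are hand-built placeholders: a 3-byte stand-in for the certificate chain, a one-key map standing in for the MSO, and 4-byte stand-ins for signatures. The decoder is a minimal definite-length CBOR reader written for this example rather than a library such as cbor2.

```python
"""Walk issuerAuth / deviceSignature as COSE_Sign1 arrays (added example)."""
import struct

# Constructed sample: issuerAuth = [protected, unprotected, payload, signature]
ISSUER_AUTH = bytes.fromhex(
    "84"                 # array(4)
    "43a10126"           # protected header bstr: {1: -7} = ES256
    "a1182143010203"     # unprotected header: {33: h'010203'} (x5chain placeholder)
    "47d81844a1617601"   # payload bstr: tag 24( bstr {"v": 1} ) standing in for the MSO
    "44deadbeef"         # signature placeholder
)
# Constructed sample: deviceSignature with a detached (null) payload
DEVICE_SIGNATURE = bytes.fromhex("84" "43a10126" "a0" "f6" "440a0b0c0d")

COSE_ALG = {-7: "ES256", -35: "ES384", -36: "ES512", -8: "EdDSA"}
X5CHAIN = 33  # COSE header label carrying the issuer certificate chain


class Tag:
    """CBOR tag, e.g. Tag(24, b"...") for an embedded encoded item."""
    def __init__(self, number, value):
        self.number, self.value = number, value

    def __eq__(self, other):
        return isinstance(other, Tag) and (self.number, self.value) == (other.number, other.value)


def _decode(buf, pos):
    """Decode one definite-length CBOR item at buf[pos]; return (value, next_pos)."""
    ib = buf[pos]
    major, info, pos = ib >> 5, ib & 0x1F, pos + 1
    if info < 24:
        arg = info
    elif info == 24:
        arg, pos = buf[pos], pos + 1
    elif info == 25:
        arg, pos = struct.unpack(">H", buf[pos:pos + 2])[0], pos + 2
    elif info == 26:
        arg, pos = struct.unpack(">I", buf[pos:pos + 4])[0], pos + 4
    else:
        raise ValueError("indefinite lengths, 64-bit lengths and floats are not supported")
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    if major == 2:
        return bytes(buf[pos:pos + arg]), pos + arg
    if major == 3:
        return buf[pos:pos + arg].decode("utf-8"), pos + arg
    if major == 4:
        items = []
        for _ in range(arg):
            v, pos = _decode(buf, pos)
            items.append(v)
        return items, pos
    if major == 5:
        m = {}
        for _ in range(arg):
            k, pos = _decode(buf, pos)
            v, pos = _decode(buf, pos)
            m[k] = v
        return m, pos
    if major == 6:
        v, pos = _decode(buf, pos)
        return Tag(arg, v), pos
    return {20: False, 21: True, 22: None}[arg], pos   # simple values false/true/null


def decode(buf):
    v, pos = _decode(buf, 0)
    if pos != len(buf):
        raise ValueError("trailing bytes after CBOR item")
    return v


def inspect_sign1(sign1):
    """Label the four COSE_Sign1 fields and pull out what a reader looks at first."""
    if not (isinstance(sign1, list) and len(sign1) == 4):
        raise ValueError("COSE_Sign1 must be a 4-element array")
    protected_bstr, unprotected, payload, signature = sign1
    protected = decode(protected_bstr)   # the protected header is CBOR inside a bstr
    return {
        "alg": COSE_ALG.get(protected.get(1), protected.get(1)),
        "x5chain": unprotected.get(X5CHAIN),
        "payload_detached": payload is None,
        "signature": signature,
    }


def issuer_mso(sign1):
    """issuerAuth payload: bstr -> tag 24 -> bstr -> MSO map."""
    tagged = decode(sign1[2])
    if not isinstance(tagged, Tag) or tagged.number != 24:
        raise ValueError("MSO payload must be a tag 24 wrapped item")
    return decode(tagged.value)


def _bstr(b):
    """CBOR byte-string framing for lengths below 65536 (enough for this example)."""
    n = len(b)
    if n < 24:
        head = bytes([0x40 | n])
    elif n < 0x100:
        head = b"\x58" + bytes([n])
    else:
        head = b"\x59" + struct.pack(">H", n)
    return head + b


def sig_structure(protected_bstr, payload, external_aad=b""):
    """Sig_structure = ["Signature1", protected, external_aad, payload]: the bytes a
    signature is verified against. For deviceSignature the payload is detached, so
    the reader passes its own reconstructed DeviceAuthenticationBytes here."""
    return b"\x84" + bytes([0x6A]) + b"Signature1" + _bstr(protected_bstr) + _bstr(external_aad) + _bstr(payload)


def demo():
    issuer_auth = decode(ISSUER_AUTH)
    issuer = inspect_sign1(issuer_auth)
    device = inspect_sign1(decode(DEVICE_SIGNATURE))
    to_be_signed = sig_structure(issuer_auth[0], issuer_auth[2])
    return issuer, device, issuer_mso(issuer_auth), to_be_signed


if __name__ == "__main__":
    for part in demo():
        print(part)
```

A real reader takes the bytes returned by sig_structure and verifies them with the algorithm from the protected header: for issuerAuth with the leaf certificate from x5chain (after chaining it to a trusted IACA root), for deviceSignature with the key from the MSO's deviceKeyInfo. Because the device payload is detached, a reader that cannot rebuild the exact DeviceAuthenticationBytes for its own session cannot verify it, which is precisely what stops replay to another reader.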

Security Features

Selective Disclosure

The wallet returns only the IssuerSignedItems a reader requested; the MSO still carries the digests of every element, so the issuer signature verifies over any subset. For example:

  • Age verification requests only need age_over_18
  • Address verification needs only city, state, zip
  • Banking transactions need only bank_routing and bank_account

The reader learns nothing about withheld elements beyond their salted digests.

Cryptographic Signatures

Two-layer signing:

  1. Issuer Signature: Proves the credential (the MSO and, through its digests, every data element) was issued by a legitimate authority whose certificate chains to a trusted root
  2. Device Signature: Proves the credential is being presented, in the current session, by the device whose public key the issuer bound into the MSO

Privacy Protection

  • The random salt in each element stops a reader from guessing low-entropy values (a boolean, a date) from the digests; it does not make repeated presentations of the same MSO unlinkable, because the digests are identical each time, so unlinkability across presentations requires the wallet to hold several differently salted MSOs and rotate them
  • Digest-based integrity allows verification without revealing all data
  • Selective disclosure minimizes data exposure
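The following is an added worked example (not code from the original page or from any wallet or reader implementation) of the item and digest mechanics described under Data Elements, Issuer Authentication and the two lists above: it builds IssuerSignedItemBytes, derives the valueDigests an issuer would sign in its MSO, verifies a selectively disclosed subset the way a reader does, and shows both a tampered item failing and the effect of the salt across two issuances. The three elements, their values and the fixed salts are constructed sample data; the small CBOR encoder is written for this example and stands in for a library such as cbor2; SHA-256 is used because it is the default MSO digestAlgorithm.

```python
"""IssuerSignedItem digests and selective disclosure (added example)."""
import hashlib
import struct

ELEMENTS = [  # constructed sample data, using identifiers from the table above
    ("first_name", "Alice"),
    ("last_name", "Example"),
    ("age_over_18", True),
]


class Tag:
    """CBOR tag wrapper: Tag(24, b"...") encodes as #6.24(...)."""
    def __init__(self, number, value):
        self.number, self.value = number, value


def _head(major, n):
    """Initial byte(s) for a CBOR item of the given major type and argument n."""
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 0x100:
        return bytes([(major << 5) | 24, n])
    if n < 0x10000:
        return bytes([(major << 5) | 25]) + struct.pack(">H", n)
    return bytes([(major << 5) | 26]) + struct.pack(">I", n)


def cbor(v):
    """Minimal definite-length CBOR encoder for the types an IssuerSignedItem needs."""
    if isinstance(v, bool):                      # bool before int: bool is an int subclass
        return b"\xf5" if v else b"\xf4"
    if v is None:
        return b"\xf6"
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        u = v.encode("utf-8")
        return _head(3, len(u)) + u
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(cbor(x) for x in v)
    if isinstance(v, dict):
        return _head(5, len(v)) + b"".join(cbor(k) + cbor(x) for k, x in v.items())
    if isinstance(v, Tag):
        return _head(6, v.number) + cbor(v.value)
    raise TypeError(f"unsupported type {type(v).__name__}")


def issuer_signed_item_bytes(digest_id, random, identifier, value):
    """IssuerSignedItemBytes = #6.24(bstr .cbor IssuerSignedItem)."""
    item = {"digestID": digest_id, "random": random,
            "elementIdentifier": identifier, "elementValue": value}
    return cbor(Tag(24, cbor(item)))


def value_digest(item_bytes):
    """The MSO digest is computed over the complete tagged byte string as transmitted."""
    return hashlib.sha256(item_bytes).digest()


def issue(elements, randoms):
    """Issuer side: every IssuerSignedItemBytes plus the valueDigests map
    (digestID -> digest) that goes into the signed MSO for this namespace."""
    items = [issuer_signed_item_bytes(i, randoms[i], k, v)
             for i, (k, v) in enumerate(elements)]
    return items, {i: value_digest(b) for i, b in enumerate(items)}


def verify_disclosed(disclosed, value_digests):
    """Reader side: accept only items whose digest the issuer signed.
    The reader never sees the withheld items, only their digests in the MSO."""
    signed = set(value_digests.values())
    return all(value_digest(b) in signed for b in disclosed)


def demo():
    # Fixed salts keep the example reproducible; a real issuer uses os.urandom(16) or better.
    randoms = [bytes([i]) * 16 for i in (1, 2, 3)]
    items, digests = issue(ELEMENTS, randoms)
    age_only = [items[2]]                               # selective disclosure: just age_over_18
    tampered = items[0].replace(b"Alice", b"Alicf")     # same length, so the CBOR framing stays valid
    reissued_digests = issue(ELEMENTS, [bytes([i]) * 16 for i in (7, 8, 9)])[1]
    return {
        "age_only_ok": verify_disclosed(age_only, digests),
        "tampered_ok": verify_disclosed([tampered], digests),
        "unlinkable": set(digests.values()).isdisjoint(reissued_digests.values()),
        "item_hex_prefix": items[2][:3].hex(),          # d818 = tag 24, then the bstr length byte
    }


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice. The digest is taken over the tag-24 byte string exactly as received, so a reader that decodes and re-encodes the item before hashing will reject valid credentials (or, worse, be talked into hashing something other than what was sent). And because the same salts give the same digests, the "unlinkable" result only holds between two separately issued MSOs, not between two presentations of one MSO.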

Example: Full mDL Structure

{
"version": "1.0",
"documents": [
{
"docType": "org.iso.18013.5.1.mDL",
"issuerSigned": {
"nameSpaces": {
"org.iso.18013.5.1": [
"24(h'XXXX...')",
"24(h'XXXX...')",
"24(h'XXXX...')",
"24(h'XXXX...')",
"24(h'XXXX...')",
"24(h'XXXX...')",
"24(h'XXXX...')",
"24(h'XXXX...')",
"24(h'XXXX...')",
"24(h'XXXX...')",
"24(h'XXXX...')"
]
},
"issuerAuth": [
"h'A10134'",
{
"33": "h'FFFFFFFFFFFFF...'"
},
"h'XXXXX...'",
"h'XXXXX...'"
]
},
"deviceSigned": {
"nameSpaces": "24(h'A0')",
"deviceAuth": {
"deviceSignature": [
"h'A10134'",
{},
null,
"h'XXXXXXXX...'"
]
}
},
"status": 0
}
]
}

Technical Notes

CBOR Encoding

Data elements use CBOR (Concise Binary Object Representation) for efficient encoding:

  • 24(h'...') indicates CBOR tag 24: a byte string that holds an encoded CBOR item. Digests and signatures are computed over exactly those bytes, so a reader must hash what it received and never a re-serialized copy
  • h'...' represents hexadecimal byte strings

COSE Signatures

COSE (CBOR Object Signing and Encryption, RFC 9052) provides the cryptographic foundation:

  • Compact binary format
  • Support for multiple signature algorithms (ISO/IEC 18013-5 allows ES256, ES384, ES512 and EdDSA for the issuer signature)
  • Standardized header parameters (alg under label 1, x5chain under label 33)
  • mDL uses COSE_Sign1 for issuerAuth and deviceSignature, and COSE_Mac0 for the deviceMac alternative
