Where can the W3C VCs meet the ISO 18013–5 mDL?
An open letter to the two standards communities as well as all interested parties
(If you are interested in hearing about and participating in the next phase of the project, please fill out this form.)
To all of you concerned with the matter,
Thanks to the sponsorship of Spruce and the support of many who are working on and/or following the W3C Verifiable Credentials (VCs) and ISO 18013–5 mDL, we have had the pleasure of conducting a community engagement project (Phase 1) in the past two months to find out where the two standards can meet. By “meet,” we mean finding common ground and alignment so that the two standards can be compatible to the fullest extent for the market to understand their respective unique values, for implementers to build on them with ease, and for users to manage credentials based on them with a good experience.
We started the project with some knowledge, but it was more from the W3C VCs side than the ISO 18013–5 mDL. With such awareness, we felt it important to put aside our own judgments of the situation at the time so that we could really engage with those experienced in both, particularly the ISO 18013–5 mDL, and keep our minds as open as possible to learn about mDL. We did so by starting the project with a community input session, reviewing relevant existing efforts, conducting one-on-one interviews, and most recently hosting a community feedback session at the Internet Identity Workshop.
Through these efforts, we now have enough confidence to put forward some thoughts and recommendations for your consideration.
The market is seeking clear, complete and easy-to-implement standards.
We started off the project comparing the two specific standards, W3C VCs Data Model and ISO 18013–5 mDL, but we quickly realized they were not equivalent. Their individual scopes of concern are very different and cannot be compared on their own. We need to define their equivalence so we can work out how they can be or need to be aligned.
We think the most beneficial approach in defining the equivalence is taking a market-driven perspective, particularly that of potential implementers. Admittedly, divergent preferences exist among implementers. For example, governments highly value technical maturity and stability, while the private sectors are more willing to try new things and embrace the flexibility offered by a wider range of technical options. However, what all implementers want are clear, complete and easy-to-implement standards. This means if we expect the market to adopt a standards-based approach to digital credentials, we had better provide standards that can guide the development of end-to-end solutions with the ability to be implemented with reasonable technical efforts by the majority of developers. Neither W3C VCs Data Model nor ISO 18013–5 mDL alone provides that entirety or clarity, making it necessary to set the definition of equivalence by including the suite of complementary standards. As a result, we should look at alignment between two different sets of standards, respectively centered around the W3C VCs Data Model and the ISO 18013–5 mDL.
There won’t be a one-size-fits-all standard set to digital credentialing.
It is hard to predict what the market for digital credentials will look like in its mature state, but we can almost be certain that no one standard set can magically solve all problems or is suitable for all use cases. A one-size-fits-all approach rarely works in general, even as many still aspire to this ideal for simplicity or ambition for market dominance. The divergent preferences among implementers in the current market have already spoken to the need for different standard sets.
So, if we can comfortably agree that, by alignment, we are not seeking a one-size-fits-all standard set or eliminating one or the other, the matter comes down to how the two sets of standards can co-exist and interact/interoperate with each other while each is providing unique market value and distinct capabilities to solutions. Even more important is how we can start to provide clarity to the market and demonstrate meaningful efforts toward alignment.
The two sets of standards defined around the W3C VCs Data Model and the ISO 18013–5 mDL are designed for different purposes, with the former aiming to give broad expressive capacity to digital credentials for a variety of use cases and the latter addressing the particular use case of mobile driving licenses. We clearly learned through our project that there was recognition of the merits and drawbacks of each set of standards and market traction for both. The challenge is that implementers are having difficulties coherently implementing them because of the following main reasons:
- The incompatibility between the two sets of standards today makes it difficult to develop solutions that can reap the benefits of both.
- There is a lot of ambiguity on the W3C VCs side regarding what constitutes a clear, complete and easy-to-implement set of standards, as the W3C VCs Data Model presents various technical options and has evolving complementary standards.
- There are structural barriers, particularly on the ISO side, for the two standards communities to work collaboratively throughout the standardization process.
We need to understand, recognize and respect the different standardization models.
The tension between the two sets of standards was not news to us as we have been deeply involved in the W3C VCs community. However, it was concerning for us to learn that the tension led to a general market impression that these two sets of standards were pitted against each other. If one standard selection is presented as an exclusive choice, this perspective will severely impact the momentum of both and limit the flexibility of solutions to incorporate capabilities based on the other standard set in the future.
Gladly, we also heard positive conversations — there seemed to be much common ground to establish. But in the meantime, we don’t see enough “political will” within the standards groups to build “diplomatic relations” with one another and explore that common ground. We think a key contributing factor to such lack of “political will” is the differences in how the two communities develop standards and how they are influenced by national and commercial interests. The differences are so fundamental that it seems neither possible, relevant nor worthwhile to consider any type of formal interactions.
The nature of the World Wide Web Consortium (W3C) made Verifiable Credentials an open Internet standard from day one, attracting many who support open standardization and believe that digital credentials should be open standards. The W3C VCs complementary standards are also in development at the W3C or other open standards organizations, such as the Decentralized Identity Foundation, the Internet Engineering Task Force, and the Trust over IP Foundation. The ISO 18013–5 mDL and its complementary standards, e.g. ISO 18013–7 and ISO 23220–3, are extensions of the standardization work of driver’s licenses that started in the early 2000s at ISO, which followed the usual ISO processes. These processes took shape well before the internet existed and, to many from the open standards world, are not as open or easy to engage in.
So, what are we supposed to do now that the two sets of standards are encountering each other in the market? We are talking about two development models that have been long-established to serve their own purposes and audiences relatively well. We believe a fair and reasonable ask here is for the two communities to understand, recognize and respect the differences in each other’s development processes and interests of stakeholders. This means acknowledging that neither community is likely to change its model for the purpose of this alignment, and that we may not have an engaging, collaborative process between the two as many would hope for. It is a necessary mentality shift that will lay a solid foundation for finding realistic and effective approaches to alignment. This will also have far-reaching implications on alignment of other digital credentialing standards, e.g. digital travel credentials (DTC), which are facing similar market challenges.
Key standard working groups at the W3C and ISO still have a critical role to play.
Our initial goal was to provide recommendations to the two standards groups, the W3C VCs Working Group and the ISO/IEC JTC 1/SC 17 WG 10, where the next generation of the W3C VCs Data Model and the ISO 18013–5 mDL are respectively being developed. However, the learnings and findings of the project suggest that there are limitations to what these working groups can do and how much of today’s challenges can be resolved through standardization alone.
That said, we do believe that the W3C VCs Working Group and the ISO/IEC JTC 1/SC 17 Working Groups (WG 4 & 10) have a critical role to play. Throughout the project, we kept hearing about the important role of the few (3–4) community leaders who work at the forefront of both sides. They have been critical in facilitating mutual understanding, initiating alignment efforts, and communicating (to the best of their allowed capacity) the progress of standard development to those unable to participate in or closely follow it themselves. We need more community leaders who understand both sides and can engage in and influence the development of both standards. The best way of doing that is to establish an official liaison between the two standards groups, the W3C VCs Working Group and the ISO/IEC JTC 1/SC 17 Working Groups, allowing more participation in the standard development from one to the other. The ISO Working Groups may also consider expanding liaison relationships to other key standard groups on the W3C VCs side as well as those working on existing protocols that can be leveraged by both sets of standards. These official relationships can also positively signal to the market the intentions for alignment.
Another clear opportunity to leverage is the timing. Currently, the W3C VCs Data Model v2.0 work has just kicked off and the W3C VCs Working Group is open to suggestions and input that can help make the v2.0 more easily implementable and better meet real market needs. In the meantime, the ISO/IEC JTC 1/SC 17 WG 10 is working on the next generation of mDL standard and the ISO 18013–7 to address remote presentation of mDL, and the ISO/IEC JTC 1/SC 17 WG 4 is drafting the ISO 23220–3 to define the protocols and services for the mDL in the issuing phase. Timing couldn’t be better for the two sides to work out some of the key technical differences and have a more aligned path forward by having an official liaison and leveraging community leaders who are in both groups.
Rapid market-driven collaboration outside of formal standardization is needed.
Comparing the two sets of standards, there are gaps in each and existing differences between them in data model, credential format, signature scheme, issuing protocol, presentation exchange and trust model. While the standards communities are working in their own ways to address these, there has been a lack of assessment from a market-driven, implementers’ perspective, where these two sets of standards are evaluated against common scope, capabilities, operational practicalities, governance concerns, and solution features. We have touched upon some of those aspects in our project outputs, but not yet in a systematic manner.
With a more thorough understanding of the standardization progress and market situation today, we see the value of a market-driven (rather than standard/technology-driven) collaboration among implementers to rapidly address certain aspects of the alignment issue. Such collaboration will not only complement and inform formal standardization but also provide the much-needed market clarity today that standards groups may not be able to provide, given their limitations and the relatively longer time horizon for standard evolution. A good outcome and indication of a successful collaboration would include:
- A comprehensive implementation-focused analysis of the two sets of standards that can lead to clear market positioning for each;
- A common architecture or design basis for the two;
- A set of defined use cases that leverage the capabilities of both;
- Open-source reference implementations that address the use cases.
Some had the impression that we were forming a “new working group” when we started the project. It was not clear to us then that a new group was needed, but now may be the time as we are not aware of any existing group working on this market-driven aspect of the matter, or anywhere such strategic, market-driven collaborations of standards implementations are well cultivated.
(If you are interested in participating in such a collaboration, please fill out this form.)
It is time that we work together to conquer the real market threat.
Lastly and most importantly, we want to highlight a long-time observation — while those of us deeply involved in standard development see each other as competitors, the market is being captured by implementers creating their proprietary solutions that cannot evolve to align with standards and will fail to achieve anything long-term. The lack of settled standards and the lack of clarity of how different standards align increase the risk that proprietary solutions are adopted as they are seen to be an easier decision, worsening everyone’s future prospects except the proprietary providers’.
The only way to get more people on track implementing real standards is for the people committed to standard-based implementations to find ways of alignment and showcase a clear path to coherently implementing standards.
With that, we thank all of you for your attention. We hope that we have shared findings and thoughts that shed light on today’s situation and can help the two sets of standards and communities move forward in more alignment. And we look forward to working further together with you in providing clear, complete and easy-to-implement standards to the market.
Lucy Yang & Kaliya Young
- We want to give a shoutout to our friends at Sezoo, John Phillips and Jo Spencer, who provided extensive feedback on the draft of the letter and helped us shape the final narratives.
- For anyone who supports our letter and recommendations, we would love to know who you are and welcome any comments you have here.