Trust in ISO mDL: VICALs and IACAs
The ISO/IEC 18013-5 standard for mobile driver's licenses (mDLs) defines a comprehensive trust infrastructure that enables secure, cross-jurisdictional verification of digital credentials. At the heart of this infrastructure are Verified Issuer Certificate Authority Lists (VICALs) and Issuing Authority Certificate Authorities (IACAs).
The Challenge of Distributed Trust
In digital identity ecosystems where multiple authorities independently issue credentials, establishing trust becomes complex. Consider a scenario where:
- Each state or province operates its own driver's license issuing authority
- Each authority maintains its own certificate infrastructure
- Verifiers (law enforcement, businesses, service providers) need to validate credentials from any jurisdiction
Without a centralized trust mechanism, verifiers would need to establish and maintain individual trust relationships with every issuing authority—an approach that doesn't scale.
Issuing Authority Certificate Authority (IACA)
An IACA is the root X.509 certificate operated by an issuing authority for mobile documents. It forms the foundation of the trust chain for mDL credentials.
IACA Characteristics
| Property | Description |
|---|---|
| Validity Period | Up to 20 years |
| Certificate Type | Self-signed X.509 |
| Purpose | Signs Document Signer Certificates (DSCs) |
| Verification | Verified against its own public key |
Trust Chain Structure
┌─────────────────────────────────────────────────────────────────┐
│ IACA (Root Certificate) │
│ Validity: Up to 20 years │
└─────────────────────────────────────────────────────────────────┘
│
│ Signs
▼
┌─────────────────────────────────────────────────────────────────┐
│ Document Signer Certificate (DSC) │
│ Validity: Shorter than IACA │
└─────────────────────────────────────────────────────────────────┘
│
│ Signs
▼
┌─────────────────────────────────────────────────────────────────┐
│ Mobile Security Object (MSO) │
│ Embedded in mDoc credential │
└─────────────────────────────────────────────────────────────────┘
When verifying an mDL, the verifier must:
- Extract the Mobile Security Object (MSO) from the mDoc
- Verify the MSO signature against the Document Signer Certificate
- Verify the DSC signature against the IACA
- Confirm the IACA is trusted (via VICAL or direct trust)
Verified Issuer Certificate Authority List (VICAL)
A VICAL is a cryptographically signed, authoritative list of trusted IACAs that consolidates trust relationships into a single, manageable artifact.
How VICAL Works
┌─────────────────────────────────────────────────────────────────┐
│ VICAL Provider │
│ (Trust Anchor) │
└─────────────────────────────────────────────────────────────────┘
│
│ Cryptographically signs
▼
┌─────────────────────────────────────────────────────────────────┐
│ VICAL │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │
│ │ IACA Entry │ │ IACA Entry │ │ IACA Entry │ ... │
│ │ (State A) │ │ (State B) │ │ (State C) │ │
│ └─────────────┘ └─────────────┘ └─────────────┘ │
└─────────────────────────────────────────────────────────────────┘
│
│ Distributed to
▼
┌─────────────────────────────────────────────────────────────────┐
│ Relying Parties │
│ (Law enforcement, businesses, services) │
└─────────────────────────────────────────────────────────────────┘
VICAL Process Flow
| Step | Description |
|---|---|
| Collection | VICAL provider gathers public keys and metadata from recognized IACAs |
| Validation | Each IACA is validated and linked to specific credential types |
| Signing | The complete list is digitally signed by the VICAL provider |
| Distribution | Verifiers retrieve the signed VICAL via download or API |
| Verification | Verifiers check credentials against the VICAL |
VICAL Technical Structure
VICALs use a signed, machine-readable format as defined in ISO/IEC 18013-5:
VICAL Structure (COSE_Sign):
├── Protected Header
│   └── Algorithm identifier
├── Unprotected Header
│   └── X.509 certificate chain
├── Payload
│   ├── Version identifier
│   ├── Provider name
│   ├── Issuance timestamp
│   ├── Expiration timestamp
│   ├── List identifier
│   └── IACA Records[]
│       ├── Issuer information
│       ├── Credential type(s) (docType)
│       ├── IACA public key
│       ├── Validity periods
│       └── Digital signatures
└── Signature
Reader Authentication
ISO 18013-5 also defines mechanisms for authenticating verifiers (readers) to wallets, ensuring that sensitive credential data is only shared with legitimate parties.
Reader Authentication Certificate
When a verifier requests credential data, they can provide a reader authentication certificate that proves their identity to the wallet. This enables:
- Selective Disclosure – Wallets can make informed decisions about what data to share
- Audit Trails – Credential holders can see who requested their data
- Access Control – Issuers can restrict which verifiers can access certain data elements
ReaderAuth Structure
The ReaderAuth mechanism defined in ISO/IEC 18013-5 Section 9.1.4 includes:
- Reader certificate (attached via x5chain header per RFC 9360)
- Cryptographic signature proving possession of the private key
- Session transcript binding to prevent replay attacks
Regional Implementations
North America: AAMVA Digital Trust Service
The American Association of Motor Vehicle Administrators (AAMVA) operates the mDL Digital Trust Service (DTS) for North America:
| Component | Description |
|---|---|
| VICAL | Maintained list of all state-level IACAs |
| Access | Free download for relying parties |
| Updates | Regular refresh with versioning |
| Compliance | Adheres to ISO 18013-5 and AAMVA Implementation Guidelines |
Australia: Austroads
Austroads coordinates the VICAL for Australian digital credentials, enabling cross-state verification of mobile driver's licenses.
Alternative Approaches
Some regions have adopted different trust models:
- New Zealand – No centralized VICAL; exploring alternative frameworks
- South Korea – Blockchain-based trust management for mDLs
- European Union – EUDI Wallet ecosystem uses EU Trust Lists (ETSI-based)
Benefits of VICAL-Based Trust
For Verifiers
- Simplified Integration – Single trust relationship with VICAL provider
- Cross-Jurisdictional Support – Verify credentials from any participating issuer
- Automatic Updates – Trust changes propagate through VICAL refresh
For Issuing Authorities
- Standardized Onboarding – Clear process for VICAL inclusion
- Broad Acceptance – Credentials recognized by all VICAL-trusting verifiers
- Key Rotation Support – VICAL versioning handles certificate updates
For Credential Holders
- Wider Acceptance – mDL works across jurisdictions
- Privacy Protection – Reader authentication enables informed consent
- Interoperability – Standard format ensures compatibility
Comparison with Other Trust Models
| Aspect | VICAL (ISO 18013-5) | EU Trust Lists | OpenID Federation |
|---|---|---|---|
| Format | CBOR/COSE | XML (ETSI) | JSON/JWT |
| Scope | Regional (mDL) | EU-wide | Global |
| Update Model | Versioned refresh | Periodic publication | Dynamic metadata |
| Primary Use | Mobile documents | Digital identity | Federated identity |
Implementation Considerations
For Verifier Applications
- VICAL Caching – Cache the VICAL locally with appropriate refresh intervals
- Offline Support – Ensure verification works without network connectivity
- Version Management – Handle VICAL updates gracefully
- Certificate Validation – Implement full chain validation including revocation checks
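The following is an added example, not code from ISO/IEC 18013-5 or from any VICAL provider. It sketches the policy checks behind "Confirm the IACA is trusted" and behind the caching and version-management items above: refuse a rolled-back or stale list, then look up the DSC's issuer for the requested docType. It assumes the VICAL's COSE signature and the DSC's X.509 signature were already verified by a crypto library; the dictionary field names, `key_id`, and the sample lists are hypothetical and constructed for illustration.

```python
from datetime import datetime, timezone

class TrustError(Exception):
    """A VICAL or IACA record failed a trust-policy check."""

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

def accept_vical_update(cached, candidate, now):
    """Gate a signature-verified VICAL before it replaces the cached copy."""
    if candidate["provider"] != cached["provider"]:
        raise TrustError("provider differs from cached list")
    if candidate["issue_id"] <= cached["issue_id"]:
        raise TrustError("rollback: list is not newer than cached copy")
    if not candidate["issued"] <= now < candidate["expires"]:
        raise TrustError("list not valid at current time")
    return candidate

def find_trusted_iaca(vical, issuer_key_id, doc_type, now):
    """Return the IACA record allowed to anchor a DSC for doc_type, else raise."""
    if now >= vical["expires"]:
        raise TrustError("cached VICAL expired")  # fail closed (policy choice)
    reason = "issuer not in VICAL"
    for rec in vical["iacas"]:
        if rec["key_id"] != issuer_key_id:
            continue
        if doc_type not in rec["doc_types"]:
            reason = "IACA not listed for this docType"
        elif not rec["not_before"] <= now <= rec["not_after"]:
            reason = "IACA outside its validity period"
        else:
            return rec
    raise TrustError(reason)

MDL = "org.iso.18013.5.1.mDL"
# Constructed sample data; field names are illustrative, not the standard's encoding.
VICAL_V7 = {
    "provider": "Example Trust Service", "issue_id": 7,
    "issued": utc(2025, 1, 1), "expires": utc(2025, 4, 1),
    "iacas": [
        {"issuer": "State A", "key_id": "a1a1", "doc_types": [MDL],
         "not_before": utc(2022, 1, 1), "not_after": utc(2042, 1, 1)},
        {"issuer": "State B", "key_id": "b2b2", "doc_types": ["org.example.permit"],
         "not_before": utc(2022, 1, 1), "not_after": utc(2024, 1, 1)},
    ],
}
VICAL_V6 = dict(VICAL_V7, issue_id=6)  # older list, used to show rollback rejection

if __name__ == "__main__":
    print(find_trusted_iaca(VICAL_V7, "a1a1", MDL, utc(2025, 2, 1))["issuer"])
```

Failing closed on an expired cache bounds how long an offline verifier keeps trusting an IACA that has since been removed from the list; the acceptable window is a deployment decision.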
For Issuing Authorities
- IACA Management – Plan for certificate lifecycle (20-year validity)
- DSC Rotation – Implement regular Document Signer Certificate rotation
- VICAL Participation – Coordinate with regional VICAL providers
- Compliance – Adhere to ISO 18013-5 and regional implementation guidelines
Further Reading
- ISO/IEC 18013-5:2021 – Personal identification — ISO-compliant driving licence — Part 5: Mobile driving licence (mDL) application
- AAMVA mDL Digital Trust Service
- AAMVA VICAL Download
- ISO/IEC 18013-7 – Mobile driving licence (mDL) add-on functions
