The following is from the iso spec 18013-5
Part 5: Mobile driving licence (mDL) application
1 Scope The purpose of this document is to standardize interface specifications for the implementation of a driving licence in association with a mobile device (mDL). This document standardizes the interface between the mDL and mDL Reader, and the interface between the mDL Reader and the issuing authority infrastructure.
The standard also allow parties other than the issuing authority (e.g. other issuing authorities, or mDL Verifiers in other countries) to: a) use a machine to obtain the mDL data, b) tie the mDL to the mDL Holder, c) authenticate the origin of the mDL data, and d) verify the integrity of the mDL data.
The following items are out of scope for this document:
a) how user consent to share data is obtained
b) requirements on storage of mDL data and mdL private keys
So the two things ISO 18015 doesn't do are what i think Kantara should do:
a) how user consent to share data is obtained (and how consent receipts are provided)
b) requirements on storage of mDL data and mdL private keys
besides what we have set out to do for US Healthcare ONC:
1> create assurance criteria for mobile apps
2> provide an api to report on the state of assurance compliance of apps and/or developers.
3> (I think we included this, not sure) evaluate the test labs that provide the contents for item 2
So what about MDL - in particular what criteria must the mobile app have to protect user private data?
IMHO - The MDL app must be certified in the same way that an app should be certified that would be used to protect our private health information. I like what was in the slide deck sent out earlier. At least for the US and Canada we, the people, need some assurance that the app that holds our DL will honor our right to consent to release data from the mdl to only those sites that we trust to receive the data. App certification is the way to that and Kantara is the group to set the criteria for that.
The only thing I disliked about the slide deck was that it focused solely on drivers. In VA, for example, the DMV is required to provide identifier services for all of VA public health and welfare concerns as well. So this is not just a driver's license, this is a state/province ID for state services. Of course as the state/province may legislate.
This is the way that we can really assure that user privacy is honored.