ISO/IEC 23220-1:2023

FINAL
INTERNATIONAL ISO/IEC
DRAFT
STANDARD FDIS
23220-1
ISO/IEC JTC 1/SC 17
Cards and security devices for
Secretariat: BSI
personal identification — Building
Voting begins on:
2022-11-02 blocks for identity management via
mobile devices —
Voting terminates on:
2022-12-28
Part 1:
Generic system architectures of
mobile eID systems
RECIPIENTS OF THIS DRAFT ARE INVITED TO
SUBMIT, WITH THEIR COMMENTS, NOTIFICATION
OF ANY RELEVANT PATENT RIGHTS OF WHICH
THEY ARE AWARE AND TO PROVIDE SUPPOR TING
DOCUMENTATION.
IN ADDITION TO THEIR EVALUATION AS
Reference number
BEING ACCEPTABLE FOR INDUSTRIAL, TECHNO-
ISO/IEC FDIS 23220-1:2022(E)
LOGICAL, COMMERCIAL AND USER PURPOSES,
DRAFT INTERNATIONAL STANDARDS MAY ON
OCCASION HAVE TO BE CONSIDERED IN THE
LIGHT OF THEIR POTENTIAL TO BECOME STAN-
DARDS TO WHICH REFERENCE MAY BE MADE IN
NATIONAL REGULATIONS. © ISO/IEC 2022

---------------------- Page: 1 ----------------------
ISO/IEC FDIS 23220-1:2022(E)
FINAL
INTERNATIONAL ISO/IEC
DRAFT
STANDARD FDIS
23220-1
ISO/IEC JTC 1/SC 17
Cards and security devices for
Secretariat: BSI
personal identification — Building
Voting begins on:
blocks for identity management via
mobile devices —
Voting terminates on:
Part 1:
Generic system architectures of
mobile eID systems
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
RECIPIENTS OF THIS DRAFT ARE INVITED TO
ISO copyright office
SUBMIT, WITH THEIR COMMENTS, NOTIFICATION
OF ANY RELEVANT PATENT RIGHTS OF WHICH
CP 401 • Ch. de Blandonnet 8
THEY ARE AWARE AND TO PROVIDE SUPPOR TING
CH-1214 Vernier, Geneva
DOCUMENTATION.
Phone: +41 22 749 01 11
IN ADDITION TO THEIR EVALUATION AS
Reference number
Email: copyright@iso.org
BEING ACCEPTABLE FOR INDUSTRIAL, TECHNO­
ISO/IEC FDIS 23220­1:2022(E)
Website: www.iso.org
LOGICAL, COMMERCIAL AND USER PURPOSES,
DRAFT INTERNATIONAL STANDARDS MAY ON
Published in Switzerland
OCCASION HAVE TO BE CONSIDERED IN THE
LIGHT OF THEIR POTENTIAL TO BECOME STAN­
DARDS TO WHICH REFERENCE MAY BE MADE IN
ii
  © ISO/IEC 2022 – All rights reserved
NATIONAL REGULATIONS. © ISO/IEC 2022

---------------------- Page: 2 ----------------------
ISO/IEC FDIS 23220-1:2022(E)
Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviated terms . 6
5 Design and privacy principles of mobile document systems . 7
5.1 Design principles . 7
5.2 Privacy and security principles . 8
5.2.1 General . 8
5.2.2 Data minimization . 8
5.2.3 Consent and choice: . 8
5.2.4 Accuracy and quality . 8
5.2.5 Information security . . 9
6 General life-cycle phases and components of mobile document systems .9
6.1 Life-cycle phases of mobile document systems . 9
6.2 Components of a mobile document system . 10
6.2.1 Operational modes of components . . 10
6.2.2 Components of mobile document systems . 11
7 Generic system architectures of mobile document systems in installation phase .13
8 Generic system architectures of mobile document systems in issuing phase .15
8.1 Source of user attributes .15
8.2 Generic sub­phases of issuing phase. 15
8.3 System architectures in sub-phases user identification and mID-discovery . 16
8.4 Architectures in sub­phase issuance . 18
8.5 Monitoring service in issuing phase . 20
9 On-site identification system architecture in operational phase .21
9.1 General sub-phases of on-site identification system architecture . 21
9.2 On-site identification system architecture with local attribute storage . 21
9.3 On-site identification system architecture with remote attribute storage .22
10 Remote identification system architecture in operational phase .23
10.1 General .23
10.2 Remote identification system architecture with local attribute storage .23
10.3 Remote identification system architecture with remote attribute storage .25
Annex A (informative) Examples of deployment options for issuers in issuing phase .28
Annex B (informative) Examples of deployment options in installation phase .35
Annex C (informative) Examples of holder enrolment .39
Annex D (informative) Examples of additional physical factor(s) of authentication .43
Bibliography .47
iii
© ISO/IEC 2022 – All rights reserved

---------------------- Page: 3 ----------------------
ISO/IEC FDIS 23220-1:2022(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non­governmental, in liaison with ISO and IEC, also take part in the
work.
The procedures used to develop this document and those intended for its further maintenance
are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria
needed for the different types of document should be noted. This document was drafted in
accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or
www.iec.ch/members_experts/refdocs).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC
list of patent declarations received (see https://patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see
www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding­standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 17, Cards and security devices for personal identification.
A list of all parts in the ISO/IEC 23220 series can be found on the ISO and IEC websites.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national­committees.
iv
  © ISO/IEC 2022 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC FDIS 23220-1:2022(E)
Introduction
Electronic ID-Applications (eID-Apps) are commonly used in badges and ID-Cards with integrated
circuits and allow users to complete electronic identification, authentication or optionally to create
digital signatures. Many different application areas have an essential need for these mechanisms
and use different means to provide these features (e.g. health system with health assurance cards or
health professional cards, financial sector with payment cards, government ID with national ID cards,
electronic passports or driver's licenses, educational systems with student cards or library cards, in
the company sector with employee cards and in the personal sector with member cards).
Mobile devices (e.g. mobile phones or smart phones, wearable devices) are a central part of the daily life
for many individuals. They are not only used for communication, but also for emailing, access to social
media, gaming, shopping, banking, and storing private content such as photos, videos and music. They
are used today as a personal device for business and private applications. With the ubiquity of mobile
devices in day-to-day activities there is a strong demand from users to have eID-Apps or services with
identification/authentication mechanisms on their mobile equipment, i.e. an mdoc app.
An mdoc app can be deployed to provide a number of different digital ID-documents. Additionally, it can
reside among other eID­Apps on a mobile device. Moreover, users can possess more than one mobile
device holding an mdoc app, which leads to enhanced mechanisms for the management of credentials
and attributes.
The technical preconditions for the deployment of mdoc apps exist and they are partly standardized
to support security and privacy on a mobile device. Examples for containers of eID-App solutions are
the software-based Trusted Execution Environment (TEE), hardware-based secure elements such as
universal integrated circuit card (UICC), embedded or integrated UICC (eUICC or iUICC), embedded
secure elements, secure memory cards with cryptographic module [17] or other dedicated internal
security devices residing on the mobile device, as well as solutions with server-based security means.
As mdoc apps can be located on different forms of mobile devices featuring different security means,
they must be as generic as possible to be adoptable to different variants of trusted eID-Management.
This diversity leads also to different levels of security, trust and assurance. Trusted eID-Management
thereby implies the (remote) administration and use of one or several security elements (e.g. in form of
an intelligent network), credentials and user attributes with different levels of security suitable to their
capability and power.
Access to the mdoc app by the external world must be performed by the available transmission channels.
Typical local communication channels are Bluetooth Low Energy (BLE), Near Field Communication
(NFC), Wi-Fi aware, whereas remote communication is typically an internet connection over mobile
networks and Wi-Fi networks. The way of identification and choice of the transmission interface and
protocols is an essential part for a trusted eID­Management.
Those mdoc apps are used in different areas of daily life and are the focus of different standardization
activities. This document aims at delivering mechanisms and protocols usable by other standards to
provide interoperability and interchangeability. With these basics in mind, future mdoc apps can be
derived and may extend the ISO/IEC 23220 series.
The ISO/IEC 23220 series builds upon existing standards comprising four main features:
a) secure channel establishment;
b) API call serialization method;
c) data element naming convention;
d) payload transport over communication channel protocols, which are constitutive of the
interoperability pillars.
v
© ISO/IEC 2022 – All rights reserved

---------------------- Page: 5 ----------------------
ISO/IEC FDIS 23220-1:2022(E)
In addition, it adds means to establish Trust on First Use (TOFU).
NOTE The ISO/IEC 23220 series inherits and enhances the functionality that was adopted by mobile driving
licence applications whereby ensuring backward compatibility with ISO/IEC 18013-5.
Other parts in the ISO/IEC 23220 series specify the following:
1)
— generic data formats (see ISO/IEC TS 23220­2);
2)
— protocols and services for issuing phase (see ISO/IEC TS 23220­3);
3)
— protocols and services for operational phase (see ISO/IEC TS 23220­4) ;
4)
— trust models and confidence levels (see ISO/IEC TS 23220-5) ;
5)
— mechanism for use of certification on trustworthiness of secure area (see ISO/IEC TS 23220-6).
1) Under preparation. Stage at time of publication: ISO/IEC AWI TS 23220­2.
2) Under preparation. Stage at time of publication: ISO/IEC AWI TS 23220­3.
3) Under preparation. Stage at time of publication: ISO/IEC AWI TS 23220­4.
4) Under preparation. Stage at time of publication: ISO/IEC AWI TS 23220­5.
5) Under preparation. Stage at time of publication: ISO/IEC AWI TS 23220­6.
vi
  © ISO/IEC 2022 – All rights reserved

---------------------- Page: 6 ----------------------
FINAL DRAFT INTERNATIONAL STANDARD ISO/IEC FDIS 23220-1:2022(E)
Cards and security devices for personal identification —
Building blocks for identity management via mobile
devices —
Part 1:
Generic system architectures of mobile eID systems
1 Scope
This document specifies generic system architectures and generic life-cycle phases of mobile eID
systems in terms of building blocks for mobile eID system infrastructures. It standardizes interfaces
and services for mdoc apps and mobile verification applications.
It is applicable to entities involved in specifying, architecting, designing, testing, maintaining,
administering and operating a mobile eID system in parts or entirely.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
attribute
user attribute
characteristic or property of an entity (3.6)
EXAMPLE An entity type, address information, telephone number, a privilege, a MAC address, a domain
name are possible attributes
[SOURCE: ISO/IEC 24760-1:2019, 3.1.3]
3.2
attribute statement
attribute describing a statement or assertion about user attributes (3.1) comprising predicates over
attributes
[SOURCE: ISO/IEC 19286:2018, 3.6, modified — Added "attribute describing a" at the beginning of the
definition and removed EXAMPLE.]
3.3
authentication
provision of assurance in the identity (3.10) of an entity (3.6)
[SOURCE: ISO/IEC 29115:2013, 3.2]
1
© ISO/IEC 2022 – All rights reserved

---------------------- Page: 7 ----------------------
ISO/IEC FDIS 23220-1:2022(E)
3.4
authentication protocol
defined sequence of messages between an entity (3.6) and a verifier (3.40) that enables the verifier to
perform authentication (3.3) of an entity
[SOURCE: ISO/IEC 29115:2013, 3.4]
3.5
credential
set of data presented as evidence of a claimed or asserted identity (3.10) and/or entitlements
Note 1 to entry: According to ISO/IEC 29115 an assertion is considered a stronger statement than a claim.
EXAMPLE A user attribute signed by the issuer as proof of authenticity is a credential that can be verified by
the verifier by validating the electronic signature.
[SOURCE: ISO/IEC 29115:20133.8, modified — Replaced Note 1 to entry with new Note 1 to entry.
EXAMPLE was added.]
3.6
entity
item relevant for the purpose of operation of a domain that has recognizably distinct existence
Note 1 to entry: An entity can have a physical or a logical embodiment.
EXAMPLE A person, an organization, a device, a group of such items, a human subscriber to a telecom
service, a SIM card, a passport, a network interface card, a software application, a service or a website.
[SOURCE: ISO/IEC 24760-1:2019, 3.1.1]
3.7
holder
entity (3.6), i.e. natural person, who holds the mdoc app (3.19) and uses it to perform user identification
(3.8) towards a verification application (3.39)
3.8
identification
user identification
process of distinguishing an entity (3.6) within a given context by the unique association of a set of
descriptive parameters
EXAMPLE User attributes are descriptive parameters of the entity 'holder'.
[SOURCE: ISO/IEC 19286:2018, 3.15, modified — Added "of the entity 'holder'" to the EXAMPLE.]
3.9
identifier
data which identifies an entity (3.6) in a given context towards another entity
[SOURCE: ISO/IEC 19286:2018, 3.16]
3.10
identity
set of attributes (3.1) related to an entity (3.6)
Note 1 to entry: An entity can have more than one identity.
Note 2 to entry: Several entities can have the same identity.
Note 3 to entry: ITU-T X1252 specifies the distinguishing use of an identity. In this document, the term identifier
implies this aspect.
[SOURCE: ISO/IEC 24760-1:2019, 3.1.2]
2
  © ISO/IEC 2022 – All rights reserved

---------------------- Page: 8 ----------------------
ISO/IEC FDIS 23220-1:2022(E)
3.11
identity or attribute provider service
service that receives attributes (3.1) authorized by the issuer (3.14) and makes these attributes available
to verification applications (3.39) in the operational phase (3.26)
Note 1 to entry: An identity or attribute provider can be deployed as central service or as decentral service by
using a distributed ledger technology managed by the holder.
Note 2 to entry: An attribute provider services provides any kind of attributes (3.1).
Note 3 to entry: An identity provider services makes attributes available that convey identity information.
3.12
ID-provisioning entity
entity that operates all or parts of services of installation phase, (3.13), issuing phase (3.15) and
operational phase (3.26) on behalf of the issuer (3.14)
3.13
installation phase
phase of mobile document system (3.23) that includes the loading of the mdoc app (3.19) and related
software onto the mobile device (3.17)
EXAMPLE Loading an app onto a smartphone or loading an SA­Application (e.g. a Java Card applet) into the
[19]
secure area, e.g. an embedded secure element, is part of the installation phase.
3.14
issuer
entity (3.6) that makes available user attributes (3.1) and credentials (3.5) in the issuing phase (3.15) and
authorizes the instantiation of the mdoc app (3.19)
Note 1 to entry: An issuing authority acts as an issuer.
3.15
issuing phase
phase of mobile document system (3.23) that includes the initial issuing of either user attributes (3.1) or
credentials (3.5) or both into the mdoc app (3.19) and can include the re­issuing of credentials
Note 1 to entry: In literature, issuing of user attributes and credentials is also referred to as provisioning of user
attributes and credentials.
3.16
issuing service
service operated in issuing phase (3.15) that provides all data of a mobile document (3.22) stored either
locally in the mdoc app (3.19) or remotely at an identity or attribute provider service (3.11)
3.17
mobile device
portable computing device that at least: a) has a small form factor such that it can easily be carried
by a single individual; b) is designed to operate, transmit and receive information without a wired
connection; c) possesses local, non­removable or removable data storage; d) includes a self­contained
power source and e) includes means for the holder (3.7) of the portable computing device and the device
to interact with each other
Note 1 to entry: Mobile devices may also include voice communication capabilities, on-board sensors that allow
the devices to capture information, and/or extended computer functionality and connectivity.
Note 2 to entry: Adapted from ISO/IEC 18013-5.
EXAMPLE Smartphones, tablets, and e­readers are mobile devices.
3
© ISO/IEC 2022 – All rights reserved

---------------------- Page: 9 ----------------------
ISO/IEC FDIS 23220-1:2022(E)
3.18
discovery service
service operated in issuing phase (3.15) that verifies mdoc app (3.19) characteristics by means of mdoc
app capability descriptor
3.19
mdoc app
application on a mobile device (3.17) that manages user attributes (3.1) and credentials (3.5) for
electronic identification purposes and controls access to the user attributes and credentials whether
the user attributes and credentials are stored on the mobile device, on a server or on an external device
Note 1 to entry: In ISO/IEC 18013-5, mdoc represents mdoc app or mobile eID.
3.20
MCD attestation service
service signing the mdoc capability descriptor
[6]
Note 1 to entry: The mdoc app (3.19) capability descriptor is specified in ISO/IEC TS 23220-3 .
3.21
mdoc app provider service
webservice operated by the mdoc app (3.19) provider in issuing phase (3.15) that controls the issuing of
mobile documents (3.22) into the mdoc app
3.22
mobile document
set of attributes (3.1) and credentials (3.5) issued by one or more issuers into an mdoc app (3.19) and
managed by an mdoc app
Note 1 to entry: A mobile document is considered a digital document. An mdoc app managing more than one
mobile document is also considered an eID­Wallet.
Note 2 to entry: In ISO/IEC 18013-5, mdoc represents mdoc app or mobile eID.
EXAMPLE Mobile documents include eID documents and licenses or certificates that give the holder
permissions.
3.23
mobile document system
mobile eID-System
set of components interacting to manage mobile documents (3.22)
EXAMPLE Components of a mobile document system are mdoc app (3.19), mobile verification application,
issuing service or validation service.
3.24
monitoring service
service operated in issuing phase (3.15) that controls all or parts of a user identification service (3.37),
discovery service (3.18), issuing service (3.16) or MCD attestation service (3.20)
3.25
on-site identification
use case of mobile document system (3.23) that requires a local device-to-device communication for
user identification (3.8) between a mobile device (3.17) providing the mdoc app (3.19) and verifier device
(3.41)
Note 1 to entry: Device-to-device authentication includes the mobile device with mdoc app and the verifier device
with verification application.
4
  © ISO/IEC 2022 – All rights reserved

---------------------- Page: 10 ----------------------
ISO/IEC FDIS 23220-1:2022(E)
3.26
operational phase
phase of mobile document system (3.23) that includes the usage of the mdoc app (3.19) for the purpose of
user identification (3.8) and authentication (3.3)
3.27
remote identification
use case of mobile document system (3.23) that requires a remote device-to-service communication over
the internet for user identification (3.8) between a mobile device (3.17) and verification application (3.39)
Note 1 to entry: Device-to-service authentication includes the mobile device with mdoc app (3.19) and the
verification application without verifier device.
3.28
remote user storage service
service that manages data storage and that controls access to it
Note 1 to entry: Authorization by the holder is required.
3.29
removal phase
phase of mobile document system (3.23) that includes the removal of the mdoc app (3.19) and related
software as well as user attributes (3.1) and credentials (3.5) from the mobile device (3.17)
3.30
SA-Application
application of the secure area (3.33) that manages credentials (3.5) and that may manage user attributes
(3.1) for user identification (3.8) purposes and can control access to the user attributes
3.31
SA-Application provider service
service that installs SA-Applications (3.30) into secure areas by means of an SA-Client
3.32
secure memory card
non-volatile memory card format, i.e. a Secure Digital (SD) Card, for use in portable devices with
physical sizes “original”, “mini” or “micro” together with a cryptographic module
[SOURCE: NIST SP 800-157 [17]]
3.33
secure area
isolated internal or attached area of a mobile device (3.17) that ensures secure processing and storing of
data even when the primary operating system (OS) is compromised
Note 1 to entry: The primary OS is also referred to as rich OS or high-level OS.
[19] [19]
EXAMPLE A secure element or a Trusted Execution Environment (TEE) serve as an internal secure
area. A universal integrated circuit card (UICC) is considered as an attached secure area of a mobile device.
3.34
server retrieval token
token identifying the holder (3.7) and the mobile document (3.22) to the identity or attribute provider
service (3.11)
3.35
Trusted Execution Environment
TEE
secure area (3.33) of the main processor of a mobile device
5
© ISO/IEC 2022 – All rights reserved

---------------------- Page: 11 ----------------------
ISO/IEC FDIS 23220-1:2022(E)
3.36
TSM-Service
SA­Application provisioning service that allows for loading and installing of SA-Applications (3.30)
according to GlobalPlatform
EXAMPLE JavaCard Applets and Trustlets are SA­Applications.
3.37
user identification service
service operated in issuing phase (3.15) that identifies the holder (3.7) by electronic or non-electronic
means with or without a mobile document (3.22)
3.38
validation service
service or mechanism in operational phase (3.26) that allows for determination of validity of mobile
documents (3.22)
Note 1 to entry: Determination of validity can include revocation status of mobile documents.
EXAMPLE Certificate revocation lists or public key directories can be part of validation services.
3.39
verification application
mdoc reader
application on a verifier device (3.41) or on a remote server validating user attributes (3.1) and credentials
(3.5) retrieved from an mdoc app (3.19) or an identity or attribute provider service (3.11)
Note 1 to entry: mdoc app and a verification application are typically part of a mobile document system.
Note 2 to entry: In ISO/IEC 18013-5 an mdoc reader is defined as a device that can retrieve mdoc data for
verification purposes.
3.40
verifier
entity (3.6) that controls the v
...