Mobile Driving Licenses (mDL)
Mobile driving licenses are government-issued identity credentials carried on mobile devices: useful for narrower proof, dangerous when ordinary life becomes checkpointed.
Definition
A mobile driving license, or mDL, is a driving-license credential provisioned to a mobile device and presented electronically to a verifier. It is not merely a photograph of a plastic card. The useful version is signed by an issuing authority, checked by a reader or wallet flow, and presented through a defined ceremony that establishes who is asking and what the holder releases.
The core international reference is ISO/IEC 18013-5:2021, Personal identification - ISO-compliant driving licence - Part 5: Mobile driving licence (mDL) application. ISO describes that part as defining interfaces between the mDL, reader, and issuing-authority infrastructure. ISO/IEC TS 18013-7:2025 extends the family for presenting an mDL to a reader over the internet. In wallet discussions, the broader credential object is often called an ISO mobile document, or mdoc.
Snapshot
- Credential type: a government-linked digital identity credential derived from a license or ID-card program.
- Main standard: ISO/IEC 18013-5:2021 for the mobile driving license application and reader interfaces.
- Internet presentation: ISO/IEC TS 18013-7:2025 adds mDL presentation to a reader over the internet.
- Web bridge: W3C's Digital Credentials draft includes org-iso-mdoc as a presentation protocol identifier for browser-mediated credential requests.
- Trust problem: the hard question is not only whether a signature validates, but whether the verifier is entitled to ask.
How It Works
A typical mDL ecosystem has an issuing authority, holder, mobile wallet or mDL app, verifier, and reader. The issuer provisions the credential. The verifier requests attributes. The holder approves or refuses. The verifier checks origin, integrity, holder binding, and issuer trust under the applicable standard, profile, and local policy.
AAMVA, the American Association of Motor Vehicle Administrators, describes mDLs as using the same data elements as physical licenses while sending data electronically to a relying party's reader. Its Digital Trust Service helps relying parties obtain issuing-authority public keys. That trust-list layer matters because a verifier cannot treat every QR code, app screen, or wallet response as authoritative.
mDLs also sit beside other credential systems. OpenID for Verifiable Presentations 1.0 can request presentations in several formats, including ISO mdoc, W3C Verifiable Credentials, and SD-JWT VC. The W3C Digital Credentials API is a browser mediation layer, not an mDL format; issuer trust, wallet policy, and verifier authorization remain outside the browser alone.
Agent Context
For AI agents, mDLs are an identity boundary. A travel assistant, benefits navigator, insurance workflow, rental-car agent, or age-gated commerce flow may encounter a request for a license attribute. The agent should not treat that prompt as an ordinary click. It may expose legal name, birth date, address, portrait, document number, driving privilege, or a derived yes-or-no claim.
The safer role for an agent is clerical and adversarial: summarize who is asking, identify requested attributes, compare the request with policy, propose minimal disclosure, and preserve refusal. Silent presentation should be limited to narrow, pre-approved cases with a relying party, purpose, attribute set, retention rule, and audit trail.
Governance and Safety
The promise of mDLs is data minimization. A verifier that only needs to know "over 21" should not need a full birth date, address, license number, and portrait. Standards and wallets can support selective release, but they do not automatically force restraint. A valid request can still be excessive.
The risk is proof hunger. Once identity presentation becomes smooth, landlords, platforms, employers, schools, venues, and websites may ask for government-linked credentials where a weaker signal, or no identity proof, would be enough. That shifts civic life toward routine checkpointing.
There is also a surveillance risk. Verifier logs, issuer status checks, wallet telemetry, stable document identifiers, and repeated attribute disclosure can make credential use linkable. Offline, local, or encrypted presentation can reduce exposure, but policy still has to control retention, secondary use, compelled disclosure, and alternatives for people without compatible devices.
Verification Pattern
- Name the layer: distinguish ISO mdoc format, mDL reader, wallet, browser API, presentation protocol, issuer trust list, and relying-party policy.
- Minimize the claim: request a predicate or narrow attribute instead of the whole credential whenever possible.
- Authenticate the verifier: require more than a syntactically valid request; verify who is asking and why.
- Record the ceremony: log verifier, purpose, attributes requested, attributes released, agent involvement, retention period, and refusal path without storing the full credential by default.
- Keep fallback alive: preserve physical, human-reviewed, and appealable alternatives.
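The agent role described under Agent Context and the checks listed above can be combined into one request gate. The sketch below is an added example, not code from any wallet or standard: the relying parties, purposes, policy table, and decision labels are constructed, and the attribute names are assumed to follow the ISO/IEC 18013-5 data element identifiers.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed policy (hypothetical relying parties): attributes that may be
# released for a given verifier and purpose, and the longest retention accepted.
POLICY = {
    ("bar.example", "age_check"): {"allowed": {"age_over_21"}, "max_retention_days": 0},
    ("rental.example", "vehicle_rental"): {
        "allowed": {"family_name", "given_name", "driving_privileges", "portrait"},
        "max_retention_days": 30,
    },
}

@dataclass
class Request:
    verifier: str                 # identity established by reader authentication
    verifier_authenticated: bool  # False if the request is only syntactically valid
    purpose: str
    attributes: list              # requested data element names
    retention_days: int           # retention the verifier declares

def evaluate(req, agent_involved=True):
    """Return (decision, attributes to propose to the holder, audit record)."""
    rule = POLICY.get((req.verifier, req.purpose))
    requested = set(req.attributes)
    release, reason = set(), None
    if not req.verifier_authenticated:
        reason = "verifier not authenticated"
    elif rule is None:
        reason = "no policy for this verifier and purpose"
    elif req.retention_days > rule["max_retention_days"]:
        reason = "declared retention exceeds policy"
    else:
        release = requested & rule["allowed"]
        if not release:
            reason = "no requested attribute is permitted"
    if reason:
        decision = "refuse"
    else:
        decision = "within_policy" if release == requested else "propose_minimal"
    # The record holds attribute names only, never attribute values.
    record = {
        "time": datetime.now(timezone.utc).isoformat(),
        "verifier": req.verifier, "purpose": req.purpose,
        "requested": sorted(requested), "released": sorted(release),
        "withheld": sorted(requested - release), "decision": decision,
        "reason": reason, "retention_days": req.retention_days,
        "agent_involved": agent_involved,
    }
    return decision, release, record
```

A result of propose_minimal is a proposal for the holder to approve or refuse, not a silent presentation.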
Source Discipline
Claims about mDLs should name the layer and source: ISO/IEC 18013-5 for application interfaces, ISO/IEC TS 18013-7 for internet presentation, AAMVA for North American implementation guidance and trust services, OpenID4VP for wallet-mediated presentation, and W3C Digital Credentials for browser mediation. Do not collapse those into one universal wallet system.
Spiralist Reading
Spiralism reads the mDL as a hinge between proof and permission. The humane version lets a person prove less with clearer ceremony. The dangerous version makes state identity a casual toll booth for ordinary life. Machine-mediated society needs proof minimization, not proof appetite.
Open Questions
- Which services should be forbidden from requesting mDL attributes?
- How should wallets show verifier authority, purpose, and retention in plain language?
- What should an AI agent be allowed to summarize, block, or approve?
- How should people appeal a wrong, expired, revoked, or over-requested credential decision?
- Which logs prove accountability without becoming a tracking system?
Related Pages
- Digital Credentials API
- Digital Identity
- EU Digital Identity Wallet
- OpenID for Verifiable Presentations
- SD-JWT VC
- Verifiable Credentials
- Decentralized Identifiers
- NIST Digital Identity Guidelines
- AI Agent Identity
- Data Minimization
- Contextual Integrity
- Age Assurance
Sources
- ISO, ISO/IEC 18013-5:2021 - Personal identification - ISO-compliant driving licence - Part 5: Mobile driving licence (mDL) application.
- ISO, ISO/IEC TS 18013-7:2025 - Personal identification - ISO-compliant driving licence - Part 7: Mobile driving licence (mDL) add-on functions.
- AAMVA, Mobile Driver License.
- AAMVA, Mobile Driver License Digital Trust Service.
- W3C, Digital Credentials, W3C Working Draft, June 16, 2026.
- OpenID Foundation, OpenID for Verifiable Presentations 1.0, Final specification.