Verifiable Credentials and ISO/IEC 18013-5-Based Credentials: What’s the Difference?
Digital credentials are evolving rapidly, which has brought a lot of uncertainty to industry stakeholders.
This is especially true for the two most influential standards:
- Verifiable Credentials defined by the World Wide Web Consortium (W3C).
- ISO/IEC 18013-5-based credentials, often called “mobile driving licenses” (mDL).
Let’s take a brief look at the key characteristics of both specifications.
The two standards at a glance
The ISO/IEC 18013 group of standards outlines the technical and operational requirements for physical and mobile driving licenses. The mdoc format, detailed in ISO/IEC 18013-5, defines the structure and specifications for mobile driving licenses and possibly other mobile credentials. It’s important to note that the standard uses two different terms: "mdoc" refers to all mobile credentials, while "mDL" is specific to mobile driving licenses. For simplicity, we'll use mDL throughout this blog post.
The Verifiable Credentials Data Model (VC) is an open standard that supports all types of credentials, from government-issued IDs to academic certifications to membership cards.
In the upcoming sections, we focus on how these standards compare.
1. Intended use cases
- The W3C Verifiable Credentials specification provides a mechanism for expressing any type of web credential in a cryptographically secure, privacy-preserving, and machine-verifiable way. Its use cases extend beyond electronic passports and financial credentials to include compliance credentials for IoT devices and many more.
- ISO/IEC 18013-5 is specifically designed to represent driving licenses and other official IDs in a mobile format. It supports 'secondary use cases' beyond driving, such as proving identity or age.
2. Standardizing organization
- The World Wide Web Consortium (W3C) is the main international standards organization for the web, known for foundational standards like HTTP, HTML, etc. W3C standards are openly accessible and always free.
- The International Organization for Standardization (ISO) is an independent, non-governmental international standards development organization composed of representatives from the national standards organizations of member countries. Standards are developed by groups of experts called “technical committees”, and payment is required to access them.
3. Background
The W3C VC and the ISO/IEC mDL had very different starting points. The former focused on remote and online scenarios, while the latter targeted in-person use cases. Although both standards have since expanded to address each other’s domains, their distinct origins have shaped their design.
- The first digital credentials emerged when issuers of physical credentials began offering electronic versions. This started over 20 years ago with bank cards and SIM cards, followed by healthcare cards, electronic passports, etc. Over time, credentials became increasingly digitized and stored on mobile devices, similar to how payment data is stored in Apple Pay or Google Wallet. The latest step in this progression is ISO/IEC 18013-5, which formalizes the mobile driving license (mDL). Developed by a working group within the International Organization for Standardization, ISO/IEC 18013-5 defines how a physical driving license (ISO/IEC 18013-1) can be securely stored and shared on mobile devices.
- The story of Verifiable Credentials is quite different. Before the W3C’s VC specification, the internet lacked a layer of open protocols with sufficient user control and a seamless digital identity experience. The VC Data Model was created to address this gap. Unlike mDLs, Verifiable Credentials are not a digitized evolution of physical documents. Instead, they provide a framework for any person or entity to issue digital claims about any subject while preserving the subject's privacy. Verifiable Credentials can support offline use, but this is an expansion of their original purpose.
4. Scope and specificity
- The scope of the VC Data Model is much narrower than that of ISO/IEC 18013-5. As the name suggests, it only defines the data structure and does not specify syntax, communication protocols, or security mechanisms. This flexibility allows it to adapt to various technologies and use cases. But it also means that different VC implementations may not work together unless they adhere to additional, use case-specific standards.
- In contrast, ISO/IEC 18013-5 defines communication protocols, data formats, and security measures. Its goal is to achieve interoperability by making concrete choices in all mentioned areas.
5. Ecosystem
Although the specifications use different terminology, both verifiable credentials and mobile driving licenses operate within a three-party model that consists of an issuer, holder, and verifier.
In the VC ecosystem, the issuer, holder, and verifier interact peer-to-peer, and a Verifiable Data Registry (VDR) serves to establish trust. The VDR may use blockchain or other technologies.
The mDL ecosystem includes the issuing authority, the mDL holder, and the mDL reader that performs verification.
In addition to being structurally similar, both ecosystems share the following characteristics.
The holder plays a central role in both. The issuer provides the credential, which is then stored by the holder on a device or in a repository they control. Only the holder decides which verifier to release the credentials to. The issuer cannot share the credential with a verifier without the holder's knowledge and consent. Additionally, the issuer (or any other party) cannot see when a holder shares a credential with the verifier. The same applies to an mDL when the holder and the mDL reader use device retrieval.
The Verifiable Data Registry (VDR) in the VC ecosystem can be compared to the Verified Issuer Certificate Authority List (VICAL) in the ISO/IEC 18013-5 ecosystem. Both help establish trust and ensure the integrity of the credentials. But unlike the VDR in the VC model, the VICAL in ISO/IEC 18013-5 is optional.
There are also several differences:
- Server retrieval: ISO/IEC 18013-5 allows credentials to be retrieved by the verifier directly from the issuer, though only with the holder’s consent. In this case, the issuer knows when and by whom the mDL is used. This is not an option in the VC model.
- Credential storage: In the VC model, holders can store credentials in any location, such as a file system, a storage vault, or commonly, a digital wallet. In contrast, ISO/IEC 18013-5 requires them to be stored on the original mobile device or a server managed by the issuing authority. This limits the holder's control but reduces the risk of a malicious party reusing the credentials.
6. Privacy
Under both the ISO/IEC 18013-5 and W3C Verifiable Credential specifications, the holder is in control of their credentials. Issuers cannot disclose the credentials to a verifier without the holder’s consent. The holder can check and manage the release of any data elements to the verifier. Both specifications support privacy-enhancing measures like data minimization and selective disclosure.
ISO/IEC 18013-5 improves privacy by allowing offline use without issuer involvement. The standard also recommends ephemeral session keys, OpenID Connect pairwise identifiers, and key rotation to prevent transactions from being linked or correlated.
In the case of Verifiable Credentials, the holder also controls credential release. Selective disclosure is possible, e.g. with zero-knowledge proofs. The VC model promotes data minimization and requires a consent mechanism, though it doesn’t specify implementation details. VCs can be used offline if the verifier can access the Verifiable Data Registry (VDR). The specification emphasizes the use of globally unique identifiers, such as Decentralized Identifiers (DIDs), for credential subjects. DIDs are designed to be persistent and verifiable, which enables secure interactions while respecting privacy.
In short, both models focus on privacy and minimizing data exposure but use different technical approaches to achieve these goals. At the same time, some aspects have raised serious concerns from privacy advocates.
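The selective disclosure that both specifications support, sketched as an added example (not code from either standard or from this post): the issuer signs only salted digests of the data elements, so the holder can release one element while the others stay hidden. It assumes JSON encoding and an HMAC as a stand-in for the issuer's signature, whereas ISO/IEC 18013-5 itself uses CBOR and public-key signatures; all function names and sample values are constructed.

```python
import hashlib, hmac, json, secrets

# Assumption: an HMAC key stands in for the issuer's signing key pair.
ISSUER_KEY = secrets.token_bytes(32)
# Constructed sample data elements.
CLAIMS = {"family_name": "Doe", "birth_date": "1990-01-01", "age_over_18": True}

def digest(item):
    """SHA-256 over a canonical encoding of one salted data element."""
    return hashlib.sha256(json.dumps(item, sort_keys=True).encode()).hexdigest()

def seal(digests):
    """Stand-in for the issuer signature over the digest list."""
    return hmac.new(ISSUER_KEY, json.dumps(digests).encode(), hashlib.sha256).hexdigest()

def issue(claims):
    """Issuer: salt each element and sign only the sorted list of digests."""
    items = {n: {"salt": secrets.token_hex(16), "name": n, "value": v}
             for n, v in claims.items()}
    digests = sorted(digest(i) for i in items.values())
    return items, {"digests": digests, "signature": seal(digests)}

def present(items, signed, requested):
    """Holder: release only the requested elements plus the signed digests."""
    return {"signed": signed, "disclosed": [items[n] for n in requested if n in items]}

def verify(presentation):
    """Verifier: check the issuer seal, then that each element is covered by it."""
    signed = presentation["signed"]
    if not hmac.compare_digest(seal(signed["digests"]), signed["signature"]):
        return None
    accepted = {}
    for item in presentation["disclosed"]:
        if digest(item) not in signed["digests"]:
            return None  # element altered or never issued
        accepted[item["name"]] = item["value"]
    return accepted

if __name__ == "__main__":
    items, signed = issue(CLAIMS)
    shown = present(items, signed, ["age_over_18"])
    print(verify(shown))                    # only the released element is learned
    shown["disclosed"][0]["value"] = False  # holder tries to alter the element
    print(verify(shown))                    # verification fails
```

The per-element salt is what keeps a verifier from guessing undisclosed values by hashing likely candidates and comparing them with the signed digests.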
7. Security measures
- ISO/IEC 18013-5 outlines mandatory security mechanisms for all transactions covered by the standard. These are designed to protect against a range of threats, including loss of authenticity and credential cloning.
- The VC Data Model ensures the authenticity of a verifiable credential through cryptographic proof, but it does not specify a particular proof mechanism. Implementers can choose options like digital signatures within a Public Key Infrastructure or zero-knowledge proofs. While the VC Data Model requires verifiable proof of authenticity, additional security protections may have to adhere to other, use case-specific standards.
For a comprehensive overview of privacy and security aspects, refer to the UL white paper.
8. Interoperability
- The ISO/IEC 18013-5 standard fully specifies the transactions between an mDL, an mDL reader, and an mDL issuing authority. This ensures interoperability across different jurisdictions, so mobile driver’s licenses issued in one country or state can be read and verified in others if they follow the same ISO standard.
- In contrast, the W3C VC Data Model is designed for use across a broad range of platforms, websites, and services, from government agencies to businesses and local services. Interoperability across all implementations is not guaranteed unless they adhere to additional standards or specifications.
Why it matters and what happens next
The Verifiable Credential Data Model and the ISO/IEC 18013-5 standard are redefining digital identity management worldwide.
The upcoming European Digital Identity (EUDI) wallet will support use cases across sectors like education, social security, financial transactions, and more. The wallet will leverage the VC Data Model, and its Architecture and Reference Framework explicitly mentions the W3C and ISO standards as part of its vision for a unified digital identity ecosystem.
In the United States, the ISO/IEC 18013-5 standard facilitates the adoption of mobile driving licenses, with many state Departments of Motor Vehicles (DMVs) developing their own apps for mDLs. Major tech companies, including Apple and Google, are integrating support for mDLs into their platforms.
These developments mark an important moment when years of standardization work are translating into real-world applications. The digital identity of tomorrow is no longer a distant idea—it’s already within reach.