What is the mDL standard
Mobile Driving License (mDL – ISO/IEC 18013-5) is an ecosystem and certificate model that enables drivers' licenses to be issued, presented and verified using mobile devices. The mDL model relies on an X.509-based PKI with well-defined certificate types and Extended Key Usages (EKUs) to provide issuer attestation (provenance of the mDL), document and JWS-based data signing, reader authentication, and the operational credentials needed for secure presentation and verification.
mDL deployments typically require:
- Issuer attestation: an IACA (Issuing Authority Certificate Authority) root that anchors the issuer's trust chain
- Document signer certificates (for signing mDL payloads)
- Reader and TLS client authentication certificates for interoperable verification
- Robust key management, secure issuance and revocation channels
"A global trust framework that lets identity travel securely with the citizen"

Why mDL PKI matters – purpose & benefits
- Provenance & anti-fraud: certificate chains rooted in the IACA let a verifier prove that the presented mDL data was signed by a trusted issuing authority.
- Privacy & selective disclosure: mDL solutions can release only the requested data elements (via JWS/credential formats) rather than exposing the full identity document.
- Interoperability: standard EKUs and certificate profiles give verifiers (apps, readers, authorities) consistent semantics across vendors and regions.
- Auditability & legal confidence: proper PKI lifecycles, HSM-bound keys and signed issuance logs produce defensible evidence for regulators.
- Scalability: automated issuance and template-driven workflows support mass issuance across jurisdictions and device models.
How Khatim PKI Server supports mDL PKI
Khatim PKI Server includes template support, key management controls, and policy flows tailored to mDL requirements. Key capabilities:
Templates & certificate types
Khatim provides built-in templates for mDL workflows, including:
- IACA Root CA – root attestation authority template for issuers.
- IACA Link – link certificates used in rekey workflows; when this template is chosen, Khatim sets the EKU required for IACA Link certificates.
EKUs (preconfigured drop-down in templates)
Khatim includes the following mDL EKU OIDs so templates are consistent with the spec:
- 1.0.18013.5.1.2 – mdlDS – Mobile Driving License Document Signer certificate
- 1.0.18013.5.1.3 – mdlJWS – Mobile Driving License JWS certificate
- 1.0.18013.5.1.6 – IACA link certificates – Mobile Driving License Link certificate
- 1.0.18013.5.1.4 – mDL Reader authentication – Mobile Driving License Reader authentication and TLS client authentication certificate
These EKUs are available in the Certificate Template editor so each issued certificate conforms to its expected purpose.
Algorithm & key controls
Khatim enforces safe crypto choices for mDL profiles:
- IACA Root CA rule: only ECDSA algorithms are enabled for IACA Root templates; Brainpool and NIST curves are supported (e.g., brainpoolP256r1, P-256, P-384). This aligns with mDL and attestation recommendations favouring EC curves for compact keys and broad compatibility.
- Key Vault / HSM mapping: root and intermediate attestation keys are generated inside (or securely imported into) HSM-backed Key Vaults and are never exported from the hardware.
Rekeying & creating IACA Link certificates (flow)
When an IACA Root CA is rekeyed, the mDL spec expects a link certificate so that verifiers still anchored on the previous root key can validate certificates issued under the new one. Khatim supports this via a controlled rekey workflow:
Rules & behavior
- A PKI Admin initiates the Rekey operation on the IACA Root CA.
- If the rekey target is an IACA Root CA, the admin must choose the IACA Link template for the resulting link certificate (Khatim enforces this template selection).
- The link certificate is not self-signed: it is signed with the previous (pre-rekey) IACA key and carries the new root public key. Khatim sets the link certificate's issuer fields to the Issuer DN of the CA being rekeyed.
- When the IACA Link type is used, Khatim automatically sets the EKU to the IACA Link EKU and applies the template rules (ECDSA constraints, DN defaults matching the rekeyed IACA Root, etc.). The Subject DN defaults to the rekeyed IACA Root's subject but remains editable if special cases demand it.
This flow preserves continuity of attestation and aligns rekey operations with the trust expectations of mDL verifiers.
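The rekey flow above, together with the EKU list and the ECDSA-only root rule, as an added example written for this page in Go using only the standard library (it is not Khatim's code and not text from the original page): it generates an old IACA root, rekeys to a new root with the same subject DN, issues the link certificate with the old key over the new public key, issues a document signer (DS) certificate under the new root carrying the mdlDS EKU 1.0.18013.5.1.2, and then verifies the DS certificate from the viewpoint of three readers. The subject DNs, serial numbers, validity periods and helper names (template, sign, NewIACA, LinkCertificate, NewDS, HasEKU, VerifyDS) are constructed for the example; HSM custody, Brainpool curves and the IACA Link EKU itself are not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OIDMdlDS is the mdlDS extended key usage from the EKU list above.
var OIDMdlDS = asn1.ObjectIdentifier{1, 0, 18013, 5, 1, 2}

// IACA is a root key pair plus its self-signed certificate.
type IACA struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a minimal profile; the "XX"/CN values are constructed test data, not a real issuer.
func template(cn string, serial int64, years int, ku x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{Country: []string{"XX"}, CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(years, 0, 0),
		IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, KeyUsage: ku,
	}
}

func sign(t, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, signer))))
}

// NewIACA generates a self-signed IACA root. P-256 is used because the IACA template
// admits only ECDSA keys on NIST or Brainpool curves (Brainpool is not in Go's stdlib).
func NewIACA(serial int64) *IACA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := template("Example IACA", serial, 10, x509.KeyUsageCertSign|x509.KeyUsageCRLSign)
	return &IACA{Key: key, Cert: sign(t, t, &key.PublicKey, key)}
}

// LinkCertificate carries the NEW root's subject and public key but is issued
// (issuer DN and signature) by the OLD root key, and must not outlive the old root.
func LinkCertificate(old, next *IACA, serial int64) *x509.Certificate {
	t := template("", serial, 0, x509.KeyUsageCertSign|x509.KeyUsageCRLSign)
	t.Subject, t.NotAfter = next.Cert.Subject, old.Cert.NotAfter
	t.AuthorityKeyId = old.Cert.SubjectKeyId // subject == issuer DN here, so Go would not set AKI on its own
	return sign(t, old.Cert, &next.Key.PublicKey, old.Key)
}

// NewDS issues a document signer certificate under root, carrying the mdlDS EKU the DS template sets.
func NewDS(root *IACA, serial int64) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := template("Example DS", serial, 1, x509.KeyUsageDigitalSignature)
	t.UnknownExtKeyUsage = []asn1.ObjectIdentifier{OIDMdlDS}
	return sign(t, root.Cert, &key.PublicKey, root.Key)
}

// HasEKU reports whether c carries the given (non-standard) EKU OID.
func HasEKU(c *x509.Certificate, oid asn1.ObjectIdentifier) bool {
	for _, u := range c.UnknownExtKeyUsage {
		if u.Equal(oid) {
			return true
		}
	}
	return false
}

// VerifyDS chains ds to the single trust anchor a reader holds; link may be nil.
// ExtKeyUsageAny is used because Go does not know the mdlDS EKU; apply HasEKU separately.
func VerifyDS(ds, anchor, link *x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(anchor)
	if link != nil {
		inter.AddCert(link)
	}
	_, err := ds.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func main() {
	old, next := NewIACA(1), NewIACA(2) // rekey: same subject DN, fresh key pair
	link, ds := LinkCertificate(old, next, 3), NewDS(next, 4)
	fmt.Println("DS carries mdlDS EKU:", HasEKU(ds, OIDMdlDS))
	fmt.Println("old-root reader, no link:  ", VerifyDS(ds, old.Cert, nil))  // fails: unknown authority
	fmt.Println("old-root reader, with link:", VerifyDS(ds, old.Cert, link)) // nil: DS -> link -> old root
	fmt.Println("new-root reader:           ", VerifyDS(ds, next.Cert, nil)) // nil: DS -> new root
}
```

The reader that still pins only the old root and has not received the link certificate fails with an unknown-authority error; that is the outage a missed link certificate causes in the field, and it is why the rekey workflow forces the IACA Link template rather than leaving it to the operator.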
Operational & compliance notes
- HSM protection: generate root and subordinate signing keys inside HSMs or cloud KMS to meet strong custody requirements.
- Audit trails: use Certificate Provider transaction logs as evidence of issuance, rekey, and link certificate creation.
- Template governance: lock the templates used for IACA Root and Link operations to prevent accidental misconfiguration.
- Interoperability testing: validate issued certificates, signed mDL data and link-certificate chain building against target verifiers/readers before production roll-out.
Summary
Khatim PKI Server provides the building blocks needed to implement an mDL PKI: templates for IACA Root and Link certificates, EKU support for mDL roles, enforced template rules (ECDSA + curve choices), controlled rekey flows that produce signed IACA Link certificates, and HSM-protected key management. Together these features let issuers deploy attestation and operational credential lifecycles that support secure, privacy-respecting mobile driving licenses.
"From root to reader - build the complete mDL trust chain with confidence"
Words from Clients
Leading companies rely on us for their PKI and digital signature needs
We were struggling with our PKI implementation when Codegic came to the rescue. They not only sorted our technical issues but also designed the whole PKI for the infrastructure.
Hemal Patel, CEO, Ray Pte. Ltd.
