ISO/IEC 18013-3:2017/Amd 2:2023

INTERNATIONAL ISO/IEC
STANDARD 18013-3
Second edition
2017-04
AMENDMENT 2
2023-04
Information technology — Personal
identification — ISO-compliant driving
licence —
Part 3:
Access control, authentication and
integrity validation
AMENDMENT 2: Updates for passive
authentication
Reference number
ISO/IEC 18013-3:2017/Amd. 2:2023(E)
© ISO/IEC 2023
ISO/IEC 18013-3:2017/Amd. 2:2023(E)
© ISO/IEC 2023
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
© ISO/IEC 2023 – All rights reserved

ISO/IEC 18013-3:2017/Amd. 2:2023(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work.
The procedures used to develop this document and those intended for its further maintenance
are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria
needed for the different types of document should be noted. This document was drafted in
accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or
www.iec.ch/members_experts/refdocs).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC
list of patent declarations received (see https://patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see
www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, SC 17,
Cards and security devices for personal identification.
A list of all parts in the ISO/IEC 18013 series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.
iii
© ISO/IEC 2023 – All rights reserved

ISO/IEC 18013-3:2017/Amd. 2:2023(E)
Information technology — Personal identification — ISO-
compliant driving licence —
Part 3:
Access control, authentication and integrity validation
AMENDMENT 2: Updates for passive authentication

Page 2, Clause 2 Normative references
Replace
"FIPS 186-2 (including Change Notice), Digital Signature Standard (DSS), Federal Information
Processing Standards Publication, National Institute of Standards and Technology, 27 January 2000"
with
"FIPS 186-4 (including Change Notice), Digital Signature Standard (DSS), Federal Information
Processing Standards Publication, National Institute of Standards and Technology, July 2013"

Page 4, subclause 3.11
Replace
Note 1 to entry See 8.1.
with
Note 1 to entry See 8.1 and Annex G (informative).

Page 12, subclause 8.1
Replace
8.1  Passive authentication
with
8.1  Passive authentication (ver 02)

Page 12, subclause 8.1.1
Add the following paragraph at the end of the subclause:
This version 02 of passive authentication supersedes the deprecated version 01 included in Annex G
(informative) for the information of manufacturers of readers that must be able to read IDL cards
issued in accordance with this version that have not yet expired.

© ISO/IEC 2023 – All rights reserved

ISO/IEC 18013-3:2017/Amd. 2:2023(E)
Page 13, subclause 8.1.3
In the third to last paragraph, second sentence, replace
“…it may be possible to further narrow down the cause of the non-verification.”
with
“…it can be possible to further narrow down the cause of the non-verification.”

Page 13, subclause 8.1.4.1
In the first paragraph, delete “SHA-1, SHA-224,”.
In the second paragraph, delete "SHA-1 remains for compatibility with ICAO Doc 9303-1."

Page 16, subclause 8.1.5.1
In NOTE 2 replace
“Data Groups 15 and 16 may be defined in future.”
with
“Data Groups 15 and 16 can be defined in future.”

Page 16, subclause 8.1.5.2
In the first NOTE replace "DG11" with "DG.SOD.1 and DG.SOD.H".
In the second paragraph, replace "FIPS 186-2, Appendix 6” with "Table 3".
In the third paragraph, delete “and one Type 1 data group”.
In the lettered list, replace b) with:
“b)  DG.SOD.H:  SHA-256 hash of IA public key certificate that contains the public key for the
verification of the DG.SOD.1 signature; the hash value shall be calculated over the entire DER-
encoded certificate (including the signature);”
In the lettered list, delete c).
Under "DG.SOD shall be added after DG12, as follows:", replace with:
“[header] × [Data Group 1] × [Data Group 2] × [Data Group 3] × [Data Group 4] × [Data Group 7] ×
[Data Group 11] × [Data Group 12] × [DG.SOD.1 length] [digital signature] × [DG.SOD.H length]
[hash value]”
Under the content of DG.SOD, replace “The inclusion of DG.SOD.2 and DG.SOD.3 (as a pair) is optional.”
with "DG.SOD.1 and DG.SOD.H shall be included."
In the second NOTE replace “specifically the ISO issuer ID number and document discriminator in
DG3 and the licence number and date of issue in DG1” with “specifically the ISO issuer ID number from
ISO/IEC 7812-1, and document discriminator in DG3 and the licence number and date of issue in DG1”.
Replace Table 3 with:
© ISO/IEC 2023 – All rights reserved

ISO/IEC 18013-3:2017/Amd. 2:2023(E)
Curve name in FIPS 186-4 Curve name in RFC 5639
P-224 brainpoolP224r1
P-256 brainpoolP224t1
P-384 brainpoolP256r1
P-521 brainpoolP256t1
brainpoolP320r1
brainpoolP320t1
brainpoolP384r1
brainpoolP384t1
brainpoolP512r1
brainpoolP512t1
Replace the EXAMPLE with:
EXAMPLE Suppose that a compact encoded data string contains the following data groups: DG1, DG2,
DG7, DG.SOD.1 and DG.SOD.H. A digital signature and public key certificate hash is included.
The sequence of data groups and data group delimiters will be as follows:
[header] × [DG1] × [DG2] × × × [DG7] × × × [DG.SOD.1] × [DG.SOD.H] ¶

Page 46, A.5.1, second list b) second paragraph
Replace
"For compact encoding, the appropriate public document key is identified by comparing the issue date
of the IDL with the “valid for signing from” and “valid for signing until” dates of the available public
document keys of the IA."
with
"For compact encoding, the appropriate public document key can be identified using the hash value of
the signer certificate."
Bibliography
Add new entry
[13] ISO/IEC 7812-1, Identification cards — Identification of issuers — Part 1: Numbering system

After Annex F
Add new Annex G.
© ISO/IEC 2023 – All rights reserved

ISO/IEC 18013-3:2017/Amd. 2:2023(E)
Annex G
(informative)
Passive authentication (version 01)
G.1 General
This annex defines the deprecated passive authentication (ver 01) for the information of manufacturers
of readers that must be able to read IDL cards issued in accordance with this version that have not yet
expired.
G.2 Purpose
The purpose of passive authentication is to confirm that machine-readable data has not been changed
since the IDL was issued.
G.3 Applicability
Passive authentication is applicable to all machine-readable technologies.
G.4 Description
Passive authentication is implemented by way of a digital signature over specified machine-readable
data on the IDL, using a public-private (asymmetric) key pair.
In the case of standard encoding, a separate message digest is calculated for each data group and
included in the machine-readable data. The collection of message digests is then digitally signed (using
a private key that is kept secret by the IA) and the digital signature is added to the machine-readable
data.
In the case of compact encoding, no message digests are calculated separately. The contents of the
data groups present is directly signed (using a private key that is kept secret by the IA) and the digital
signature is added to the machine-readable data.
NOTE A message digest has the following properties:
a) It is very small in size compared to the IDL data.
b) The probability of finding any two (different) IDL data sets that lead to the same message digest is negligible.
This has the following implications:
1) The probability of finding an IDL data set A that produces the same message digest as a given IDL data
set B is ne
...