ISO/IEC TS 23220-2:2024
Cards and security devices for personal identification — Building blocks for identity management via mobile devices — Part 2: Data objects and encoding rules for generic eID systems
This document specifies data objects and encoding rules of generic eID-Systems in terms of building blocks for mobile document system infrastructures, and standardizes generic data models for data exchanges between mdoc apps and verification applications. This document is applicable to entities involved in specifying, architecting, designing, testing, maintaining, administering, and operating a mobile eID-System in parts or as a whole.
Standards Content (Sample)
Technical Specification
ISO/IEC TS 23220-2
First edition, 2024-11
Cards and security devices for personal identification — Building blocks for identity management via mobile devices — Part 2: Data objects and encoding rules for generic eID systems
© ISO/IEC 2024
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2024 – All rights reserved
Contents (page numbers in brackets)
Foreword [iv]
Introduction [v]
1 Scope [1]
2 Normative references [1]
3 Terms and definitions [2]
4 Symbols and abbreviated terms [3]
5 General [3]
6 Data model [5]
6.1 General [5]
6.2 Data format and encoding rules [6]
6.2.1 Identifier [6]
6.2.2 Field format [6]
6.2.3 Encoding [6]
6.2.4 Namespace [7]
6.3 Standard meta-attributes [7]
6.3.1 Meta-attributes for person entity — personal attributes [7]
6.3.2 Attribute statement [11]
6.3.3 Meta-attribute for issuer entity [13]
6.3.4 Data elements for document entity [13]
6.3.5 Data elements for document authenticity [14]
6.4 Data element for level of confidence [14]
7 Cipher suites [14]
7.1 General [14]
7.2 Elliptic curves [14]
7.3 TLS [15]
7.4 Digest algorithms [15]
7.5 Signature algorithms [15]
7.6 HMAC algorithm [16]
8 Generic data models [16]
8.1 General [16]
8.2 mdoc data model [16]
8.2.1 General [16]
8.2.2 CBOR encoding [16]
8.2.3 JSON conversion [17]
8.3 JSON data model [19]
8.3.1 General [19]
8.3.2 Issuer-signed [19]
8.3.3 Holder-signed [20]
Annex A (informative) Examples [22]
Bibliography [24]
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).

ISO and IEC draw attention to the possibility that the implementation of this document may involve the use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of any claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC had not received notice of (a) patent(s) which may be required to implement this document. However, implementers are cautioned that this may not represent the latest information, which may be obtained from the patent database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.

This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 17, Cards and security devices for personal identification.

A list of all parts in the ISO/IEC 23220 series can be found on the ISO and IEC websites.

Any feedback or questions on this document should be directed to the user's national standards body. A complete listing of these bodies can be found at www.iso.org/members.html and www.iec.ch/national-committees.
Introduction
Electronic ID-Applications (eID-Apps) are today commonly used in badges and ID cards with integrated circuits and allow users to complete electronic identification, authentication, or optionally, to create digital signatures. Many different application areas have an essential need for these mechanisms and use different means to provide these features (e.g. health system with health assurance cards or health professional cards, financial sector with payment cards, governmental ID with national ID cards, electronic passports or driver's licenses, educational systems with student cards or library cards, in the company sector with employee cards and in the private sector with any kind of member cards).

Mobile devices (e.g. mobile phones or smart phones, wearable devices) are a central part of the daily life for many individuals. They are not only used for communication, but also for emailing, access to social media, gaming, shopping, banking, and storing of private content such as photos, videos and music. They are used today as a personal device for business and private applications. With the ubiquity of mobile devices in day-to-day activities there is a strong demand from users to have eID-Apps or services with identification/authentication mechanisms on their mobile equipment, i.e. an mdoc app.

An mdoc app can be deployed to provide a number of different digital ID-documents. Additionally, it can reside among other eID-Apps on a mobile device. Moreover, users can possess more than one mobile device holding an mdoc app, which leads to enhanced mechanisms for the management of credentials and attributes.

The technical preconditions for the deployment of mdoc apps exist and they are partly standardized to support security and privacy on a mobile device. Examples for containers of eID-App solutions are the software-based Trusted Execution Environment (TEE), hardware-based secure elements such as universal integrated circuit card (UICC), embedded or integrated UICC (eUICC or iUICC), embedded secure elements, secure memory cards with cryptographic module or other dedicated interna
...