I built my first mDL demo, and the seamlessness is what hooked me
I wanted to see it for myself, so I built a demo.
The setup was simple. A simulated online store selling something age-restricted, alcohol, with a checkout that asked for a mobile driver's license instead of the usual "type your birthday and hope." I walked the whole thing end to end, playing both sides: the shopper presenting a credential, and the store verifying it.
I expected it to feel clunky. It did not.
What I shared was one fact: am I over 21. That was it. Not my name, not my address, not my license number, not even my actual birthday. The store got a signed yes. In a real deployment that yes would be cryptographically tied back to the state that issued the credential, so the vendor could trust it was real without me handing over a single extra detail. Share the minimum, prove it is genuine, move on.
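The mechanism behind that signed yes, as an added example (not the demo's code or any wallet's): ISO 18013-5 has the issuer sign salted digests of every attribute, so the holder can reveal one item and the verifier can still tie it to the issuer. Assumptions made so it runs on the Python standard library alone: JSON stands in for CBOR, an HMAC stands in for the issuer's signature, and the credential values are constructed.

```python
import hashlib, hmac, json, secrets

# Assumption: HMAC stands in for the issuer's signature. A real mDL issuer signs
# with a private key (COSE_Sign1) and the verifier holds only the public certificate.
ISSUER_KEY = b"constructed-demo-key"

def _digest(item):
    # Real mdocs hash the CBOR encoding of the item; canonical JSON is a stand-in.
    return hashlib.sha256(json.dumps(item, sort_keys=True).encode()).hexdigest()

def issue(attributes):
    """Issuer: give every attribute its own random salt, then sign only the digests."""
    items = [{"digestID": i, "random": secrets.token_hex(16),
              "elementIdentifier": k, "elementValue": v}
             for i, (k, v) in enumerate(attributes.items())]
    mso = json.dumps({"valueDigests": {str(it["digestID"]): _digest(it) for it in items}},
                     sort_keys=True)
    sig = hmac.new(ISSUER_KEY, mso.encode(), hashlib.sha256).hexdigest()
    return items, mso, sig

def present(items, mso, sig, requested):
    """Holder: release only the requested items plus the signed digest list."""
    return {"mso": mso, "sig": sig,
            "items": [it for it in items if it["elementIdentifier"] in requested]}

def verify(presentation):
    """Verifier: check the signature, then match each disclosed item to a signed digest."""
    expected = hmac.new(ISSUER_KEY, presentation["mso"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presentation["sig"]):
        return None  # digest list was not produced by the issuer
    digests = json.loads(presentation["mso"])["valueDigests"]
    disclosed = {}
    for it in presentation["items"]:
        if digests.get(str(it["digestID"])) != _digest(it):
            return None  # item was altered or substituted after issuance
        disclosed[it["elementIdentifier"]] = it["elementValue"]
    return disclosed

# Constructed sample credential, not real data.
ITEMS, MSO, SIG = issue({"family_name": "Doe", "birth_date": "1990-01-01",
                         "document_number": "X0000000", "age_over_21": True})
SHOWN = present(ITEMS, MSO, SIG, {"age_over_21"})

if __name__ == "__main__":
    print(verify(SHOWN))  # only age_over_21 reaches the store
```

The per-item random salt is what keeps the store from recovering the undisclosed attributes by guessing values and hashing them against the signed digests.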
After that I was hooked.
I started chasing where else this was happening. Online vendors running age checks. Airports. Law enforcement and traffic stops. Commercial building access. Car rentals. The same primitive kept showing up in completely different industries: prove one attribute, keep the rest.
The rabbit hole got deeper when I found MATTR, a company out of New Zealand doing this at the national level. New Zealand's Department of Internal Affairs picked them to build the country's digital credential platform, and their NZ Verify app can already check mDLs from other countries and US states. One of the states it verifies? Maryland. My license, checkable on the other side of the world.
So I spent a few weeks just reading. The ISO 18013-5 standard that defines the mDoc format. The NIST NCCoE project writing the playbook for how organizations should actually accept these things. OpenID4VP, the protocol for presenting a credential online.
And the more I read, the more one question started bothering me. It still does.
Why is every state building this differently?
Different wallets, different architectures, different readings of the same standards. If I run a business that wants to accept an mDL, I should be able to integrate once and verify a credential from Maryland or California or Georgia the exact same way. Instead the landscape is fragmented, and the thing standing between "cool demo" and "real infrastructure" is not the cryptography. The cryptography works. It is the absence of a boring, shared, industry-ready standard that everyone actually implements the same way.
That gap is the part I cannot stop thinking about. It is most of why I do what I do now.
~ Malik
