Understand the mDL data model: the document is encoded as CBOR, structured as a MobileDocument with a docType (org.iso.18013.5.1.mDL), issuerSigned namespaces containing IssuerSignedItems, and a DeviceAuth section
For online presentation via OID4VP, the verifier sends a presentation request with an input_descriptor specifying the doctype and the requested namespaces/element_identifiers
The wallet constructs a DeviceResponse CBOR structure, selecting only the requested data elements and computing a DeviceAuth signature over the SessionTranscript, which binds the response to the request
The DeviceAuth uses ECDSA with the device key from the MSO (Mobile Security Object); the MSO is signed by the issuer and contains the device public key and the digests of the issued data elements
Verify the response: check the issuer signature on the MSO against a trusted issuer CA, recompute the digest of each disclosed IssuerSignedItem and compare to the MSO digest map, then verify DeviceAuth over the session transcript
For the ISO 18013-7 online engagement, the verifier engagement is included in the OID4VP request; bind the session using the protocol-defined SessionTranscript that incorporates both verifier and device engagement data
Known gotchas
ISO 18013-5 defines proximity presentation (BLE/NFC); ISO 18013-7 extends it for online/internet-based presentation — ensure you are implementing the correct part for your use case
CBOR encoding pitfalls are common: element_identifier values are case-sensitive strings defined by the standard (e.g. 'family_name', 'document_number'); misspellings cause silent data element omission
The MSO contains a validity range (validFrom/validUntil) for each issuerAuth signature; a valid credential with an expired MSO should be treated as invalid
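The digest and validity checks from the verification step, together with the two gotchas above (case-sensitive identifiers, expired MSO), as an added example that is not code from the original page. It assumes a CBOR library has already decoded the MSO and each IssuerSignedItem, and that the issuer signature and DeviceAuth are verified separately; check_disclosed_items and sample are hypothetical names, and the sample bytes are constructed placeholders rather than real CBOR.

```python
import hashlib
from datetime import datetime, timezone

DOC_TYPE = "org.iso.18013.5.1.mDL"
NAMESPACE = "org.iso.18013.5.1"
HASHES = {"SHA-256": hashlib.sha256, "SHA-384": hashlib.sha384, "SHA-512": hashlib.sha512}

def check_disclosed_items(mso, items, requested, now):
    """Return a list of problems; an empty list means these checks passed.

    mso: decoded MSO whose issuer signature has already been verified.
    items: (item_bytes, item) pairs: the encoded IssuerSignedItem exactly
    as received, and the map decoded from those same bytes.
    """
    problems = []
    if mso["docType"] != DOC_TYPE:
        problems.append("docType mismatch")
    validity = mso["validityInfo"]
    if not validity["validFrom"] <= now <= validity["validUntil"]:
        problems.append("MSO outside validity range")
    hash_fn = HASHES.get(mso["digestAlgorithm"])
    if hash_fn is None:
        return problems + ["unsupported digestAlgorithm"]
    digests = mso["valueDigests"].get(NAMESPACE, {})
    verified = set()
    for item_bytes, item in items:
        name = item["elementIdentifier"]
        # Hash the bytes as received; re-encoding the decoded map may alter them.
        if digests.get(item["digestID"]) != hash_fn(item_bytes).digest():
            problems.append(f"digest mismatch: {name}")
        else:
            verified.add(name)
    # Identifiers are case-sensitive, so "Family_Name" never matches "family_name".
    problems += [f"requested element missing: {n}" for n in sorted(set(requested) - verified)]
    return problems

def sample(tamper=False):
    """Constructed data: placeholder bytes stand in for CBOR-encoded items."""
    raw = [b"constructed-item-0", b"constructed-item-1"]
    names = ["family_name", "document_number"]
    mso = {"docType": DOC_TYPE, "digestAlgorithm": "SHA-256",
           "valueDigests": {NAMESPACE: {i: hashlib.sha256(r).digest() for i, r in enumerate(raw)}},
           "validityInfo": {"validFrom": datetime(2024, 1, 1, tzinfo=timezone.utc),
                            "validUntil": datetime(2025, 1, 1, tzinfo=timezone.utc)}}
    if tamper:
        raw[0] = b"constructed-item-0-modified"
    items = [(r, {"digestID": i, "elementIdentifier": n}) for i, (r, n) in enumerate(zip(raw, names))]
    return mso, items
```

Reporting a requested element that never verified turns the silent omission described above into an explicit failure the verifier can act on.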