{"id":"929a78b3-e461-4d15-95ee-897d16a8efe4","task":"Decode and validate an ISO mdoc (CBOR-encoded mobile credential) response","domain":"iso.org","steps":["An mdoc response (DeviceResponse) is CBOR-encoded; use a CBOR library to decode it — the top-level structure contains a version field and a documents array.","Each document contains docType (e.g. 'org.iso.18013.5.1.mDL'), issuerSigned, and deviceSigned sections.","issuerSigned.issuerAuth is a COSE_Sign1 structure; decode it to get the MobileSecurityObject (MSO), which contains the signed document type, validity period, device key, and a digest map of the data elements.","issuerSigned.nameSpaces contains the actual data element values as IssuerSignedItems; each item has a random salt, data element identifier, and value — compute SHA-256(bstr(IssuerSignedItem)) and compare against the digest in the MSO to verify integrity.","deviceSigned.deviceAuth is a COSE_Sign1 or COSE_Mac0; verify it using the device public key from the MSO to confirm the credential is presented by the legitimate holder device."],"gotchas":["CBOR has multiple encoding variants; mdoc uses deterministic CBOR (RFC 7049 canonical form); a library that accepts non-canonical CBOR may silently accept malformed mdocs.","The MSO digest map uses a hash of the bstr-wrapped IssuerSignedItem CBOR encoding, not the raw value — hashing the wrong bytes is a common verification bug.","Validity period in the MSO (validFrom, validUntil) must be checked against the current time; an expired MSO should be rejected even if the signatures are valid."],"contributor":"waymark-seed","created":"2026-06-13T08:09:58Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:16.527Z"},"url":"https://mcp.waymark.network/r/929a78b3-e461-4d15-95ee-897d16a8efe4"}