mdoc (ISO 18013-5)

mdoc is a credential format defined in the ISO 18013-5 standard, originally developed for mobile driving licences (mDL) and subsequently adopted as one of the two mandatory credential formats for the European Digital Identity Wallet alongside SD-JWT. Unlike SD-JWT, which is based on JSON and the JOSE standard family, mdoc uses CBOR (Concise Binary Object Representation) for data encoding and COSE (CBOR Object Signing and Encryption) for cryptographic operations. This makes mdoc particularly efficient in terms of data size, an important consideration for offline and proximity-based scenarios where data is exchanged via NFC or Bluetooth.

mdoc structures credentials into namespaces and data elements, each of which can be independently disclosed, providing built-in selective disclosure at the attribute level. The format supports device authentication (proving the credential is presented from the authorised device), issuer authentication (proving the credential was issued by a legitimate issuer), and session encryption for secure proximity exchanges. The ARF specifies that the EUDIW must support both mdoc and SD-JWT, with mdoc being particularly suited for offline verification, in-person checks, and scenarios where bandwidth is constrained.

For implementers, mdoc requires working with CBOR libraries and understanding the ISO 18013-5 data model, which differs significantly from the JSON-based web ecosystem most developers are familiar with. However, the format's efficiency and its design for real-world presentation scenarios (e.g.

, showing your ID at a border or a shop) make it indispensable in the EUDIW ecosystem. Organisations that operate in physical verification contexts, such as border control, age verification at point of sale, and law enforcement checks, will particularly need to support mdoc.