
Introduction to Verified Issuer Certificate Authority List (VICAL)

A VICAL (Verified Issuer Certificate Authority List) is a cryptographically signed, authoritative list of trusted certificate authorities that simplifies the verification of digital credentials—most notably mobile driver’s licenses (mDLs)—across multiple jurisdictions and issuers. It plays a central role in scaling trust and interoperability in modern mobile identity ecosystems.

Purpose and Context

In digital identity ecosystems where multiple authorities independently issue digital ID documents—such as driver’s licenses, national ID cards, or veteran cards—each authority typically operates its own Issuing Authority Certificate Authority (IACA). For example, in a country where different public entities are responsible for issuing various types of digital ID documents, the government must manage and control which organizations are authorized to issue specific credentials. This is where a Verified Issuer Certificate Authority List (VICAL) becomes essential, enabling centralized governance over who can issue what within the digital identity ecosystem.

A widely recognized example of this model is found in the United States, where the American Association of Motor Vehicle Administrators (AAMVA) maintains a VICAL of state-level authorities that are authorized to issue mobile driver’s licenses (mDLs). This federated approach allows verifiers—such as law enforcement, border agents, or service providers—to easily validate the trustworthiness of credentials without needing to manage direct trust relationships with every individual issuer.

VICAL addresses this problem by consolidating trusted IACAs into a single list. Verifiers only need to trust the VICAL provider rather than each individual issuer. This centralization of trust relationships dramatically simplifies verification processes and enables cross-border interoperability.

How VICAL Works

The VICAL process includes several key steps that support consistent and secure credential verification:

  • Collection and Validation

    VICAL providers gather public keys and metadata from recognized IACAs. Each is validated and linked to specific types of mobile credentials (e.g., mDL, mPass).

  • Cryptographic Signing

    The complete list is digitally signed by the VICAL provider. This signature acts as a trust anchor, allowing verifiers to validate the integrity and authenticity of the list itself.

  • Distribution to Relying Parties

    Verifiers retrieve the signed VICAL—often via download or API. The VICAL serves as the single source of truth for validating incoming credentials.

  • Credential Verification

    When a credential is presented, the verifier checks:

    • That the issuing authority appears in the VICAL.

    • That the IACA is valid for the credential type.

    • That the credential’s signature chain resolves to a public key listed in the VICAL.

This model enables decentralized issuance while preserving centralized, scalable trust verification.

Technical Structure

VICAL is designed with standardization and automation in mind:

  • Format

    The list uses a signed, machine-readable format (e.g., COSE_Sign with embedded X.509 public keys), as defined in ISO/IEC 18013-5 for mobile driver licenses.

  • Metadata

    Each VICAL includes a version identifier, provider name, issuance timestamp, expiration timestamp, and a unique list identifier.

  • Records

    Each entry contains issuer information, credential type(s), IACA public key, validity periods, and associated digital signatures.

  • Update Mechanisms

    VICALs are versioned and regularly refreshed to support key rotation and dynamic inclusion or removal of issuers.
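The verifier checks listed under "Credential Verification" can be run against the metadata and record fields described above, as in the following added example, which is not code from the original page or from any VICAL provider. The field names, the sample list and the keys are constructed for illustration and are not the ISO/IEC 18013-5 encoding; it assumes the VICAL's own signature and the credential's certificate chain were already cryptographically verified by a COSE/X.509 library, so `root_key` is the public key that chain ended at.

```python
import hashlib
from datetime import datetime, timezone

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

def key_id(public_key: bytes) -> str:
    """SHA-256 fingerprint used to match a chain's root key to a VICAL record."""
    return hashlib.sha256(public_key).hexdigest()

# Constructed sample list; field names are illustrative, not the ISO encoding.
KEY_A, KEY_B = b"constructed-iaca-key-A", b"constructed-iaca-key-B"
VICAL = {
    "version": "1.0", "provider": "Example VICAL Provider", "list_id": 42,
    "issued_at": utc(2025, 1, 1), "expires_at": utc(2025, 4, 1),
    "records": [
        {"issuer": "State A DMV", "doc_types": ["org.iso.18013.5.1.mDL"],
         "public_key": KEY_A, "not_before": utc(2024, 1, 1), "not_after": utc(2029, 1, 1)},
        {"issuer": "State B Veterans Office", "doc_types": ["org.example.vetcard"],
         "public_key": KEY_B, "not_before": utc(2024, 1, 1), "not_after": utc(2025, 2, 1)},
    ],
}

def check_issuer(vical, root_key: bytes, doc_type: str, now: datetime):
    """Return (trusted, reason) for a credential whose chain ends at root_key."""
    # A stale list may still name an issuer that has since been removed.
    if not (vical["issued_at"] <= now < vical["expires_at"]):
        return False, "vical_not_current"
    # Issuer and key checks: the chain's root key must be a listed IACA key.
    matches = [r for r in vical["records"] if key_id(r["public_key"]) == key_id(root_key)]
    if not matches:
        return False, "issuer_not_listed"
    # Credential-type check: the IACA must be listed for this document type.
    typed = [r for r in matches if doc_type in r["doc_types"]]
    if not typed:
        return False, "doc_type_not_authorized"
    # The record's own validity period must cover the verification time.
    if not any(r["not_before"] <= now <= r["not_after"] for r in typed):
        return False, "iaca_outside_validity"
    return True, "trusted"

if __name__ == "__main__":
    now = utc(2025, 2, 15)
    print(check_issuer(VICAL, KEY_A, "org.iso.18013.5.1.mDL", now))
    print(check_issuer(VICAL, KEY_B, "org.iso.18013.5.1.mDL", now))
```

Returning a reason code with each rejection lets a relying party log why a credential failed, which separates an unknown issuer from a listed issuer presenting a credential type it is not authorized for.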

Governance and Operation

National or regional bodies manage VICALs within broader Digital Trust Service (DTS) infrastructures. For example:

  • In North America, the American Association of Motor Vehicle Administrators (AAMVA) operates a VICAL to support the rollout of mobile driver’s licenses (mDLs). AAMVA maintains a trusted list of all state-level issuers authorized to issue mDLs, allowing verifiers—such as law enforcement or service providers—to confirm the legitimacy of credentials issued across different states.

  • In Australia, Austroads coordinates the VICAL for domestic digital credentials.

While some regions like North America use VICAL-based trusted lists to manage mobile driver’s licenses (mDLs), others take different approaches. For example, New Zealand does not currently have a centralized VICAL for mDLs, and South Korea has implemented mDLs using blockchain technology, which allows decentralized trust management without relying on traditional VICAL trusted lists.

There are multiple trust frameworks available for managing mobile driver’s licenses and digital identifiers. OpenID Federation is a modern and flexible approach that supports dynamic metadata and automated trust relationships, which we promote as a preferred solution. ETSI Trusted Lists (TLs) are another option, though they were primarily designed for the European Union and may not be as applicable in other regions.

These governing bodies ensure only vetted, compliant authorities are listed, preserving trust across the ecosystem.

Practical Impact

VICAL is one of several frameworks designed to support digital trust at scale:

  • Interoperability:

    VICAL enables verifiers in one jurisdiction to recognize mobile driver’s licenses (mDLs) issued in another, provided both are covered by the same or federated VICALs. This supports cross-border identity verification where adopted.

  • Operational Efficiency:

    By centralizing trust decisions at the VICAL level, relying parties can avoid onboarding every individual issuer separately, simplifying trust management.

  • Transparency:

    Tools like VICAL Viewers present trusted lists in human-readable formats, facilitating audits and governance oversight.

While VICAL is part of relevant ISO standards and is expected to be adopted by additional countries, it is one option among many. In most digital identity ecosystems, including those supporting mDLs, multiple credential types and trust frameworks coexist. Alternative models such as OpenID Federation offer dynamic metadata management and automated trust relationships, which may better align with modern requirements and platforms.

Cross-Border Interoperability for Digital IDs

Cross-border interoperability for digital IDs is essential for enabling seamless identity verification and trusted transactions across different countries and jurisdictions. Digital identity ecosystems often involve multiple issuers, verifiers, and trust frameworks, making interoperability a complex challenge.

Frameworks like VICAL (Verified Issuer Certificate Authority List) support interoperability by maintaining trusted lists of authorized issuers across regions. When multiple countries or states adopt the same or federated VICALs, verifiers can confidently validate mobile driver’s licenses (mDLs) or other digital credentials issued outside their jurisdiction, simplifying cross-border identity checks.

However, interoperability is not limited to VICAL. Emerging trust models such as OpenID Federation provide dynamic, API-driven mechanisms for sharing trust metadata and automating trust relationships in real time. These approaches enable more flexible and scalable cross-border interoperability for digital IDs, especially as ecosystems grow in complexity and diversity.

Achieving effective cross-border interoperability requires alignment on standards, governance, and technical protocols. While frameworks like ETSI Trusted Lists (TLs) have been widely adopted in the European Union, other regions are exploring alternative or complementary models that better fit their regulatory and technical environments.

Ultimately, cross-border interoperability for digital IDs is a critical enabler of global digital trust, facilitating secure and convenient access to services across borders.

Alignment with Other Trust Models

VICAL operates as a centralized trust anchor within national or regional contexts, supporting decentralized issuance of mobile documents (mDocs) and other mobile credentials. Unlike the ICAO Public Key Directory (PKD), which functions as a global trust anchor for e-passports, there is currently no single global VICAL for mobile driver’s licenses (mDLs).

For cross-border interoperability, it is practical to rely on VICALs maintained by individual countries or federations. This approach allows different regions to use formats and trust frameworks that best fit their regulatory and technical environments, while still enabling verifiers to trust credentials issued elsewhere through federated or coordinated trust models.

As a core component of national or regional Digital Trust Services, VICAL enables machine-verifiable trust at scale while reducing complexity for relying parties.