VDS Issuance

VDS issuance is handled by the BioSeal Issuance Service from id3 Technologies — a managed platform that generates cryptographically signed Visible Digital Seals from government-issued documents.

Issuance stations never call BioSeal directly

Every issuance request goes through the IDToken Auth Server, which verifies the cryptographic proof from the passport chip (ICAO SOD + Active Authentication) before forwarding to BioSeal. BioSeal is an internal-only service with credentials held exclusively by the IDToken server. See Issuance Integrity for details.

What is a VDS?

A Visible Digital Seal (ISO 22376) is a compact, cryptographically signed digital credential derived from a government document. It carries identity data, a biometric photo, and an ECDSA signature — all in a format compact enough to fit in a QR code. See The VDS Credential for the full specification.

Issuance Flow

BioSeal Issuance Service

BioSeal provides:

Capability	Description
VDS construction	Payload encoding (MessagePack), header assembly, manifest compliance
HSM-backed signing	ECDSA P-256 signatures via HSM (PKCS#11), key lifecycle management
Encoding & output	Base45/Base64 encoding, QR/Aztec code generation
Certificate management	Signing certificate provisioning, rotation, and revocation
Audit trail	Issuance logs (tokenId, timestamp, operator, certificate used)

BioSeal is an internal-only service — its API is not publicly exposed. Only the IDToken Auth Server holds BioSeal credentials, and all issuance requests must pass through the server’s document origin verification before BioSeal signs.

VDS Payload

The IDToken VDS carries two types of biometric data:

Field	Format	Purpose	Size
photo	WEBP lossy (200x200px)	Visual display of the holder’s face	~900 bytes
face	id3 face template (FormatOwner 003F)	1:1 biometric matching by the mobile app	140 bytes (fixed)

The photo is shown on the IDToken card and consent screens. The face template is a mathematical representation of facial features used for matching — it is never displayed (Visibility: NEVER).

Full Payload Fields

Field	Key	Type	Description
Given name	gn	String	First name (max 39 chars)
Family name	fn	String	Last name (max 39 chars)
Date of birth	dob	Date	ISO format
Nationality	nat	String	3-letter ISO code (C40 encoded)
Document number	doc	String	Passport/ID number
Token ID	tid	String	UUID (unique per VDS)
Expiry	exp	Timestamp	Issuance + 2 years
Photo	photo	Binary	Portrait image (WEBP)
Face template	face	Binary	id3 format, 140 bytes fixed

Trust Levels

The trust level assigned to each VDS depends on the issuance method:

Level	Issuance Method	Assurance	eIDAS Equivalent
1 — Self-issued	Selfie + document photo (no NFC)	Low	—
2 — Operator-verified	NFC read + operator present	Substantial	eIDAS Substantial
3 — NFC + AA + biometric	NFC with Active Authentication + 1:1 match	High	eIDAS High

The trust level is stored in the VDS and propagated as a JWT claim after authentication. Relying parties can require a minimum trust level.

VDS Binary Layout

PREFIX  (not encoded — ISO/IEC 15459-2)
  IAC = "VDS"   (Otentik Scheme Operator)
  CIN = "EU"    (id3 Technologies)
  DCI = "A"     (IDToken data construct)

HEADER  (18-21 bytes — signed)
  Marker:         0xDE
  Version:        3
  IAC (C40):      "VDS"
  Cert reference: CA ref + cert ID
  Manifest ID:    0x0A0001
  Timestamp:      Unix epoch UTC
  Payload length: variable

PAYLOAD  (MessagePack encoded — signed)
  gn, fn, dob, nat, doc, tid, exp, photo, face

SIGNATURE  (64 bytes — ECDSA P-256, raw r|s)
  signed_data = SHA-256(header || SHA-256(payload))