ISO Standards for Digital Document Security: A Guide to ISO 22385

Standards are the invisible infrastructure of trust. When a border agent verifies a passport, when a pharmacist checks a medicine's authenticity, or when a consumer scans a product label, international standards make that verification possible — and reliable. For Visible Digital Seals (VDS), that foundation is built on ISO 22385 and related ICAO specifications.

The Standards Landscape

ICAO Doc 9303 — Where It All Began

The International Civil Aviation Organization (ICAO) pioneered the concept of machine-readable travel documents (MRTDs) decades ago. In its Doc 9303 series, ICAO defined the VDS format specifically for travel and identity documents:

  • VDS for travel documents — A signed DataMatrix barcode on visa stickers, emergency travel documents, and supplementary identity documents.
  • VDS-NC (Non-Constrained) — A format designed specifically for use cases beyond travel documents (health certificates, professional credentials, etc.), with no constraint on payload size and a flexible data schema.

ISO 22385 / ISO 22376 — Expanding the Scope

The ISO 22381 family of standards (ISO 22376 and ISO 22385) generalises VDS technology for broader applications:

  • ISO 22385 / ISO 22376 — ISO 22376 defines the general framework and data structure for VDS authentication of goods and documents; ISO 22385 specifies the technical implementation requirements (encoding, cryptography, trust lists) developed in close collaboration with VDSIC.
  • It defines how data fields are organised, which signature algorithms are supported, and how certificate chains should be managed.

ISO 17712 and ISO 28000 — Supply Chain Context

In supply-chain contexts, VDS technology is complementary to existing standards for container seals (ISO 17712) and supply-chain security management (ISO 28000), though direct normative alignment between these standards and VDS specifications is still evolving.

Why Standards Matter

Interoperability

A VDS issued by a French authority must be verifiable by a Japanese border control system. Standards ensure that the data format, signature algorithms, and certificate management are universally understood.

Trust

Standards define certificate hierarchies — who is authorised to issue seals, how their keys are managed, and how revocation works. Without this governance, anyone could claim to be a legitimate issuer.

Longevity

By specifying precise technical requirements, standards protect against obsolescence. A VDS printed today will remain verifiable for years, because the verification logic is defined in a stable, publicly available document.

Legal Admissibility

In many jurisdictions, adherence to recognised international standards is a prerequisite for legal admissibility of digital evidence. A VDS verified according to ISO 22381 carries more weight than a proprietary solution.

Key Technical Requirements

The standards define several critical elements:

| Element | Specification |
|---|---|
| Barcode format | DataMatrix (ECC 200), QR Code, NFC, URL (VDS is carrier-agnostic) |
| Signature algorithm | ECDSA with P-256 or higher curves |
| Certificate format | X.509 v3 |
| Data encoding | MessagePack (binary serialisation format used for VDS payload encoding) |
| Compression | Optional zlib compression for large payloads |

These choices balance security strength with the practical constraints of printing and scanning barcodes on physical media.
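The following Go sketch is an added example, not code from the standards, VDSIC or the Otentik Codes Reader. It shows how a verifier can combine the trust-list governance described under "Trust" with the signature requirement in the table above. The `TrustEntry` record, the issuer IDs, the SHA-256 digest and the ASN.1 DER signature encoding are assumptions made for illustration; the real VDS field layout is defined by the standards.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// TrustEntry is a hypothetical trust-list record: one issuer key and its status.
type TrustEntry struct {
	Key     *ecdsa.PublicKey
	Revoked bool
}

// VerifySeal accepts payload only if the issuer is listed and not revoked, its key
// is on P-256 or larger, and it signed these exact bytes (assumed: SHA-256, DER).
func VerifySeal(trust map[string]TrustEntry, issuer string, payload, sig []byte) error {
	entry, ok := trust[issuer]
	if !ok || entry.Revoked || entry.Key == nil {
		return errors.New("issuer not on trust list, or revoked")
	}
	if entry.Key.Curve.Params().BitSize < 256 {
		return errors.New("issuer key is on a curve smaller than P-256")
	}
	digest := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(entry.Key, digest[:], sig) {
		return errors.New("signature does not match payload and listed key")
	}
	return nil
}

// SignSample plays a constructed test issuer: fresh key on curve c, one signature.
func SignSample(c elliptic.Curve, payload []byte) (*ecdsa.PublicKey, []byte) {
	key, _ := ecdsa.GenerateKey(c, rand.Reader)
	digest := sha256.Sum256(payload)
	sig, _ := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return &key.PublicKey, sig
}

func main() {
	payload := []byte("constructed sample payload")
	pub, sig := SignSample(elliptic.P256(), payload)
	trust := map[string]TrustEntry{"XX01": {Key: pub}} // constructed issuer ID
	fmt.Println("listed issuer:", VerifySeal(trust, "XX01", payload, sig))
	fmt.Println("self-declared issuer:", VerifySeal(trust, "ZZ99", payload, sig))
}
```

A signature that is mathematically valid under a key absent from the trust list is rejected at the first check, which is the governance property the "Trust" section describes.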

The Role of VDSIC in Standardisation

VDSIC actively participates in the development and promotion of VDS standards through:

  • Technical committee contributions — VDSIC members contribute to ISO and ICAO working groups.
  • Interoperability testing — VDSIC organises plugfests and conformance testing events where implementers verify that their systems correctly generate and verify VDS.
  • Reference implementations — Tools like the Otentik Codes Reader serve as reference verification applications, ensuring that the standards are implemented correctly.
  • Education and outreach — VDSIC publishes guidance documents and organises workshops to help governments and industries adopt VDS.

Looking Ahead

As digital threats evolve, so do the standards. Current work includes:

  • Post-quantum cryptography — Preparing VDS for the era of quantum computing by evaluating quantum-resistant signature algorithms.
  • Extended data profiles — New data schemas for additional use cases such as academic credentials, environmental certificates, and digital product passports.
  • Enhanced privacy — Selective disclosure mechanisms that allow a VDS to reveal only the information needed for a specific verification context.