Certificate Authority – ePassport/Border Control
Country Signing Certificate Authority (CSCA)
PKI (Public Key Infrastructure) is the fundamental technology behind ePassport. At the heart of this is the CSCA.
Every Country that is issuing ePassports would need to establish a CSCA as its national trust point. CSCA certificates are generated by the CSCA and are generally valid for periods of three to five years. As the anchor in the trust chain, CSCA certificates are often exchanged bilaterally to ensure maximum security and trust in the rest of the chain. However, CSCA certificates can also be obtained via Master Lists and validated by other means.
Document Signer Certificate (DSC)
A DSC is a certificate that contains the information required to verify the digital signature on an ePassport. In contrast to CSCA certificates which remain relatively static due to the longer validity period a large number of DSCs will be created over time. While there are no minimum or maximum periods prescribed in Doc 9303 with respect to validity periods, the commonly‑held best practice is for a validity period of no more than 3 months or for signing 100,000 travel documents, whichever is sooner. Border control systems would need to validate the DSC associated with an ePassport against the CSCA certificate for the issuing Country to confirm the ePassport is authentic and has not been tampered with.
Certificate Revocation List (CRL)
CRLs are issued to reflect the revocation status of the Country’s DSCs or CSCAs that have been compromised. In addition, CRLs also serve to confirm that no such revocations exist for any of their certificates. CRLs must be issued at least every 90 days, even if no certificates have been revoked.
Border Control – ePassport Validation Solution
ePassports are the most secure of travel documents. But without proper validation of the contents of the chip in an ePassport, the advantages of this increased security are not realised. Improper validation of ePassports leads to a “false” sense of security.
The challenges to proper validation of the chip include:
- Distributing your Country credentials to others through the ICAO PKD.
- Sourcing of CSCA/DSC/CRL from multiple countries and downloading from the ICAO PKD.
- Ensuring proper due diligence before using the ICAO PKD certificates and other sourced data.
- Secure distribution to all validation points (border control).
- Hiding the complexity of the ePassport validation process from the border control Immigration Officer and presenting the results in an easy to understand format.
- Management of central Validation policies that can be pushed to the validation points.
- Understanding the complexity, and the state of affairs and level of compliance (or non-compliance) of the actual ePassports in circulation.
Netrust is one of the first countries in the world to have implemented a fully ICAO compliant CSCA and ePassport Signing solution, in support of Singapore’s launch of the ICAO-compliant BioPass passports in 2006.
With Netrust’s experience in implementing the ePassport Validation Solution in Singapore, Netrust can offer the consulting and provide the well tested solutions for integration in any country’s Border Control system. Our solution is modular and comprises the following:
Our solution is modular and comprises the following:
- A secure offline Country Signing CA.
- Secure DSC generation and import into ePassport personalisation facilities.
- ePassport Signing Modules and integration with passport personalisation machines.
- Integration with ICAO PKD for the periodic upload of DSCs and CRLs
- Creation of Country Master List.
- ICAO PKD Upload Module.
- ICAO PKD Download Module.
- Country PKD.
- Centrally Managed ePassport Validation Modules.