PKI (Public Key Infrastructure) is the fundamental technology behind the ePassport. At the heart of this is the CSCA (Country Signing Certification Authority).
Each Country issuing an ePassport establishes a single CSCA as its national trust point. CSCA certificates are generated by the CSCA and are generally valid for periods of three to five years. As the anchor in the trust chain, CSCA certificates are often exchanged bilaterally to ensure maximum security and trust in the rest of the chain. However, CSCA certificates can also be obtained via Master Lists and validated by other means.
A DSC (Document Signer Certificate) is a certificate that contains the information required to verify the digital signature on an ePassport. In contrast to CSCA certificates, which remain relatively static due to their longer validity period, a large number of DSCs will be created over time. While Doc 9303 prescribes no minimum or maximum validity periods, the commonly held best practice is a validity period of no more than 3 months or the signing of 100,000 travel documents, whichever is sooner. Border control systems need to validate the DSC associated with an ePassport against the CSCA certificate for the issuing Country to confirm that the ePassport is authentic and has not been tampered with.
CRLs (Certificate Revocation Lists) are lists issued to revoke any of the Country’s DSCs or CSCA certificates that have been compromised. CRLs also serve to confirm that no such revocations exist for any of the Country’s certificates. CRLs must be issued at least every 90 days, even if no certificates have been revoked.
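The sketch below is an added example, not Netrust's code or part of any ICAO tooling. It shows how a border control system might turn the 90-day CRL rule into a fail-closed revocation decision for a DSC. The `Crl` record, the function names and the sample values are assumptions, and the CRL is assumed to have been parsed and signature-checked already by an X.509 library.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# From the text above: a CRL must be issued at least every 90 days.
MAX_CRL_AGE = timedelta(days=90)

@dataclass(frozen=True)
class Crl:
    """Hypothetical record: fields of a CRL already parsed and signature-checked."""
    issuer: str                 # distinguished name of the issuing CSCA
    this_update: datetime       # when the CRL was issued
    revoked_serials: frozenset  # serial numbers the CRL lists as revoked

def revocation_status(crl, csca_name, csca_serial, dsc_serial, now):
    """Return 'revoked', 'unknown' or 'good' for a DSC issued by csca_name."""
    if crl is None or crl.issuer != csca_name:
        return "unknown"        # no CRL from this Country's CSCA
    if csca_serial in crl.revoked_serials or dsc_serial in crl.revoked_serials:
        return "revoked"        # a listed serial is revoked even on an old CRL
    age = now - crl.this_update
    if age < timedelta(0) or age > MAX_CRL_AGE:
        return "unknown"        # stale or post-dated: cannot confirm "no revocations"
    return "good"

def accept_dsc(crl, csca_name, csca_serial, dsc_serial, now):
    """Fail closed: accept only when a fresh CRL lists neither certificate."""
    return revocation_status(crl, csca_name, csca_serial, dsc_serial, now) == "good"

# Constructed sample data (not real certificates or CRLs).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
CSCA = "C=UT, O=Example Gov, CN=CSCA Utopia"
FRESH = Crl(CSCA, NOW - timedelta(days=10), frozenset({0x1A2B}))
STALE = Crl(CSCA, NOW - timedelta(days=120), frozenset())

if __name__ == "__main__":
    cases = [("fresh CRL, DSC not listed", FRESH, 0x2001),
             ("fresh CRL, DSC listed", FRESH, 0x1A2B),
             ("stale CRL, DSC not listed", STALE, 0x2001),
             ("no CRL available", None, 0x2001)]
    for label, crl, serial in cases:
        print(f"{label:26} -> {revocation_status(crl, CSCA, 0x01, serial, NOW)}")
```

An "unknown" result is a signal to fetch a current CRL or refer the document for manual inspection, not to treat the DSC as valid.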
Netrust is one of the first in the world to have implemented a fully ICAO-compliant CSCA and ePassport signing solution, in support of Singapore’s launch of the ICAO-compliant BioPass passports in 2006. Our solution comprises:
Contact Netrust for a discussion on your requirements.