Country Signing Certificate Authority
Country Signing Certificate Authority (CSCA)
PKI (Public Key Infrastructure) is the fundamental technology behind ePassport. At the heart of this is the CSCA.
Every Country that is issuing ePassports would need to establish a CSCA as its national trust point. CSCA certificates are generated by the CSCA and are generally valid for periods of three to five years. As the anchor in the trust chain, CSCA certificates are often exchanged bilaterally to ensure maximum security and trust in the rest of the chain. However, CSCA certificates can also be obtained via Master Lists and validated by other means.
Document Signer Certificate (DSC)
A DSC is a certificate that contains the information required to verify the digital signature on an ePassport. In contrast to CSCA certificates which remain relatively static due to the longer validity period, a large number of DSCs will be created over time. While there are no minimum or maximum periods prescribed in Doc 9303 with respect to validity periods, the commonly‑held best practice is for a validity period of no more than 3 months or for signing 100,000 travel documents, whichever is sooner. Border control systems would need to validate the DSC associated with an ePassport against the CSCA certificate for the issuing Country to confirm the ePassport is authentic and has not been tampered with.
Certificate Revocation List (CRL)
CRLs are issued to reflect the revocation status of the Country’s DSCs or CSCAs that have been compromised. In addition, CRLs also serve to confirm that no such revocations exist for any of their certificates. CRLs must be issued at least every 90 days, even if no certificates have been revoked.
Netrust is one of the first countries in the world to have implemented a fully ICAO compliant CSCA and ePassport Signing solution, in support of Singapore’s launch of the ICAO-compliant BioPass passports in 2006. Our solution comprises:
- A secure offline Country Signing CA.
- Secure DSC generation and import into ePassport personalisation facilities.
- ePassport Signing Modules and integration with passport personalisation machines.
- Integration with ICAO PKD for the periodic upload of DSCs and CRLs.
- Creation of Country Master List.
for a discussion on your requirements.