Certificate Authority – ePassport/Border Control

Country Signing Certificate Authority (CSCA)

PKI (Public Key Infrastructure) is the fundamental technology behind ePassport. At the heart of this is the CSCA.

CSCA Certificate

Every country issuing ePassports needs to establish a CSCA as its national trust point. CSCA certificates are generated by the CSCA and are generally valid for periods of three to five years. As the anchor of the trust chain, CSCA certificates are often exchanged bilaterally to ensure maximum security and trust in the rest of the chain. However, CSCA certificates can also be obtained via Master Lists and validated by other means.

Document Signer Certificate (DSC)

A DSC is a certificate that contains the information required to verify the digital signature on an ePassport. In contrast to CSCA certificates, which remain relatively static due to their longer validity period, a large number of DSCs will be created over time. While Doc 9303 prescribes no minimum or maximum validity period, the commonly held best practice is a validity period of no more than 3 months or the signing of 100,000 travel documents, whichever is sooner. Border control systems need to validate the DSC associated with an ePassport against the CSCA certificate of the issuing country to confirm that the ePassport is authentic and has not been tampered with.

Certificate Revocation List (CRL)

CRLs are issued to reflect the revocation status of a country's DSCs or CSCA certificates that have been compromised. CRLs also serve to confirm that no such revocations exist for any of the country's certificates. CRLs must be issued at least every 90 days, even if no certificates have been revoked.
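
The checks a validation point applies to a DSC, following the DSC and CRL descriptions above, as an added example that is not Netrust's code. The Cert and Crl records, the validate_dsc function and the country "XX" are hypothetical; the example assumes the signature check itself is done by a crypto library and that a missing or stale CRL is treated as a failure.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

CRL_MAX_AGE = timedelta(days=90)  # the page: a CRL is issued at least every 90 days

@dataclass
class Cert:                       # only the X.509 fields these checks need
    subject: str
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime

@dataclass
class Crl:
    issuer: str
    this_update: datetime
    revoked_serials: set = field(default_factory=set)

def validate_dsc(dsc, csca, crl, now, signature_ok):
    """Return the reasons a DSC must not be trusted; an empty list means accept.

    signature_ok is the outcome of verifying the DSC's signature with the CSCA
    public key; that cryptographic step is assumed to be done by the caller.
    """
    problems = []
    if not signature_ok:
        problems.append("DSC signature does not verify under the CSCA key")
    if dsc.issuer != csca.subject:
        problems.append("DSC was not issued by this CSCA")
    for name, cert in (("CSCA", csca), ("DSC", dsc)):
        if not cert.not_before <= now <= cert.not_after:
            problems.append(f"{name} certificate is outside its validity period")
    if crl is None or crl.issuer != csca.subject:
        problems.append("no CRL from this CSCA is available")
    else:
        if now - crl.this_update > CRL_MAX_AGE:
            problems.append("CRL is stale: a newer one should have been issued")
        if dsc.serial in crl.revoked_serials:
            problems.append("DSC is listed on the CRL")
    return problems

# Constructed sample data for a fictional issuing country "XX".
NOW = datetime(2024, 6, 1)
CSCA = Cert("CN=CSCA XX", "CN=CSCA XX", 1, datetime(2022, 1, 1), datetime(2027, 1, 1))
DSC = Cert("CN=DS 17 XX", "CN=CSCA XX", 1017, datetime(2024, 4, 1), datetime(2024, 6, 30))
FRESH_CRL = Crl("CN=CSCA XX", datetime(2024, 5, 1))
OLD_CRL = Crl("CN=CSCA XX", datetime(2024, 1, 15), {1017})
```

An empty CRL that is fresh is itself evidence: it confirms that no revocation exists, which is why the stale case is reported separately from the revoked case.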

Border Control – ePassport Validation Solution

ePassports are the most secure of travel documents. But without proper validation of the contents of the chip in an ePassport, the advantages of this increased security are not realised. Improper validation of ePassports leads to a “false” sense of security.
The challenges to proper validation of the chip include:
  • Distributing your Country credentials to others through the ICAO PKD.
  • Sourcing of CSCA/DSC/CRL from multiple countries and downloading from the ICAO PKD.
  • Ensuring proper due diligence before using the ICAO PKD certificates and other sourced data.
  • Secure distribution to all validation points (border control).
  • Hiding the complexity of the ePassport validation process from the border control Immigration Officer and presenting the results in an easy-to-understand format.
  • Management of central Validation policies that can be pushed to the validation points.
  • Understanding the complexity, state of affairs and level of compliance (or non-compliance) of the actual ePassports in circulation.

Our Solution

Netrust is one of the first in the world to have implemented a fully ICAO-compliant CSCA and ePassport Signing solution, in support of Singapore’s launch of the ICAO-compliant BioPass passports in 2006.
With its experience in implementing the ePassport Validation Solution in Singapore, Netrust can offer consulting and provide well-tested solutions for integration into any country’s Border Control system.

Our solution is modular and comprises the following:

  • A secure offline Country Signing CA.
  • Secure DSC generation and import into ePassport personalisation facilities.
  • ePassport Signing Modules and integration with passport personalisation machines.
  • Integration with ICAO PKD for the periodic upload of DSCs and CRLs.
  • Creation of Country Master List.
  • ICAO PKD Upload Module.
  • ICAO PKD Download Module.
  • Country PKD.
  • Centrally Managed ePassport Validation Modules.
