Where Can Businesses Find the Necessary Certificates for ePassport Verification?

A certificate is a public key from an asymmetric key pair and its metadata: who made it, who signed it, how long it will be valid, the origin, and so on. Any certificate consists of metadata, a key, and a signature so that it can be verified.

A certificate is required to verify electronic documents, and enables secure authentication and integrity checks. The standard pipeline for authentication of data encoded in a chip includes two certificate types:

• Document Signer (DS) certificate—Used for digitally signing the data files the personalized document contains. A DS certificate is required to verify the digital signature on an eMRTD. The document signature is an encrypted hash of data that can only be decrypted with a public key.
• Country Signing Certificate Authority (CSCA) certificate—Used to sign all DS certificates in the country for specific needs. CSCA certificates are the root of trust certificates in the chain of trust for electronic document signature processes.

When issuing an electronic document, the CSCA private key digitally signs the DS Certificate. The DS private key digitally signs the document’s Document Security Object (SOD). Together, these signatures create a chain of trust. 

To fully trust an electronic document, say an ePassport, and confirm the authenticity of the entire process, you need to retrieve the Document Security Object from the chip and verify the signature against the DS certificate, and the DS certificate signature against the CSCA certificate provided by the particular country's issuing authority.

For convenience, all available certificates are usually grouped into several lists. Here are the most important ones:

• Master list—A compilation of the CSCA certificates that are considered trustworthy by the entity that issued the list, as it is digitally signed by an issuing party. The entity that provides the Master list should also be considered trustworthy.

• Certificate Revocation List (CRL)—A file that lists which certificates were revoked by issuing authority for any reason and are no longer trusted, as they are compromised, expired, etc. Simply put, if you take all available certificates and then subtract the relevant CRLs from them, you’ll get the current list that can be used for document verification.

The process of verifying the chip data, including its authenticity and integrity, is called Passive Authentication. It’s done by verifying the digital signature on the document using the public keys of the issuing state. Actually, that’s what access to the corresponding DS and CSCA certificates is needed for. 

According to the BSI Technical Guideline, the process of passive authentication includes four steps: 

1. Read the Document Security Object from the document chip. This is a file that stores hash values of all files stored in the chip (picture, fingerprint, etc.) and a digital signature of these hashes.

2. Retrieve the corresponding DS, CSCA Certificates, and the corresponding Certificate Revocation List. 

3. Verify the DS Certificate and the signature of the Document Security Object. 

4. Compute hash values of read data groups and compare them to the hash values in the Document Security Object.

There are several ways to obtain the necessary certificates for electronic document verification. Below, we’ll cover all of them, but whether any particular one is sufficient for passing particular certifications is left to your discretion.

The ICAO PKD is a central repository for the global exchange of the information required to authenticate eMRTDs, such as ePassports and electronic ID cards. Given the internationally recognized authority of the ICAO organization and the transparency of the sources, this is the most trustworthy centralized hub for obtaining certificates. 

Initially, the service was intended for the Aviation industry. The idea was to create a single trusted database where countries issuing electronic documents would share the certificates so other countries could easily verify them.

As of now, the ICAO PKD database has certificates from 95 states/entities, and the ICAO is working to get certificates from as many countries as possible. Despite the efforts, not every country is a PKD member. For instance, Portugal is not yet on the list.

To get a better idea of what the ICAO PKD is, access the repository by simply reading its Terms and Conditions and entering the CAPTCHA code. As you’ll see, it contains everything in terms of certificates:

• Country Signing Certification Authority (CSCA) certificates  

• Document Signer Certificate (DSC) 

• Certificate Revocation Lists (CRLs) that notify of any revocations of any of the above

Let’s quickly guide you through the assets present in the repository. The latest lists include:

• Serial number 1 is a collection of everything EXCEPT the CSCAs. You can use anything in here to verify the signature on the document and confirm a lack of revocation of any of the Signer keys.

• Serial number 2 is the CSCAs compiled in master lists. There is a collection of Master Lists, because the ICAO produces and issues its own (it is uploaded under the UN in the PKD), and other countries can also upload their own Master Lists to share which CSCAs they trust.

• Serial number 3 contains the same data as serial number 1 (i.e., everything except the CSCAs) except the data that is not conformant. Important note: this data is no longer supported by the ICAO as an individual dataset. Now, everything goes into pot 1, so pot 3 can now be ignored.

Delta files are issued periodically to demonstrate updates for pots 1 and 2. If you have a database populated with items under pot 1, then you can use the delta to download only new items, so as to avoid having to download everything repeatedly. You have a choice: download the full pot 1 and pot 2 regularly, or download them once and then use deltas to update them each time a new delta is issued.

Here’s the tricky part. In general, access to the PKD is open, so you can access the current certificate lists at any moment and download them to your computer. 

However, the Terms and Conditions explicitly state that you can not use this access for commercial purposes. In fact, this open resource serves testing and trial purposes, but cannot be used in any product/service of a commercial nature. You cannot use any means of automation to scrape or parse these files either. 

While the ICAO announced a pilot project that allows the use of the PKD in commercial settings, it is restricted to the Travel industry for now.

This is the option for large-scale businesses that operate in highly regulated industries such as Banking and Finance. 

If you need to have access to the ICAO PKD to pass official certifications and use it for document verification processes at scale, there’s no other workaround but to enlist the support of your national authorities that issue identity documents, and who might be PKD members. Since the ICAO doesn’t restrict what a government authority might do with PKD data, such an authority might agree to provide you with data under that membership process.

As an alternative to the ICAO PKD, there’s a German organization called the Federal Office for Information Security(BSI), which provides a CSCA master list. The current BSI master list contains over 500 CSCA certificates and CSCA link certificates from 107 countries. Commercial use may be permitted as long as it isn’t used for advertising or creates the appearance of cooperation with the BSI. 

As always, however, there’s one “but”:

Although the BSI is a well-known trusted organization, one peculiarity of using their master list is that its management and maintenance are less transparent compared to the ICAO PKD. The organization doesn’t disclose their sources, nor can you find a change log of the master list to get an idea of how often it’s updated. For some companies, that might prevent them from using the data in their procedures. For example, if you use the BSI master list, you won't be compliant with the ETSI requirements for qualified electronic signatures (QES).

In this case, you need to individually apply to each country’s authorities for current certificates and wait till they send you a file with a certificate via diplomatic channels. Although this method isn’t impossible, it’s only feasible for a small number of organizations.

However, there’s an easier approach: many countries provide their CSCA certificates for public access. For example:

• Switzerland 

• Australia

• Italy

• Bulgaria

• Czechia

• Denmark

• Estonia

• Finland

• Norway

If your company operates worldwide, manually scraping information from various countries’ passport office sites might not be the most convenient option. But if you target just one country and it provides its CSCA to the public, that might not be a big issue.

Regula Document Reader SDK supports authentication of electronic documents using CSCA and DS certificates, be they from the ICAO PKD or other trusted sources. With Regula's cutting-edge solutions, businesses can establish fully remote workflows that not only comply with the ETSI and eIDAS standards, but also pave the way for a revolutionary customer onboarding experience.

If you’re looking to achieve a significant upgrade in how you verify your customers, reach out to the Regula team, and we’ll be more than happy to assist you with this important task.