SPOC (Single Point of Contact) is the entity that manages the data exchange between the EAC (Extended Access Control) PKIs of the different countries. This entity is the only point of contact for the following operations:
- Redirecting the certification requests of the foreign DVs to the national CVCA.
- Redirecting the certification responses of the national CVCA to the foreign DVs.
- Redirecting the requests of the national DVs to the foreign CVCAs.
- Redirecting the certification responses of the foreign CVCAs to the national DVs.
- Exchanging notifications (e.g., suspension of the CVCA service, compromised DV keys).
For all of these operations, each SPOC provides a TLS-protected Web service interface.
This article outlines the KeyOne applications for implementing the SPOC and the EAC PKI. See the KeyOne eMRTD Solutions for a more detailed description of these applications.
In KeyOne's EAC PKI, the SPOC is implemented by KeyOne CVRA. This application also acts as the registration authority of the national CVCA. Thus, KeyOne CVRA takes care of:
- Registering the national DVs.
- Sending the certification requests of national and foreign DVs to the national CVCA.
- Sending the certification requests of national DVs to the foreign CVCAs.
- Sending the certificates issued by the national CVCA to the national and foreign DVs.
- Revoking national DVs.
A DVCA (Document Verifier Certification Authority) is a subordinate certification authority that issues CV certificates for the national ISs (Inspection Systems). To do this, each national DV is in turn certified by the following root authorities:
- The national CVCA.
- The CVCA of each country whose e-passports can be checked by the national ISs.
A country's CVCA (Country Verifying Certification Authority) is the root certification authority that issues CV certificates for the national and foreign DVs. Each national CVCA issues the CV certificates of the following DVs:
- The national DVs.
- The DVs of foreign countries authorized to check the national e-passports.
As there is no mechanism for revoking the CV certificates, these certificates are issued with very short validity periods and need to be renewed frequently. In KeyOne's EAC PKI, the renewal of CV certificates and keys is scheduled automatically.
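
The certification hierarchy described above (an IS is certified by its national DV, which is in turn certified by each CVCA whose e-passports it may check) and the reliance on expiry instead of revocation can be modelled as follows. This Python code is an added example, not KeyOne code; the `CVCert` fields, entity names and dates are constructed for illustration, and signature verification is not modelled.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class CVCert:  # simplified model of a CV certificate; field names are assumptions
    holder: str        # entity the certificate was issued to
    issuer: str        # signer: a CVCA for a DV cert, a DV for an IS cert
    not_before: date
    not_after: date

    def valid_on(self, day: date) -> bool:
        return self.not_before <= day <= self.not_after

def chains(is_name, cvca, certs, day):
    """Yield every unexpired (DV cert, IS cert) pair linking is_name to cvca."""
    for is_cert in certs:
        if is_cert.holder != is_name or not is_cert.valid_on(day):
            continue
        for dv_cert in certs:
            if (dv_cert.holder == is_cert.issuer and dv_cert.issuer == cvca
                    and dv_cert.valid_on(day)):
                yield dv_cert, is_cert

def can_inspect(is_name, cvca, certs, day):
    """True if the IS can present a valid chain to e-passports rooted at cvca."""
    return any(True for _ in chains(is_name, cvca, certs, day))

def residual_trust_days(is_name, cvca, certs, day):
    """Days the IS stays trusted under cvca if nothing is renewed. Without
    revocation, this is also how long a compromised key remains usable."""
    ends = [min(dv.not_after, isc.not_after)
            for dv, isc in chains(is_name, cvca, certs, day)]
    return (max(ends) - day).days + 1 if ends else 0

# Constructed sample data: country AA's DV is certified by its own CVCA
# and, for a shorter period, by the CVCA of foreign country BB.
CERTS = [
    CVCert("AA-DV", "AA-CVCA", date(2024, 1, 1), date(2024, 3, 31)),
    CVCert("AA-DV", "BB-CVCA", date(2024, 1, 15), date(2024, 2, 14)),
    CVCert("AA-IS-01", "AA-DV", date(2024, 2, 1), date(2024, 2, 29)),
]

if __name__ == "__main__":
    for cvca in ("AA-CVCA", "BB-CVCA", "CC-CVCA"):
        for day in (date(2024, 2, 10), date(2024, 2, 20)):
            print(cvca, day, can_inspect("AA-IS-01", cvca, CERTS, day),
                  residual_trust_days("AA-IS-01", cvca, CERTS, day))
```

The shortest validity period in the chain bounds the exposure window, which is why a missed renewal silently removes access to a foreign country's e-passports while the national chain keeps working.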