This article describes the main purposes of a National PKD within an ePassport PKI and introduces the KeyOne National PKD solution.
What is a national PKD?
To validate the e-passports of a state (e.g., state S) using passive authentication, each Inspection System needs the following material:
- The certificate of the DS (Document Signer) of state S that signed the e-passport's Document Security Object (SOD).
- The certificate of the CSCA (Country Signing Certification Authority) of state S that issued that Document Signer certificate.
- The latest CRL issued by the CSCA of state S, so that a revoked Document Signer certificate is not accepted.
The ICAO PKD (Public Key Directory) distributes this cryptographic material between the e-passport PKIs of its member states. It does not, however, hold the certificates and CRLs of every state (only participating states upload their material), and it is not designed to serve requests directly from every Inspection System in the world.
It is therefore preferable for each state to deploy a National PKD that serves certificates and CRLs to its own Inspection Systems. The National PKD gathers this material both from the ICAO PKD and through out-of-band channels (e.g., diplomatic exchange, or direct communication with the national CSCA).
KeyOne National PKD
The KeyOne National PKD application acts as a broker between the ICAO PKD and the national PKD. As the following sections show, this gives the national Inspection Systems a single, vetted source of trust material.
Obtaining Certificates and CRLs
KeyOne National PKD automatically updates the certificates and CRLs required to validate e-passports. KeyOne National PKD obtains this material from the following sources:
- Foreign DS certificates, CRLs and Master Lists are downloaded from the ICAO's PKD.
- National CSCA and DS certificates and CRLs are obtained from the national CSCA.
- Foreign CSCA and DS certificates, CRLs and Master Lists are obtained via out-of-band communication.
Publication of Certificates and CRLs
In the national PKD, KeyOne National PKD publishes only approved certificates and CRLs. CSCA certificates can be approved manually or automatically:
- When a CSCA certificate arrives without a link certificate that chains it to an already approved CSCA certificate (for example, the first CSCA certificate received from a state), an operator with the Registration Approver role must explicitly approve it. To support this decision, KeyOne National PKD shows which Master Lists contain the certificate.
- When a link certificate signed by an already approved CSCA certificate is available (the usual case at a CSCA key rollover), KeyOne National PKD automatically approves both the link certificate and the new self-signed CSCA certificate.
DS certificates and CRLs signed by an approved CSCA certificate are automatically approved by KeyOne National PKD.
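The following is an added example, not code from the original article and not KeyOne's own API or data model. It implements the three approval rules above (manual approval of a CSCA certificate with no link, automatic approval through a link certificate from an approved CSCA, automatic approval of DS certificates and CRLs signed by an approved CSCA) and then runs the passive-authentication check described at the start of the article, using the approved DS certificate, its CSCA and the latest CRL. All keys, certificates, CRLs, Master List names and the "current time" are constructed test data generated with pyca/cryptography; the class and function names are this example's own. The SOD is modelled as a raw ECDSA signature over a byte string rather than as real CMS SignedData.

```python
"""Approval rules of a National PKD and the passive-authentication check an Inspection System runs on
the approved material. All keys, certificates, CRLs and Master List names are constructed test data
(pyca/cryptography); the class and function names are this example's own, not a KeyOne API."""
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW, DAY = dt.datetime(2024, 6, 1, tzinfo=dt.timezone.utc), dt.timedelta(days=1)   # constructed clock
def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, "UT"), x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(subject, issuer, issuer_key, subject_key, ca, days):
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(subject_key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - DAY).not_valid_after(NOW + days * DAY)
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def make_crl(issuer, issuer_key, revoked_serials, issued=NOW - DAY):
    b = x509.CertificateRevocationListBuilder().issuer_name(issuer).last_update(issued).next_update(issued + 90 * DAY)
    for serial in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(issued).build())
    return b.sign(issuer_key, hashes.SHA256())
def crl_date(crl, field):   # aware UTC, whether or not this cryptography release has the *_utc properties
    return getattr(crl, field + "_utc", None) or getattr(crl, field).replace(tzinfo=dt.timezone.utc)
def signed_by(obj, issuer_cert):
    """True if the certificate or CRL `obj` names issuer_cert as its issuer and its signature verifies under that key."""
    tbs = obj.tbs_certificate_bytes if isinstance(obj, x509.Certificate) else obj.tbs_certlist_bytes
    try:
        issuer_cert.public_key().verify(obj.signature, tbs, ec.ECDSA(obj.signature_hash_algorithm))
    except InvalidSignature:
        return False
    return obj.issuer == issuer_cert.subject

class NationalPKD:
    def __init__(self):
        self.csca = {}     # CSCA subject name -> approved CSCA certificates (self-signed and link)
        self.crl = {}      # CSCA name -> latest approved CRL
        self.pending = []  # (CSCA certificate, Master Lists that contain it) awaiting the Registration Approver
    def approved_issuer(self, obj):
        return next((c for c in self.csca.get(obj.issuer, []) if signed_by(obj, c)), None)
    def submit_csca(self, cert, link=None, master_lists=()):
        if not signed_by(cert, cert):
            return "rejected"
        if link is not None and self.approved_issuer(link) is not None and signed_by(cert, link):
            self.csca.setdefault(cert.subject, []).extend([link, cert])   # link issued by an approved CSCA: automatic
            return "approved"
        self.pending.append((cert, [ml for ml, certs in master_lists if cert in certs]))
        return "pending"   # an operator decides, seeing which Master Lists carry the certificate
    def operator_approve(self, cert):
        self.pending = [p for p in self.pending if p[0] != cert]
        self.csca.setdefault(cert.subject, []).append(cert)
    def submit_ds(self, cert):
        return "approved" if self.approved_issuer(cert) is not None else "rejected"
    def submit_crl(self, crl):
        if self.approved_issuer(crl) is None:
            return "rejected"
        if crl.issuer not in self.crl or crl_date(crl, "last_update") > crl_date(self.crl[crl.issuer], "last_update"):
            self.crl[crl.issuer] = crl   # only the latest CRL of each CSCA is published
        return "approved"

def passive_authentication(pkd, ds_cert, sod, sod_signature, now=NOW):
    """Inspection-side check: DS issued by an approved CSCA, not revoked by a fresh CRL, SOD signature valid."""
    if pkd.approved_issuer(ds_cert) is None:
        return "DS certificate not issued by an approved CSCA"
    crl = pkd.crl.get(ds_cert.issuer)
    if crl is None or crl_date(crl, "next_update") < now:
        return "no fresh CRL for the issuing CSCA"
    if crl.get_revoked_certificate_by_serial_number(ds_cert.serial_number) is not None:
        return "DS certificate revoked"
    try:
        ds_cert.public_key().verify(sod_signature, sod, ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        return "SOD signature invalid"
    return "ok"

def run_scenario():
    """Constructed walk-through for state S; returns the decision taken at each step."""
    out, pkd, S = {}, NationalPKD(), name("CSCA-S")
    k1, kd, kx, k2 = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
    csca1 = make_cert(S, S, k1, k1, True, 3650)
    out["first csca"] = pkd.submit_csca(csca1, master_lists=[("ML-X", [csca1])])   # no link certificate yet
    out["listed in"] = pkd.pending[0][1]
    pkd.operator_approve(csca1)
    ds = make_cert(name("DS-S-001"), S, k1, kd, False, 400)
    out["ds"] = pkd.submit_ds(ds)
    out["spoofed ds"] = pkd.submit_ds(make_cert(name("DS-S-002"), S, kx, kd, False, 400))   # right name, wrong key
    out["crl"] = pkd.submit_crl(make_crl(S, k1, []))
    sod = b"constructed Document Security Object"
    sig = kd.sign(sod, ec.ECDSA(hashes.SHA256()))
    out["pa ok"] = passive_authentication(pkd, ds, sod, sig)
    pkd.submit_crl(make_crl(S, k1, [ds.serial_number], issued=NOW))   # newer CRL revokes the DS
    out["pa revoked"] = passive_authentication(pkd, ds, sod, sig)
    link = make_cert(S, S, k1, k2, True, 3650)   # key rollover: the old CSCA key certifies the new key
    out["rollover"] = pkd.submit_csca(make_cert(S, S, k2, k2, True, 3650), link=link)
    return out
```

Two design points are worth noting. Trust is never derived from the issuer name alone: `approved_issuer` requires that the signature verify under an already approved CSCA key, which is why the "spoofed ds" submission (correct issuer name, signed by an unrelated key) is rejected. And the link-certificate rule checks that the new self-signed CSCA certificate verifies under the link certificate's key, so a link certificate can only vouch for the key it actually carries.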
Integration with Inspection Systems
Although the Inspection Systems can query the national PKD directory directly to obtain certificates and CRLs, KeyOne National PKD also provides a Web service for distributing this material.
The Inspection Systems can use this service to obtain the cryptographic material without needing an LDAP client or an Active Directory connection.
Via the REST/JSON and SOAP/XML interfaces of this service, the Inspection Systems can obtain the data required to validate both national and foreign e-passports.