Electronic Passports: Underlying Trust Infrastructures
21 December, 2009
category: Contactless, Government, NFC
By Sharon Boeyen, Principal, Advanced Security at Entrust
Although the rate of deployment of electronic passports is rapidly increasing, the trust infrastructure underpinning ePassport security features is relatively immature.
Basic access control requires a public key infrastructure (PKI) for X.509 certificates and certificate revocation lists, while extended access control requires an infrastructure for ISO 7816 card-verifiable certificates. International Civil Aviation Organization and European Union standards provide mechanisms for the international exchange of public-key certificates and revocation lists, but standards addressing the needs of an accepting country’s internal infrastructure do not yet exist.
Built on trust
A national trust infrastructure must ensure that inspection systems validating ePassports are configured with all the data they need to perform both basic access control and extended access control. These data include certificate signing certificate authority root certificates and document signer certificates. They also include revocation lists from the country’s own X.509 basic access control infrastructure as well as the lists from other issuing countries. But that’s not all: certificate verifying certificate authority certificates, document verifier certificates and inspection system certificates from a country’s own and other issuing countries’ ISO 7816 extended access control infrastructures also need to be included.
Internationally, certificate signing authority certificates are exchanged out-of-band, while document signer certificates and certificate revocation lists are exchanged through a centralized public key directory. In contrast, certificate verifying authority and document verifier certificates are exchanged between single points of contact using an associated certificate management protocol. Communication between points of contact, certificate verifying authorities and document verifiers has not yet been standardized. Inspection system certificates are not exchanged internationally at all.
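To make the X.509 side of that configuration concrete, the following added example (not code from the article, Entrust or ICAO) models the decision an inspection system takes for one document signer certificate: it must chain to the configured root of its issuing state, be within its validity period, and be absent from that root’s current revocation list. It uses the pyca `cryptography` package; the two issuing states “UT” and “XX”, the serial numbers and the clock are all constructed for the example, and the card-verifiable certificate chain of extended access control is not modelled.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW, DAY = dt.datetime(2009, 12, 21), dt.timedelta(days=1)   # constructed clock (UTC)

def issue(country, cn, signer=None, serial=1, days=90):
    """(key, cert): a self-signed root when signer is None, else a DS under signer."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, country),
                         x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    signer_key, issuer = (key, subject) if signer is None else (signer[0], signer[1].subject)
    cert = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(key.public_key()).serial_number(serial).not_valid_before(NOW - DAY)
            .not_valid_after(NOW + days * DAY)
            .add_extension(x509.BasicConstraints(ca=signer is None, path_length=None), critical=True)
            .sign(signer_key, hashes.SHA256()))
    return key, cert
def make_crl(csca, revoked):   # CRL issued by the (key, cert) root, listing revoked DS serials
    b = (x509.CertificateRevocationListBuilder().issuer_name(csca[1].subject)
         .last_update(NOW - DAY).next_update(NOW + 90 * DAY))
    for s in revoked:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(s).revocation_date(NOW - DAY).build())
    return b.sign(csca[0], hashes.SHA256())
def ds_trusted(ds, anchors, crls, now=NOW):
    """Inspection-system decision: chains to a configured root, valid now, not revoked."""
    csca = anchors.get(ds.issuer)
    if csca is None: return False                # issuing state's root not configured
    try:
        csca.public_key().verify(ds.signature, ds.tbs_certificate_bytes,
                                 ec.ECDSA(ds.signature_hash_algorithm))
    except Exception: return False               # issuer name claimed, signature wrong
    if (crl := crls.get(ds.issuer)) is None or not crl.is_signature_valid(csca.public_key()) or crl.next_update < now:
        return False                             # fail closed without an authentic, fresh CRL
    return (ds.not_valid_before <= now <= ds.not_valid_after
            and crl.get_revoked_certificate_by_serial_number(ds.serial_number) is None)
def scenarios():
    """Two constructed issuing states; the outcome for each DS seen at inspection."""
    anchors, crls, out = {}, {}, {}
    for c in ("UT", "XX"):
        csca = issue(c, "CSCA", days=3650)
        anchors[csca[1].subject], crls[csca[1].subject] = csca[1], make_crl(csca, [11])
        for serial in (10, 11):                  # serial 11 is revoked by its own root
            out[(c, serial)] = ds_trusted(issue(c, "DS", csca, serial)[1], anchors, crls)
    impostor = issue("UT", "CSCA")               # same name as UT's root, different key
    out[("UT", "impostor")] = ds_trusted(issue("UT", "DS", impostor, 12)[1], anchors, crls)
    return out
```

The impostor case shows why selecting a root by issuer name alone is not enough: the name matches a configured anchor, but the signature check against that anchor’s key fails.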
National Trust Infrastructure
A national trust infrastructure needs to satisfy a number of organizational, security and interoperability requirements. Although there has not yet been enough deployment experience to identify common practices and requirements, these issues need to be addressed in the near future.
In a typical deployment, each country relies on separate organizations that are responsible for passport issuance and border control. The passport issuance organization typically publishes national data to the public key directory and exchanges signed certificates with other issuing countries. However, it is the inspection systems in the border control organization that need to retrieve the signed certificates, document signing certificates and revocation lists from the public key directory.
Security requirements include the authorization and management of domestic and foreign document verifiers and of domestic inspection systems. It is also necessary to secure the distribution of the signed certificates to the inspection systems and to control the access of domestic document verifiers to foreign certificate verifying authorities through the single points of contact. While some of these requirements have natural “owners” (for example, document verifiers authorizing and managing inspection systems), others do not:
In a basic access control-only environment, which entity is responsible for populating inspection systems with secure copies of certificates?
How do single points of contact know that the current set of domestic document verifiers is authorized by the domestic certificate verifying authority?
It may be appropriate to centralize some aspects of trust management for a national trust infrastructure in a trust manager function that could be co-located with an entity, such as a document verifier, or operate as a standalone function in a basic access control-only environment.
From an interoperability perspective, standards do not yet exist for the communication interfaces within a country between inspection systems and document verifiers, between document verifiers and single points of contact, between document verifiers and certificate verifying certificate authorities, and between those authorities and single points of contact.
The specific requirements of each interface (technical, security, efficiency and reliability) need to be carefully assessed in conjunction with a given country’s organizational structure and the relationships between its passport issuance and validation organizations.
As national trust infrastructures begin to emerge, common requirements will likely lead to the development of standard APIs and/or protocols for in-country communication among these entities.
With increasing adoption of extended access control, the need for an integrated and automated national trust infrastructure supporting both extended and basic access control systems will become critical. The infrastructure must be capable of addressing the organizational, security and interoperability issues while enabling effective and efficient product interoperability and ePassport validation. Standards will eventually emerge in this area. When they do, they must be sufficiently flexible to accommodate a broad range of differing national requirements.
About the AVISIAN Publishing Expert Panel
At the close of each year, AVISIAN Publishing’s editorial team selects a group of key leaders from various sectors of the ID technology market to serve as Expert Panelists. Each individual is asked to share their unique insight into what lies ahead. During the month of December, these panelists’ predictions are published daily at the appropriate title within the AVISIAN suite of ID technology publications: SecureIDNews.com, ContactlessNews.com, CR80News.com, RFIDNews.org, FIPS201.com, NFCNews.com, ThirdFactor.com, and DigitalIDNews.com.