Single Point Of Contact(1) (SPOC) is the entity managing the data exchange among the EAC PKIs of the participating countries. The SPOC's responsibilities are forwarding requests from the national EAC PKI to the foreign SPOCs, receiving requests from foreign SPOCs and forwarding them to the national EAC PKI, and then sending the corresponding responses back to the foreign SPOC.
The objective of Extended Access Control (EAC) is to protect the authenticity, originality and confidentiality of the biometric data stored on ePassport (Machine Readable Travel Document) chips. This is achieved by giving the ePassport chip the capability to authenticate the (national and foreign) inspection systems (IS) that want to access the data on the chip. Each inspection system is provided with card-verifiable (CV) digital certificates for this purpose.
Each country manages one Country Verifying Certification Authority (CVCA) that issues CV digital certificates to national and foreign Document Verifiers (DV). The CVCA typically delegates registration responsibilities to an associated Registration Authority (the CVRA).
In turn, each national DV acts as a subordinate Certification Authority that issues CV digital certificates to national inspection systems (IS). IS are the end-entities of the PKI, and hold certified keys for authenticating with ePassport chips.
A DV must be certified by both (a) the national CVCA and (b) the foreign CVCAs of all countries whose ePassports it wishes to inspect via the inspection systems in its domain. When issuing a CV digital certificate to a DV, the CVCA of country "X" may grant the DV access rights to sensitive information stored in the ePassports of citizens of country "X" (these access rights are encoded in the CV digital certificate).
The DV, in turn, must issue digital certificates to all its IS for each country (possibly further restricting the access rights). Thus, a national IS obtains from its DV one digital certificate per CVCA certificate hierarchy. Every DV and IS therefore holds multiple certified key pairs, one per State.
To read the ePassport of a citizen of country "X", an IS must authenticate against the chip by presenting its CV digital certificate issued under the country "X" CVCA hierarchy, together with the corresponding digital certificate chain. The chip validates the IS certificate and grants the IS access rights to sensitive data according to the information in the certificate. The chip is able to validate the certificate chain because it knows the public key of the country "X" CVCA (this public key was inserted in the chip during the ePassport personalization phase).
Because there is no digital certificate revocation mechanism, validity periods of DV and IS digital certificates are kept very short (see CCP(3) for the allowed minimum and maximum validity periods for each PKI participant). An automatic re-keying capability is therefore very desirable in DVs and inspection systems.
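As an added illustration of the chain validation the chip performs (constructed example code, not KeyOne's or any standard's implementation): the chip holds only its CVCA public key, checks the DV and IS certificates' authority linkage, signatures and validity windows, and ends up with access rights no broader than any link granted. Ed25519 stands in for the CV certificate signature algorithm, the certificate is a flat struct rather than real CV encoding, and the country code "UT" and all holder names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

// CVCert is a toy CV certificate holding only the fields a chip needs to validate a chain.
type CVCert struct {
	Holder, Authority   string // CHR / CAR (holder and issuing authority references)
	NotBefore, NotAfter time.Time
	Rights              uint8 // access-right bits granted by the issuer
	Pub                 ed25519.PublicKey
	Sig                 []byte
}

const RightDG3, RightDG4 uint8 = 1 << 0, 1 << 1 // DG3 fingerprints, DG4 iris (constructed bit layout)

// tbs serialises the signed fields, so altering Rights after issuance breaks the signature.
func (c *CVCert) tbs() []byte {
	return []byte(fmt.Sprintf("%s|%s|%d|%d|%d|%x", c.Holder, c.Authority, c.NotBefore.Unix(), c.NotAfter.Unix(), c.Rights, c.Pub))
}

// issue signs a certificate for holder chr under authority car with the issuer's private key.
func issue(issuer ed25519.PrivateKey, car, chr string, from, to time.Time, rights uint8, pub ed25519.PublicKey) *CVCert {
	c := &CVCert{Holder: chr, Authority: car, NotBefore: from, NotAfter: to, Rights: rights, Pub: pub}
	c.Sig = ed25519.Sign(issuer, c.tbs())
	return c
}

// ValidateChain plays the chip: it trusts only the CVCA key personalised into it, walks DV -> IS checking
// linkage, signature and validity, and ANDs the rights of every link (a DV cannot pass on more than it got).
// 'now' stands in for the chip's current date; real chips have no clock, one reason validity periods are short.
func ValidateChain(trustedCAR string, trusted ed25519.PublicKey, now time.Time, chain ...*CVCert) (uint8, error) {
	issuerName, issuerKey, rights := trustedCAR, trusted, uint8(0xFF)
	for _, c := range chain {
		switch {
		case c.Authority != issuerName:
			return 0, fmt.Errorf("%s: issued by %s, expected %s", c.Holder, c.Authority, issuerName)
		case !ed25519.Verify(issuerKey, c.tbs(), c.Sig):
			return 0, fmt.Errorf("%s: signature does not verify", c.Holder)
		case now.Before(c.NotBefore) || now.After(c.NotAfter):
			return 0, fmt.Errorf("%s: outside validity period", c.Holder)
		}
		rights, issuerName, issuerKey = rights&c.Rights, c.Holder, c.Pub
	}
	return rights, nil
}

// BuildSample constructs a CVCA -> DV -> IS chain for fictional country "UT" issued around 'issued'
// (DV certificate 90 days, IS certificate 2 days) and validates it at 'now'.
func BuildSample(issued, now time.Time, isRights uint8) (uint8, error) {
	gen := func() ed25519.PrivateKey { _, k, _ := ed25519.GenerateKey(rand.Reader); return k }
	cvca, dv, is := gen(), gen(), gen()
	dvCert := issue(cvca, "UTCVCA00001", "UTDV0000001", issued.AddDate(0, 0, -30), issued.AddDate(0, 0, 60), RightDG3, dv.Public().(ed25519.PublicKey))
	isCert := issue(dv, "UTDV0000001", "UTIS0000001", issued.AddDate(0, 0, -1), issued.AddDate(0, 0, 1), isRights, is.Public().(ed25519.PublicKey))
	return ValidateChain("UTCVCA00001", cvca.Public().(ed25519.PublicKey), now, dvCert, isCert)
}
```

Because the CVCA granted the DV only DG3, an IS certificate requesting DG3 and DG4 still yields DG3 alone; an IS certificate presented two days after issuance is rejected as expired.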
Every country communicates with the other countries through a Single Point of Contact (2) (SPOC). The SPOC acts as a web service interface for automated operations (DV certification) and for notifications (CVCA service suspension, DV key compromise, etc.). The communication is transport-secured via SSL/TLS.
KeyOne CVRA implements the Registration Authority associated with the national CVCA and also acts as the country's Single Point of Contact (SPOC). The functions of KeyOne CVRA are:
- Enrolling DVs allowed to apply for certificates to the (national) CVCA
- Registering and approving DV certificate requests
- Automatic certification of national DVs
- Implementing the national SPOC web service interface
- Packing DV certificate requests to be processed by the national CVCA
- Revoking registered DVs and issued DV certificates
For more information see “KeyOne e-Passport EAC PKI Whitepaper”.
(1) “Country Verifying Certification Authority Key Management Protocol for SPOC”, version 1.0.
(2) The SPOC concept and the related interfaces are under discussion by the Brussels Interoperability Group (BIG).
(3) "Common Certificate Policy For The Extended Access Control Infrastructure For Passports And Travel Documents Issued By EU Member States", version 1.0 (March 2008), European Commission