MRTD - Basic Access Control (BAC)

As defined by ICAO, Basic Access Control (BAC) allows a reader to read the basic data contained in the RFID chip of an ePassport (name, passport number, photograph, etc) to guard against fraud by physically altering the passport. To verify the validity of the data on the chip it also contains a digital signature issued by a Document Signer (for example PrimeKey SignServer), whose certificate is issued by a Country Signing Certificate Authority (CSCA) hosted by the issuing country. The CSCA and Document Signer certificates are basic X509 certificates, and the public key lists required to verify can either be physically exchanged or downloaded from a central master list, while a National Public Key Directory (NPKD) allows for the easy exchange of keys and CRLs. As part of the complete solution, PrimeKey also offers an NPKD implementation, designed to manage certificates for ePassports in compliance with International Civil Aviation Organization ( ICAO ) standards.

Extended Access Control (EAC)

An extension of BAC, Extended Access Control also allows the passport to store biometric data such as fingerprints and iris/retinal scans. In order for partnering countries to authorize and control access to this data, each country needs to establish a CVC CA, that in contrary to the CSCA is based on the Card Verifiable Certificate (CVC) standard. To enable access, each country then needs to create a Document Verifier CA (DVCA), which is a Sub CA signed by the partnering country's CVCA. The DVCA can then issue certificates to Inspection Systems (IS) which are in turn authorized to read the protected fields in the ePassport's RFID chip. To facilitate the creation of Inspection Systems between countries, a Single Point of Contact (SPOC) is used.

Set up CSCA

A CSCA is a fairly standard X509 Root CA.

→ How to create a CSCA

Set up Certificate Profiles

Certificate Profiles for passport signers are issued by the CSCA.

→ How to set up a Certificate Profile for a Passport Signer

Create CVC CA

A CVC CA is created to act as a BAC/EAC CA.

→ How to create a CVC CA

Create Document Verifier CA

The DVCA is a Sub CA to the CVC CA and can either be created in your own PKI or imported from the associated country's PKI.

→ How to create a DV CA and enroll an Inspection System (IS)

Solution Areas

• Page:Deploying PKI and Signature Services in DevOps Environments

• Page:IoT and Device Identities

• Page:Using EJBCA as a Large-scale Enterprise PKI

• Page:Hybrid PKI Deployment for Modern Manufacturers

• Page:PKI and Signature Services for Microservices and DevOps Environments

• Page:PKI for 3GPP

• Page:Post-Quantum Readiness

• Page:Issuing TLS Certificates

• Page:Securing Your Microsoft Environment with EJBCA