For an inspection system in a receiving State to conduct ePassport validation, the inspection system must have access to certain information from the State that issued the travel document:
- Country Signing Certification Authority (CSCA) certificates;
- Document Signer Certificates (DSCs); and
- Certificate Revocation Lists (CRLs).
Most States will use a combination of bilateral exchange and information downloaded from the ICAO PKD to access the information that they need.
Option 1: Download from the ICAO PKD
The ICAO PKD contains the DSCs and CRLs of PKD Participants who are actively uploading. While CSCA certificates are not individually stored on the ICAO PKD, many CSCA certificates are available on Master Lists published on the ICAO PKD by PKD Participants.
Information from the ICAO PKD can be obtained for free, or via membership.
- Free: All information stored on the ICAO PKD is freely available online to any person or State who wishes to download it. However, the process of downloading is manual and cannot be automated.
- Membership: States that join the ICAO PKD have more advanced download options than those that access the information freely on the internet, including the ability to set up automated downloads.
The membership fees for participating in the ICAO PKD have dropped considerably over time. As more States join the ICAO PKD, the fees decrease. Contact us for more information on how to join and current fees.
As demonstrated in the simple graphic below, downloading certificates from the ICAO PKD is more efficient than bilateral exchange.
Option 2: Bilateral Exchange
States can also exchange information on a bilateral basis. The specific mechanism used for that bilateral exchange may vary depending on the policies of each issuing State or organization that has a need to distribute its certificates, CRLs and Master Lists, as well as the policies of each receiving State that needs to access those objects. Some examples of mechanisms that may be used in bilateral exchange include:
- diplomatic courier/pouch;
- email exchange;
- download from a website associated with the issuing CSCA; and
- download from an LDAP server associated with the issuing CSCA.
This is not an exhaustive list and other mechanisms or technologies may also be used. Receiving States can review the Certificate Policy of an Issuing State to assess whether or not to trust its certificates.
As explained on earlier pages, the CSCA Certificate forms the basis of the trust chain for an ePassport. You must check DS Certificates against the CSCA Certificate before you can trust them. Therefore, it is very important to validate CSCA Certificates that your State collects for ePassport validation.
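One way to run the check described above with the OpenSSL command line, as an added example that is not ICAO's code: it builds a constructed demo CSCA, two DSCs and a CRL, then accepts a DSC only if it chains to the pinned CSCA and is not on that CSCA's CRL. The function names, file names and the fingerprint comparison (standing in for whatever out-of-band CSCA validation your State uses) are assumptions.

```shell
#!/bin/sh
# Added example. All keys, certificates and the CRL below are constructed test data.

make_demo_pki() {   # $1: empty work directory
  ( cd "$1" || exit 1
    : > index.txt   # empty CA database used by "openssl ca"
    printf '[ca]\ndefault_ca=csca\n[csca]\ndatabase=index.txt\ndefault_md=sha256\ndefault_crl_days=7\n' > ca.cnf
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/C=UT/CN=Demo CSCA' \
      -keyout csca.key -out csca.pem || exit 1
    for n in good revoked; do
      openssl req -newkey rsa:2048 -nodes -subj "/C=UT/CN=Demo DSC $n" \
        -keyout "dsc_$n.key" -out "dsc_$n.csr" || exit 1
      openssl x509 -req -in "dsc_$n.csr" -CA csca.pem -CAkey csca.key -CAcreateserial \
        -days 10 -out "dsc_$n.pem" || exit 1
    done
    # The demo CSCA revokes one DSC and publishes a CRL that lists it.
    openssl ca -config ca.cnf -cert csca.pem -keyfile csca.key -revoke dsc_revoked.pem || exit 1
    openssl ca -config ca.cnf -cert csca.pem -keyfile csca.key -gencrl -out csca.crl
  ) >/dev/null 2>&1
}

csca_fingerprint() {   # SHA-256 fingerprint, to compare with a value received out of band
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# validate_dsc CSCA_PEM EXPECTED_FINGERPRINT CRL_PEM DSC_PEM
# returns 0 = DSC trusted, 2 = CSCA is not the pinned one, 3 = DSC revoked, 1 = other failure
validate_dsc() {
  [ "$(csca_fingerprint "$1")" = "$2" ] || return 2
  # -trusted makes this CSCA the only trust anchor; the system CA store is not consulted.
  # -crl_check rejects the DSC if the CRL lists it, or if the CRL is invalid or expired.
  _out=$(openssl verify -trusted "$1" -CRLfile "$3" -crl_check "$4" 2>&1) && return 0
  case $_out in
    *"certificate revoked"*) return 3 ;;
    *) return 1 ;;
  esac
}

# Demo run on the constructed PKI.
work=$(mktemp -d) && make_demo_pki "$work" && pin=$(csca_fingerprint "$work/csca.pem")
for n in good revoked; do
  rc=0
  validate_dsc "$work/csca.pem" "$pin" "$work/csca.crl" "$work/dsc_$n.pem" || rc=$?
  echo "dsc_$n.pem -> validate_dsc exit code $rc"
done
```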