To avoid unnecessarily high throughput to secondary inspection, the inspection system must be designed to support the specific needs of the Receiving State. This will require the consideration of many factors to develop appropriate system requirements and operational procedures.
At this time, many States have begun issuing ePassports but still have many valid non-electronic passports in circulation. The system should therefore be programmed on a State-by-State basis: when the inspection system reads the MRZ, it can determine the Issuing State from it.
For States that have not begun issuing ePassports, the system can be programmed to not attempt any chip-related authentications and to display the result Not an ePassport.
For States that only have ePassports in circulation, the system can be programmed to attempt all relevant chip authentications (which ones are relevant varies; for example, not all States protect their chips using Active Authentication) and display a result indicating either Authentication Successful or Authentication Failed.
For States that have both non-electronic and electronic passports in circulation, the system must attempt to read the chip, because nothing in the MRZ or VIZ indicates whether the document contains a chip. The system can be programmed to display a slightly different result on failure than the two listed in the examples above. For example, Authentication Failed – Check if ePassport.
As described in the section on accessing certificates, not all States that issue ePassports are PKD Participants, and it can take time to undertake bilateral exchange of CSCA Certificates. Therefore, the system must be programmed in a manner that takes into account which certificates are available to your State. For example, if State X issues ePassports but your State does not have their CSCA Certificate (or access to their CRLs), the inspection system could be programmed to not even attempt Passive Authentication. Instead, the inspection system could open the chip and read the information, conduct Active Authentication, then instruct the border control officer to do a three-way check (VIZ, MRZ and chip data) and proceed with normal document inspection procedures. In this case, the system would not tell the border officer that Passive Authentication has failed, but that domestic policy has indicated that it cannot be done.
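The State-by-State rules above can be expressed as a small policy table keyed by the Issuing State code read from the MRZ. The following Python sketch is an added example, not part of the original guidance or of any real inspection system: the State codes, field names, check names and the wording of the "domestic policy" message are assumptions, and chip reading itself is stubbed as a dictionary of outcomes.

```python
from dataclasses import dataclass
from enum import Enum
class Fleet(Enum):
    NONE = 1    # State has not begun issuing ePassports
    ALL = 2     # only ePassports in circulation
    MIXED = 3   # electronic and non-electronic passports both valid

@dataclass(frozen=True)
class Policy:
    fleet: Fleet
    csca_held: bool = False   # we hold this State's CSCA Certificate and CRLs
    uses_aa: bool = False     # this State protects chips with Active Authentication

# Constructed policy table; the three-letter codes are placeholders, not real States.
POLICIES = {
    "QQA": Policy(Fleet.NONE),
    "QQB": Policy(Fleet.ALL, csca_held=True, uses_aa=True),
    "QQC": Policy(Fleet.MIXED, csca_held=True),
    "QQD": Policy(Fleet.ALL, csca_held=False, uses_aa=True),
}
SAMPLE_MRZ = "P<QQD" + "SAMPLE<<TRAVELLER".ljust(39, "<")  # constructed MRZ line 1

def issuing_state(mrz_line1):
    # Passport (TD3) MRZ line 1: characters 3-5 carry the Issuing State code.
    return mrz_line1[2:5].replace("<", "")

def checks_for(policy):
    if policy.fleet is Fleet.NONE:
        return []                       # no chip-related authentication attempted
    optional = [("passive_authentication", policy.csca_held),
                ("active_authentication", policy.uses_aa)]
    return ["read_chip"] + [name for name, on in optional if on]

def inspect(mrz_line1, outcomes):
    # outcomes: check name -> bool as reported by the reader (stubbed input here).
    state = issuing_state(mrz_line1)
    # Assumption: a State missing from the table is treated as mixed, no CSCA held.
    policy = POLICIES.get(state, Policy(Fleet.MIXED))
    attempted = checks_for(policy)
    failed = [c for c in attempted if not outcomes.get(c, False)]
    if policy.fleet is Fleet.NONE:
        display = "Not an ePassport"
    elif failed:
        display = ("Authentication Failed" if policy.fleet is Fleet.ALL
                   else "Authentication Failed – Check if ePassport")
    elif not policy.csca_held:  # hypothetical wording: PA skipped by policy, not failed
        display = "Passive Authentication not done (domestic policy): three-way check"
    else:
        display = "Authentication Successful"
    return {"state": state, "attempted": attempted, "failed": failed, "display": display}
```

The officer sees only `display`; the `attempted` and `failed` lists are the per-check detail that would go to a back-end record.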
The revocation of certificates (either CSCA certificates or DS certificates) due to fraud does not happen very often. However, if a DS certificate is revoked, it can impact up to 150,000 ePassports (depending on the Certificate Policy of the Issuing State). It is likely that only a small fraction of the ePassports issued under the revoked certificate would be fraudulent. Once such a revocation is detected, Receiving States may wish to modify their policies specific to that Issuing State. For example, options could include keeping the status quo and referring all failed authentications to secondary; treating all ePassports from that State as non-electronic; or not allowing travellers from that State to use automated border control systems (because a disproportionately high number would end up being referred and create congestion). As an alternative to system changes, operational procedures could be modified for a specified time. For example, border officers at primary inspection could be given greater authority to overlook the results of failed authentication attempts for ePassports from that State issued within the timeframe that the revoked DS certificate was in use.
Whether your State chooses to implement a simple system with only three result options, similar to the example described on the previous page, or a more complex system with more options, the inspection system should have a detailed logging process in the back-end of the system. This should provide additional detail regarding each of the authentication processes undertaken by the system and the results. This will help those responsible for developing and maintaining the system requirements and policies to identify recurrent issues. The information can be used in cases where tampering or fraud is suspected and a more in-depth investigation of a traveller is being undertaken. This information can also be used to make constant improvements to the inspection system to make it more efficient and effective. For example, if the audit logs demonstrate that there are consistent technical issues for the ePassports of a particular Issuing State, the system could be updated to treat these documents in the same way as those from a State whose CSCA is not available.