As CSCA certificates are the anchor in the trust chain for the ePassport validation process, it is very important to ensure that they are valid. Doc 9303 indicates that trust in a CSCA certificate must be established by an “out-of-band” mechanism; however, it does not prescribe what form this should take. Doc 9303 also indicates that the relying party (i.e. the State conducting the ePassport validation using the CSCA certificate) might analyse the policies, procedures and practices of the issuing State to determine whether they are secure enough to satisfy their requirements. These policies, procedures and practices are usually outlined in the issuing State’s Certificate Policy.
There are multiple options and combinations that can be used to validate a CSCA certificate depending on the sources used to obtain it. Many States use a combination of factors to give a CSCA certificate a trust rating.
Here is an example of a system where the travel document issuing authority is responsible for ranking trust in CSCA certificates before supplying them to their border authority. This system uses three categories: Green, Amber, and Red.
A green-rated CSCA Certificate meets the following requirements:
- It has been successfully cryptographically back-checked with a link certificate against the previous CSCA; or
- It has been acquired by hand from known persons at a trusted diplomatic source such as an embassy; or
- It has been cross checked by two or more of the following:
- it has been acquired by hand from known persons at a trusted source (such as a representative at a PKD meeting);
- it can be cross-checked via a separate route
appears in other PKD published Masterlists;
authenticates DSCs published on the PKD/in multiple passports;
the thumbprint cross checks against another source such as an email via ICAO or what is published on an official website.
An amber rated CSCA Certificate meets the following requirement:
- It was received via a known route (e.g. standards meeting)
However, the CSCA Certificate has no accompanying link certificate or other source against which to cross check (e.g. no thumbprint received via a separate channel or no website against which to cross check). Therefore, there is some risk that the certificate could have been switched en route by a malicious party. In such cases, the CSCA Certificate is provided to the border authority with a warning and explanation that its performance should be monitored. If over time, the CSCA Certificate is found to successfully authenticate new travel documents from the issuing State or the thumbprint from unsuccessful authentications can be cross-checked, the CSCA Certificate may be upgraded to a green rating.
A red-rated CSCA Certificate cannot be authenticated or there is a significant reason to doubt its authenticity or reliability.
For example, the CSCA Certificate has been downloaded from a publicly accessible website or was received by email with no other information received via a separate route against which to cross-check. Additional examples of situations that would merit a red rating would be that the CSCA Certificate was received via general mail; that it has been issued with a validity period that does not extend far enough to cover future travel document production.
For red-rated CSCA Certificates, the issuing authority will generally notify the border authority that the CSCA Certificate has been received; but, will not provide it unless specifically requested to do so (e.g. because the border authority has encountered genuine passports using a certificate with the corresponding thumbprint) or until the issuing authority can find a method to conduct a cross-check (e.g. confirmation of thumbprint from a separate and trustworthy source) and upgrade the certificate.
