FAQ

Question
Response
What is the Public Key Directory (PKD)?
The ICAO PKD is the central platform to manage the worldwide exchange of certificates and certificate revocation lists. Those certificates and certificate revocation lists are used to validate the electronic signature of data contained in the RFID chip of ePassports and other eMRTD. The PKD content is pre-validated and can be downloaded for free.
 
What is the added value of the PKD?
As more and more States introduce ePassports, the PKD guarantees that the exchange
process between States remains simple and fast. The PKD is critical to minimise the
volume of certificates and certificate revocation lists being exchanged, to ensure
timely up- and downloads and to manage adherence to technical standards to ensure
interoperability is achieved and maintained.
Who are the PKD Participants?
The PKD Participants are indicated on the PKD website.
http://www2.icao.int/en/MRTD/Pages/icaoPKD.aspx
(see "ICAO PKD – Current Operational Status")
Where can I find the Notice of Participation?
The Notice of Participation can be downloaded from the PKD website.
http://www2.icao.int/en/MRTD/Pages/icaoPKD.aspx
(see "Procedures for the ICAO Public Key Directory")
Why is it important that ICAO supports the PKD?
ICAO issues Document 9303 as the central reference for ePassports and other eMRTD
based on ISO standards. The existing expertise within and reputation of ICAO make
support for the PKD a natural and self-evident consequence that lacks any comparable
alternative.
Where can I find the Notice of Registration?
The Notice of Registration can be downloaded from the PKD website.
http://www2.icao.int/en/MRTD/Pages/icaoPKD.aspx
(see "Procedures for the ICAO Public Key Directory")
What fees do I have to pay for participation?
The PKD Fee Schedule can be downloaded from the PKD website.
http://www2.icao.int/en/MRTD/Pages/icaoPKD.aspx
(see "PKD Fee Schedule 2010")
What are User Fees?
The whole PKD contents may be downloaded for free using simple and fast web
access (https://pkddownloadsg.icao.int/ or https://pkddownloadth.icao.int/). However,
border control or similar applications operated by States or non-State entities that do
not participate in the PKD may require versatile PKD access. As the installation and
maintenance of this kind of access requires continued PKD Operator action, the
Memorandum of Understanding allows for the definition of User Fees to cover the
emerging costs. The PKD Fee Schedule contains the details.
What does active participation mean?
After the Notice of Participation has been lodged and the Registration Fee has been paid,
i.e. after participation has become effective, a PKD Participant prepares to connect its
national PKD with the central PKD. The PKD Operator supports that process. After
this preparatory phase the PKD Participant starts to up- and download the foreseen
contents to and from the PKD and thereby becomes 'active'.
What contents does the PKD offer for download?
The PKD offers Document Signer Certificates (DSC), Certificate Revocation Lists (CRL) and Master Lists (ML) for download.
How can I check ePassports with the PKD?
The ePassport must be checked using a complete chain of trust. This chain of trust
consists of an electronic signature check of the RFID chip data using the Document
Signer Certificate (DSC). It further comprises the validation of the DSC against the
CSCA Certificate of the issuing country. All used certificate material must be proven
not to appear in current Certificate Revocation Lists (CRL).
Is it possible to access fingerprints in ePassports with the PKD?
No. While signature checks of ePassports and access to fingerprints in ePassports use
Public Key Infrastructure (PKI) technology it is impossible to access fingerprints
using PKD contents.
What is the 15 months deadline?
After participation has become effective, a PKD Participant has 15 months to start
active participation. With active participation the Annual Fee is extended to cover the
costs for activity (see PKD Fee Schedule).
What are the advantages of offering the PKD via the Internet?
The exchange of certificates and certificate revocation lists must be reliable and
timely. This exchange can only be achieved by electronic means. All usual
and appropriate measures are taken to protect the PKD from attacks over the Internet.
Is there a risk of downloading viruses or other malicious software from the PKD?
No. The PKD content is a text file. It does not contain any scripts or executable code.
Where can I find further information?
The PKD website is http://www2.icao.int/en/MRTD/Pages/icaoPKD.aspx and
contains information for a first reading as well as numerous downloadable documents
for detailed study. The ICAO Secretariat (ICAO-PKD@ICAO.INT) or the PKD Board
Chairperson can be contacted. In addition, there is a link to lodge complaints or
feedback.
The PKD is used to check digital signatures in ePassport chips. How can that help to detect look-alike fraud?
Modern biometric systems are capable of comparing a facial image stored in an ePassport and a live-capture image of a person's face within a few seconds. Even small deviations typical for look-alike fraud are reliably detected and the person can be directed to secondary inspection.
The PKD-based ePassport chip signature check determines the integrity of the chip data, including biometrics. Validating the chip is essential if you are relying on the facial image stored on the chip, particularly in border control scenarios experiencing high volumes of passengers.
Does the PKD offer a facility for exchanging certificates for fingerprint access?
The PKD Memorandum of Understanding (MoU) does not cover the exchange of Document Verifier Certificates and related information for secondary biometrics in ePassports.
What is the added value of the PKD for ePassport issuing States without automated border control?
Active participation in the PKD means that other States can verify travel documents from participating States using the PKD. This means that citizens of that State may enjoy facilitated border crossings while travelling, which is a tangible benefit to citizens.
Why does the PKD contain content that does not conform to the standards?
There are valid ePassports in circulation that were issued before the numerous measures of the PKD Board to improve data quality took effect. As those ePassports cannot easily be exchanged, it must be clearly indicated which data used during ePassport production need special attention during chip signature validation.
What is meant by ‘strictly secure diplomatic means (out-of-band distribution)’?
This distribution may be made via personal diplomatic exchange, diplomatic pouch or any other similar procedure or means. It can also be by e-mail, website, etc., provided that the recipient is obliged to verify the integrity of the received certificate by out-of-band communication, e.g. using a printed cryptographic hash that has been sent by diplomatic mail.
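One way to perform the hash comparison described above, as an added example that is not part of the original FAQ: the certificate received by e-mail or download is reduced to its DER bytes, hashed, and compared with the fingerprint typed in from the printed sheet. SHA-256 is an assumed choice of hash, and the function names and `SAMPLE_DER` are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in for certificate bytes (a tiny DER SEQUENCE), not a real CSCA.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x2A])

def cert_der(blob: bytes) -> bytes:
    """Return the DER bytes of a certificate supplied as PEM or raw DER."""
    m = PEM_RE.search(blob)
    if m:
        # Hash the decoded bytes, so mail gateways that change line endings
        # or re-wrap the base64 do not alter the fingerprint.
        return base64.b64decode(b"".join(m.group(1).split()), validate=True)
    if blob[:1] != b"\x30":  # DER certificates start with a SEQUENCE tag
        raise ValueError("not a PEM or DER certificate")
    return blob

def fingerprint(blob: bytes) -> str:
    return hashlib.sha256(cert_der(blob)).hexdigest()

def normalise(printed: str) -> str:
    """Strip separators people add when printing or retyping a hash."""
    hexed = re.sub(r"[\s:.-]", "", printed).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", hexed):
        # A shortened fingerprint is refused rather than prefix-matched.
        raise ValueError("printed value is not a full SHA-256 fingerprint")
    return hexed

def matches_printed(blob: bytes, printed: str) -> bool:
    """True only if the received certificate hashes to the printed value."""
    return hmac.compare_digest(fingerprint(blob), normalise(printed))
```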
Can CSCA Certificates be published on a state’s website, or would this be a breach of ICAO standards?
Certificates are public information and as such can be published on a website. This is not a breach of ICAO standards.
Where can I get technical information for uploading contents to the PKD?
All technical questions will be answered by reading the documentation that will be sent to you by the ICAO PKD Office and the PKD Operator once you become a PKD Participant. You may also like to check the PKD documentation available for download on the PKD website. Please see in particular the PKD Regulations and PKD Procedures. Also, please download the Supplement of Doc 9303, available on the MRTD website. It contains the most up-to-date information on the MRTD specifications.
How can the CSCA Certificates, Document Signer Certificates (DSC) and Certificate Revocation Lists (CRL) of China; Hong Kong, China; and Macao, China be differentiated?
There are three passport issuing locations in China: i) one for mainland China, ii) one for Hong Kong, China, and iii) one for Macao, China. They share the same ISO 3166 Country Code (i.e. C = CN) in CSCA Certificates, DSC and CRL. Hence, these certificates and CRL are all stored under the same branch with Country Code “CN” in the PKD. Border control authorities can differentiate the certificates and CRL of the three issuing locations by using both the Country Code (C) and the Organization (O). The comparison of certificate attributes of China; Hong Kong, China; and Macao, China is as follows.
 
 
 
 
 
 
Why pay for PKD participation when I can use Master Lists free of charge?
The Master Lists in the PKD cover a significant portion of the world's ePassport issuing community in terms of CSCA Certificates. Those CSCA Certificates allow verification of the certificate chain of the respective ePassport issuer. However, a Master Lists user who does not participate in the PKD must be aware of the following:
- The distribution of a State’s own Document Signer Certificates (DSC) and Certificate Revocation Lists (CRL) remains an open issue for Master Lists users.
- Should the sole anchor of trust be a Master List downloaded from the PKD, a Master List user must nevertheless establish trust with the Master List issuer, who will always be a PKD Participant.
- There is no obligation for PKD Participants to issue Master Lists or to include certain CSCA Certificates in Master Lists. There is also no obligation for PKD Participants to update Master Lists within a certain period of time after new CSCA Certificates are issued. Hence, relying solely on Master Lists means accepting that CSCA Certificates may be unavailable for a shorter or longer period.
- It is true that non-PKD Participants do not pay any PKD fees. However, non-PKD Participant downloads are usually done manually rather than automatically (cf. PKD Fee Schedule). This requires continued human intervention and after-download processing which means that the financial difference between participation and non-participation in the PKD is smaller than one may expect.
- It is a Recommended Practice in Annex 9 to the Chicago Convention that ICAO Contracting States issuing or intending to issue ePassports and/or implementing automated checks on ePassports at border controls should participate in the PKD. Furthermore, the PKD enjoys political support from the OSCE, the EU and the G8.