What to do if certificates for passive authentication fail
By Ihar Kliashchou, Chief Technology Officer at Regula
Electronic documents are praised for their top-notch security, mainly due to RFID chip data verification using passive authentication certificates. But even this foolproof method can stumble when certificates expire or become outdated. In this article, we’ll explore ways to overcome these hurdles and ensure your verification process stays secure.
To fully trust an electronic document, you need to verify the data encoded in its chip. The process—called passive authentication—involves verifying the data’s digital signature and the entire certificate chain down to the root. It’s impossible to perform it without having all the necessary certificates in place for every country whose citizens you do business with.
Finding and obtaining those certificates, however, is half the battle. Certificates can also expire, which can cause problems.
Let’s say your secure process is set up so that the operation will not be performed until the document is electronically validated. This validation involves using a master list, which consists of Country Signing Certificate Authority (CSCA) certificates. The master list is also signed with a certificate from a trusted organization. However, if your master list happens to be signed with an expired certificate, passive authentication will start failing.
The problem is that this scenario isn’t the first thing that comes to mind when documents suddenly stop being verified—at least, not to a regular customer-facing employee who actually works with IDs. This is non-trivial knowledge available only to specialists.
Unfortunately, such errors have happened before and can potentially happen again.
A rule of thumb: Have more than one source of certificates
This is a matter of risk management. If you have just one source and it becomes unavailable, your entire authentication process can be compromised. A wise solution would be to use a combination of sources to ensure higher service availability.
At the government-to-government level, countries share certificates for passive authentication with each other through diplomatic channels, thus collecting their own database of trusted certificates. For businesses, there are three main places to find certificates for passive authentication:
- The ICAO PKD. This is a central repository for the global exchange of information required to authenticate electronic documents. Because the ICAO is a widely trusted organization and its sources are transparent, it is one of the most reliable places to get certificates.
  The ICAO PKD provides two types of master lists:
  - The one curated and verified by the ICAO;
  - The ones that are submitted by PKD Member States and that contain all certificates trusted by the submitting State itself. A compilation of these lists will include a higher number of certificates than the ICAO Master List, but it must be noted that the lists are not curated by the ICAO. One must verify their issuance and establish trust in the submitters in order to trust the included certificates.
  While data from the PKD, including all of the Master Lists mentioned, can be downloaded through a public website, the Terms and Conditions for using this data state that it cannot be used for commercial purposes. While there are no known prosecutions for violations, using this service is at your discretion. Large organizations may need support from national authorities that issue identity documents and are PKD members.
- CSCA Master List by BSI. Commercial use is permitted as long as you don’t advertise it or make it appear as cooperation. However, BSI discloses neither how CSCAs were obtained nor the frequency of updates. So, while you will be able to conduct passive authentication using their CSCA Master List, you may not comply with some regulations, such as the ETSI requirements for qualified electronic signatures (QES).
- Publishers’ websites. Many countries also provide their CSCA certificates for public access: Switzerland, Australia, and many others. If you target just one country and it provides its CSCA to the public, manually scraping information from countries’ passport office sites might be manageable. You can also check out the ICAO PKD for certificates submitted by particular countries.
The above-mentioned sources of certificates can work for you in different combinations. For example, even if you have access to the ICAO PKD, it wouldn’t hurt to also keep the BSI Master List, and check out whether the countries your business is operating in have their certificates available to the public. This way, if one source fails, you have others to fall back on.
Why is it critical to select a source you can trust?
In the case of passive authentication, trust is more than just a gesture of goodwill. If a master list that is supposed to be trusted contains a fake certificate, then all fake documents signed with it will pass as genuine.
Here’s a hypothetical example: Imagine a small country that doesn’t provide its CSCA certificate on its official website. Fraudsters create a fake version of this country’s website and add a page where anyone can download the certificate, which is, of course, also fake. Once the bait works, they produce fake documents signed with this certificate and can try to attack any organization that uses it for verification.
The final responsibility lies with the end organization
No matter which sources you trust to get certificates and master lists from—be it a central repository or each publisher directly—the responsibility remains yours. Organizations like the ICAO or BSI may facilitate the process, but they are not liable if something goes wrong.
Also, understanding the certificate system and its expiration dates is crucial. You need to set up alerts for approaching expiration dates to ensure you have a fresh certificate ready to replace the old one.
The most responsible organizations don’t rely solely on external sources. They collect certificates from various countries, create their own master list, sign it with their own certificate, and ensure that it’s valid. But even if your industry’s risk tolerance isn’t as stringent, it’s still good practice to regularly review your master lists and update the supporting software versions. This proactive approach helps maintain the integrity and reliability of your passive authentication process.
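Added example (not from the article or from Regula): a standard-library audit over a constructed inventory that raises the expiry alerts described above, covers the expired master-list signer scenario, and reports countries left with one or no usable source. The source labels, dates, 60-day window and `XX` country are assumptions; in practice the notAfter values would be read from the certificates themselves.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
WARN = timedelta(days=60)  # assumed alert lead time before expiry

# Constructed inventory. Per source: notAfter of the certificate that signed
# its master list (None: certificates are fetched individually, unsigned).
SOURCES = {
    "icao_pkd": datetime(2025, 1, 10, tzinfo=UTC),
    "bsi": datetime(2026, 6, 1, tzinfo=UTC),
    "publisher_site": None,
}
# Constructed CSCA entries: (country, source, notAfter of the CSCA certificate).
CSCA = [
    ("CH", "icao_pkd", datetime(2030, 1, 1, tzinfo=UTC)),
    ("CH", "bsi", datetime(2030, 1, 1, tzinfo=UTC)),
    ("CH", "publisher_site", datetime(2030, 1, 1, tzinfo=UTC)),
    ("AU", "icao_pkd", datetime(2029, 5, 1, tzinfo=UTC)),
    ("AU", "bsi", datetime(2025, 3, 1, tzinfo=UTC)),
    ("XX", "icao_pkd", datetime(2031, 1, 1, tzinfo=UTC)),  # XX: placeholder country
]

def state(not_after, now):
    """Classify an expiry date as 'ok', 'expiring' (within WARN) or 'expired'."""
    if not_after is None or not_after - now > WARN:
        return "ok"
    return "expired" if not_after <= now else "expiring"

def audit(sources, csca, now):
    """Return (alert, subject) pairs for signer expiry and per-country coverage."""
    src_state = {name: state(exp, now) for name, exp in sources.items()}
    alerts = [(f"MASTER_LIST_SIGNER_{st.upper()}", name)
              for name, st in sorted(src_state.items()) if st != "ok"]
    usable = {}
    for country, source, not_after in csca:
        st = state(not_after, now)
        if st == "expiring":
            alerts.append(("CSCA_EXPIRING", f"{country}/{source}"))
        ok = st != "expired" and src_state[source] != "expired"
        usable.setdefault(country, set()).update({source} if ok else ())
    for country, srcs in sorted(usable.items()):
        if len(srcs) < 2:  # zero: verification fails; one: no fallback
            alerts.append(("SINGLE_SOURCE" if srcs else "NO_USABLE_SOURCE", country))
    return alerts

if __name__ == "__main__":
    for alert in audit(SOURCES, CSCA, datetime(2025, 2, 1, tzinfo=UTC)):
        print(*alert)
```

With the constructed data, the expired signer on one master list silently removes that source for every country, which is why a country served only by it ends up with no usable source even though its own CSCA certificate is still valid.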
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are those of the author, and don’t necessarily reflect the views of Biometric Update.