Professional Documents
Culture Documents
Version : 3.2
Distribution:
Name Organization
ICAO
PKD Board
Revision History
Date Issue Description Author
14 July 2006 0.1 First Issue Vivek Kaushik
19 July 2006 0.2 Second Issue Vivek Kaushik
10 August 2006 0.3 Changed to reflect one-way SSL during Vivek Kaushik
upload
14 August 2006 0.4 Changes to accompany Interface Vivek Kaushik
Specifications v1.4.2
27 March 2007 2.0 Changes to accompany Interface Vivek Kaushik
Specifications v2.0
Addition of the “Doc 9303” compliance
testing
Standardized to v2.0
08 May 2007 2.1 Changes to accompany Interface Vivek Kaushik
Specifications v2.1
Updates to Sec. 3.2, Compliance Tests
13 Nov 2007 2.2 Consolidated Changes from v0.6, related to Vivek Kaushik
2-way SSL for Upload, Accompany PKD
Interface Specs v2.2; Updated Registration
Form to accept PKD Upload Certificates
16 June 2009 2.3 Changes for downloader entries R. Rajeshkumar
22 February 2010 2.4 Changes:CSR for uploader certificate R. Rajeshkumar
13 February 2012 3.0 Non-conformant entries and delta LDIFs Andy Hing
08 January 2013 3.1 Updates to Sec. 3.4, Download Tests Andy Hing
28 August 2013 3.2 Changes in CRL specs, one CRL per PKD Andy Hing
participant
Table of Contents
1 Overview 5
1.1 Introduction 5
1.2 Glossary 5
2 Registration 8
1 Overview
1.1 Introduction
As part of the MRTD initiative by ICAO, participating countries will upload to and
download from a central ICAO PKD, their passport certifying credentials. A test
bench will be setup by the Operator to assist the Participating Parties in
understanding and integrating their system to the interface before proceeding to
communicate with the ICAO PKD production system.
1.2 Glossary
5. “Country Signing CA Public Key” (KPuCSCA) means the public key that is
used to decrypt and verify the digital signature on a Document Signer
Certificate (CDS);
7. “Document Signer Public Key” (KPuDS) means the public key that is used to
decrypt and verify the digital signature on an eMRTD;
11. “Fee Schedule” means the Schedule issued and published by ICAO in
consultation with the Operator and as approved by the PKD Board, under
Article 3.1 (e) and Attachment B to the PKD Memorandum of Understanding;
13. “ICAO Public Key Directory” (ICAO PKD) means the central database
serving as repository of document signer public keys and certificate revocation
list issued by Participating Parties, together with a system for their distribution
worldwide, maintained by ICAO on behalf of such Participating Parties in
order to facilitate validation of data contained in eMRTDs;
15. “Operator” means the entity contracted by ICAO for the operation of the
ICAO PKD in accordance with the System Design Documentation and the
Public Key Infrastructure specifications set forth in the latest edition of Doc
9303, Part 1;
16. “Participating Parties” are those specified in Article 2.2 and 2.3 of the
Memorandum of Understanding (MoU) Regarding Participation and Cost
Sharing in the ICAO Public Key Directory (ICAO PKD);
17. “PKD Board” means the group referred to in Article 9.1 of the Memorandum
of Understanding (MoU) Regarding Participation and Cost Sharing in the
ICAO Public Key Directory (ICAO PKD), composed of up to 15
representatives designated by Participating Parties;
18. “PKD Download” means a file transfer of a complete copy of the latest
version of the PKD READ Directory in existence at any given time;
20. “PKD Query” means a request for an individual CDS and any corresponding
CRLs on the PKD READ Directory, to locate a certificate reference contained
in an eMRTD;
21. “PKD Test Upload Directory” is the read-only directory version of the ICAO
PKD;
22. “PKD Test Download Directory” is the read-only directory version of the
ICAO PKD;
23. “PKD Web Site” is a web site or URL established by the Operator to enable
accessing entities to download the ICAO PKD;
26. “Operator Testing Contact” (OTC) is designated personnel from the PKD
Operator that will communicate with the participating party during the testing
process.
2 Registration
Before accessing the test bench system, Participating Parties must indicate this
intention to ICAO. This process is called “Registration”. As indicated in Sec 4.1 of the
PKD Regulations v1.9, Participating Parties will inform ICAO of the EMA and CIL.
ICAO will then inform these details to the Operator so access details can be assigned.
The STC will provide a CSR (Certificate Signing Request) to the OTC. The
OTC will generate a certificate, which is used as PKI credentials to access the
Upload Directory. The certificate will be sent back to the STC. The CSR
should be generated with signatureAlgorithm: Sha1RSA and Key length:
2048.
Operator will register the certificates and designate an “upload point” on the
“PKD Test Upload Directory” with assigned access credentials to that point,
to the STC. The access credential will consist of an LDAP ID. The server
certificate will also be sent, so that the client services can authenticate the
server. The OTC will inform these details to the STC via email.
Operator will designate an “upload point” on the “PKD Test Upload
Directory” and assign access credentials to that point, to the STC. These
access credentials will consist of a LDAP ID and password combination. The
server certificate will also be sent, so that the client services can authenticate
the server. The OTC will inform these details to the STC via email.
Operator will also assign access credentials to the “PKD Test Download
Directory” and the test bench webpage containing the checksum, to the STC.
These credentials consist of a LDAP UserID and password combination. The
server certificate will also be sent, so that the client services can authenticate
the server. The OTC will inform these details to the STC via email. The
participant will create their own download credentials as outlined in the “PKD
These tests will be done to test various usage scenarios of the PKD. For the
purpose of testing, the participating party is referred to, as the “client” and the test
bench system is referred to, as the “server”. The tests are detailed in the next
section.
2. Using the “Browse” button shown on the webpage, the client selects to upload
the CCSCA, CDS, CRL or CSCA Masterlist.
3. When ready, the client clicks the “Check” button, as shown below.
4. After the check is complete, a report is generated and shown to the client. In
this report, the client is shown the various criteria upon which the data was
tested, and a pass/acceptable/fail message.
5. For CDS and CRLs, the report also generated the Relative DN of the entry to
support the upload of the entry to the directory. This value is used in the
Upload Tests. An example is shown below.
shown. Messages which explain why the field has acceptable variations are
printed at the bottom of the report shown below.
For example, if the CDS was issued by “o=Issuer CA, c=SG” and the DSC
serial number is “02F45D45” then the entry’s attributes are:
dn: cn=o\=Issuer CA\,c\=SG+sn=02F45D45,
o=Certificates,c=SG,dc=pkdWrite,dc=pkdUpload
objectClass: inetOrgPerson
cn: o=Issuer CA,c=SG
sn: 02F45D45
userCertificate;binary: DER encoded binary file containing DSC
4. When the entry is successfully created in the server, an LDAP message code
of success is returned to the client. The client would now be able to view his
own entry along with any previous entries in the directory tree.
5. If there are any errors, the corresponding LDAP error code is returned to the
client. This error code and the add request data, should be noted and
forwarded to the Operator to assist in troubleshooting.
6. A similar test would be done to upload a CRL to the directory, with a
difference of, objectClass being cRLDistributionPoint, and sn being not
defined. The DN for CRLs entry consists of the issuer DN of the issuer of the
CRL, followed by “o=CRLs” and then the base DN for that country.
objectClass: CscaMasterList
cn: o=Issuer CA,c=SG
CscaMasterListData;binary: DER encoded binary file containing CSCA
Masterlist
4. As specified in the interface specifications, the LDAP search query syntax for
the entry “cn=ldif 002,ou=download, dc=pkddownload” is of the form
(&(objectClass=*)(!(lversion=xxxxxx))) where xxxxxx refers to the
current version number of the client. At the beginning of the test, the client
must send 000000 to signify that it has no previous data. Subsequently, the
client should include the version number in the query. For example, if the
client already has version 000033 then the query sent to the server would be,
Message Type: Search Request (0x03)
Base DN: dc=pkddownload
Scope: Base (0x00)
Dereference: Searching (0x01)
Size Limit: 0
Time Limit 0
Filter: (&(objectClass=*)(!(lversion=000033)))
5. As specified in the interface specifications, the LDAP search query syntax for
the entry “cn=ldif 003,ou=download,dc=pkddownload” is of the form
(&(objectClass=*)(!(cversion=xxxxxx))) where xxxxxx refers to the
current version number of the client. At the beginning of the test, the client
must send 000000 to signify that it has no previous data. Subsequently, the
client should include the version number in the query. For example, if the
client already has version 000033 then the query sent to the server would be,
Message Type: Search Request (0x03)
6. A new version is released every one hour by the server, containing all
certificates, CRLs and CSCA Masterlist up to that hour.
If a new version is available, the base entry containing the new LDIF file and
the new version information will be sent back to the client, together with
Search result of one entry. If no new version is available, no new data is sent
back to the client. In both cases, an LDAP code of success is returned
signifying that the query was executed successfully on the server.
An example of a successful download of the LDIF file is shown below.
dn: cn=ldif 001,ou=download,o=pkddownload
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: ldif 001
sn: 0001
version: 000034
LDIFPKD:
#version: 1
dn: dc=data,dc=pkdDownload
dc: data
objectClass: top
objectClass: domain
34m+wTnHbajD9vWcaZ98INjUMnBG7DprVQP8MOamKrSARARbyUahN0Ak0sqEY53VLC7J2aJMT12I
H/bML2ehcYj3udmZFxCo8M6uMC6lAQIhWgc9Q7ibRTIv+9ZTeC5KgOamowfV8sE3Or0QTpdG1VYx
ocg5GTPN+0Hz35h0wlwEgwtaGAg1Qk+l+F/g5NAqmJLrQ4HbT40YI6S4EHfIrSfOmYkrGEH51Gq6
siUOyxkx0Hwn+Zb4qqWfMDRAxYO2qSOLXbciBrw3s84CqTtKyElu8vslwDK7DKFGVLHxUtjS/qC+
LK61DEyB9cIBsxwoZqhufbMICgTsKjxxMP2/1AR1XX2nh7uPVz8eRkh66rLwoImgOH9AFZmhtAi3
bPNT+/m6oFurSkDhfK5+M1zo4PHSCBZ19pl/8sx1UAQyT71+Knd2uziXsMVhTeqxeUOuBvdodq/b
Ke6wwcXbC7ef87O/vLfEoQOj1dd5RJLjMfseMCdec3Adfiw==
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
OTDoc9303Code: WARN:DSC.ISS.11:DSC.SUB.11
sn: 4942BE14
cn: CN=csca-canada,OU=pptc,O=gc,C=ca
The LDIF file is the contents of the LDIFPKD attribute from the search result.
7. If the code returned is not “LDAP success”, clients should note the LDAP
code returned by the server. This data and the search filter used should be sent
to the Operator for troubleshooting.
Once a new LDIF file is obtained, the client should then retrieve the integrity
checksum from the test bench webpage, to be compared to a calculated
checksum of this LDIF file. The checksum is obtained by calculating a SHA-1
hash of the LDIF file, and then hex encoding the result. If the two checksums
are identical, then a successful download has concluded. If the checksums do
not match, then the LDIF file and the retrieved checksum should be preserved
and sent to the Operator to assist in troubleshooting.
Size Limit: 0
Time Limit 0
Filer: cn=000033
5. A new version is released every one hour by the server, containing all
certificates, CRLs and CSCA Masterlist up to that hour.
If a new version is available, the base entry containing the new LDIF file and
the new version information will be sent back to the client, together with
search result of one entry. If no new version is available, no new data is sent
back to the client. In both cases, an LDAP code of success is returned
signifying that the query was executed successfully on the server.
An example of a successful download of the Delta LDIF file is shown below.
dn: cn=000033,ou=deltas,dc=pkddownload
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: 000033
sn: 000033
LDIFPKD:
#Version: 1
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: 000033
sn: 000033
LDIFPKD:
#Version: 1
dn: cn=CZE,o=CRLs,c=CZ,dc=non-conformant,dc=pkddownload
changetype: delete
dn: cn=CZE,o=CRLs,c=CZ,dc=non-conformant,dc=pkddownload
changetype: add
OTDoc9303Result: WARN:CRL:Issuer: organizationName is in PrintableString. Ple
ase change it to UTF8String.|CRL:Issuer: organizationalUnitName is in Printa
bleString. Please change it to UTF8String.|ERR:CRL:Issuer: commonName is in
TeletexString. Please change it to UTF8String.
objectClass: top
objectClass: cRLDistributionPoint
OTDoc9303Code: WARN:CRL.ISS.11:ERR:CRL.ISS.11
certificateRevocationList:: MIICuTCB7gIBATBBBgkqhkiG9w0BAQowNKAPMA0GCWCGSAFlA
wQCAQUAoRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogMCASAwVzELMAkGA1UEBhMCQ1oxF
zAVBgNVBAoTDkN6ZWNoIFJlcHVibGljMR0wGwYDVQQLExRNaW5pc3RyeSBvZiBJbnRlcmlvcjEQM
A4GA1UEAxQHQ1NDQV9DWhcNMTEwOTIxMDAwMDAwWhcNMTExMjIwMDAwMDAwWqAvMC0wHwYDVR0jB
BgwFoAUtIGZ9eyQ2j8Nb586fefgwXWUliwwCgYDVR0UBAMCAWIwQQYJKoZIhvcNAQEKMDSgDzANB
glghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgA4IBgQBfTIYIM
adXhBwq6LNLizpOEBu7Wprf++nO30dPYwG6K7Z4QpvTH1QNuuyN/wqCYH1QWZrTcfYE+NP2YVDZb
L2ANvQLAd/h0Tb4rJXpQA98ZrSpfOpUGGHUz8V1edLQ9Jqg50R+jJibFIfHOTf9rCqJnjPz9hd+u
sDJ2FUvilCr1HdRW5AjJoj70C6n4KVLpRgn7/Mphp50vF9OqPTUBEI2nLqAjOacTclL4SWA3AyHO
oBsx37XI64uQw54jwWIveTQV3mhKHeshLEvU6XjhNIQG5yyOzLkSBQXLj5EsyJaNGX5o2yHbTkJb
vmaIq6PFo3wKJSKciRxTo7zAQWoUJkvGNNoYMLpLz/xhrgK/yQzuyyxs6lpMEPAirV1Utc60Z8Yo
8cB7msQNdt8W9l3vFl/BP4R9OumGvIAdop3RT0VAswsCc9jOjQwgj43Jk9+9Lt5uAsNPqA7gucdi
wGL9uD57ZuGn6tHXwihfGGHBU29Kzu842ohmhy3HjN2/dioMK8=
cn: B48199_CN=CSCA_CZ,OU=Ministry of Interior,O=Czech Republic,C=CZ
The LDIF file is the contents of the LDIFPKD attribute from the search result.
6. If the code returned is not “LDAP success”, clients should note the LDAP
code returned by the server. This data and the search filter used should be sent
to the Operator for troubleshooting.
Once a new LDIF file is obtained, the client should then retrieve the integrity
checksum from the test bench webpage, to be compared to a calculated
checksum of this LDIF file. The checksum is obtained by calculating a SHA-1
hash of the LDIF file, and then hex encoding the result. If the two checksums
are identical, then a successful download has concluded. If the checksums do
not match, then the LDIF file and the retrieved checksum should be preserved
and sent to the Operator to assist in troubleshooting.
Filter: (sn=42602b75)
3.
Unlike CDS, CRLs does not have the entry “sn”. The “cn” of CRL is made up
of ICAO country code as it appears in the MRZ of the Participating parties. If
this country code does not uniquely define the issuing State or entity, the “cn”
will be appended with the symbol “_” and then the ICAO assigned three letter
code for the issuing State or entity.
5. If the search results in valid results, those results will be sent back to the
client. If no matching data is found, no new data is sent back to the client. In
both cases, an LDAP code of success is returned signifying that the query was
executed successfully on the server.
For example, above query would return a search result as
Message Type: Search Entry (0x04)
DN: cn=o\=Issuer
CA\,c=\US+sn=42602b75,o=Certificates,c=US,dc=data,dc=pkdDownload
cn: o=Issuer CA,c=US
sn: 42602b75
6. If the code returned is not “LDAP success”, clients should note the LDAP
code returned by the server. This data and the search filter used should be sent
to the Operator for troubleshooting.
2. The authority responsible for the upload of PKD data is called the
“Country Upload Officer I”. This person will be an administrative
contact between ICAO, Netrust and the country for all non-technical
matters such as membership and fees. The credentials to access the
upload and download PKD will be sent to this contact person. As a
backup, “Country Upload Officer II” details are also required, to ensure
communication in case the first contact is unavailable.
Title:
Postal Address:
Email:
Title:
Postal Address:
Email:
Title:
Postal Address:
Email:
Title:
Postal Address:
Email:
Title:
Organization:
Postal Address:
Email:
Office : Fax:
Mobile/Cell:
PKD UPLOAD - CLIENT CERTIFICATE CSR
(Please type as Base64, DER encoded, in 10pt courier new font)