ICAO PKD LDIF File Frequently Asked Questions, v3.0
Dated: 11th October 2010

Currently, an English version has been made available. Other language translations will be made available on the same web-site in due course.

This document can be downloaded from: https://pkddownloadsg.icao.int/ICAO/pkdLDIFDownload.jsp

The International Civil Aviation Organization (ICAO) manages a Public Key Directory (PKD) which contains the public keys of PKD Participants that issue electronic passports (e-Passports). This document answers the typical questions asked about the ICAO PKD LDIF file.

1) Who is the intended audience?

This system is intended for all agencies or companies that interact closely with e-Passports/travel documents to verify identity, such as: Border Control, Airlines/Travel Industry, Tourism Industry, Law Enforcement, and States evaluating future deployments and their vendors.

2) What is an e-Passport?

An e-Passport (or electronic passport) is just like an ordinary passport used as a travel document, except that it also contains an electronic chip holding a digital equivalent of the holder's identity. This holder information is both biographical (name, date of birth, etc.) and biometric (digital photograph). According to international agreements, an e-Passport is distinguished from normal passports by a special symbol on the cover. This symbol is: [e-Passport symbol image not reproduced in this copy]

To protect its integrity, the digital data in the chip is digitally signed by the issuing country. A corresponding "digital certificate" containing the signer's public key is required to check the integrity of the e-Passport. This "digital certificate" may be embedded in the electronic chip, or distributed via a central mechanism by ICAO.

3) What is the ICAO PKD (Public Key Directory)?

To facilitate the distribution of the "digital certificates" that signed the e-Passports above, ICAO has set up a central repository together with a system for their distribution worldwide. This central repository is called the "ICAO PKD" (Public Key Directory). It contains the e-Passport signing digital certificates, also called "Document Signer Certificates" (DSCs), and also a blacklist of compromised digital certificates (those that cannot be used) called "Certificate Revocation Lists" (CRLs). It also contains CSCA Master Lists, which are signed lists of the CSCA Certificates used by the PKD Participants.

4) What is LDIF?

LDIF stands for "LDAP Data Interchange Format", and is a standard format used to export and import data between offline systems, much like a .CSV or .XML file. LDIF formatted files are especially useful in exchanging data between LDAP compliant directories.

5) What are the two separate LDIF files available for download?

There are two LDIF files available for download. The first is a collection of DSCs and CRLs that have been verified by ICAO against the PKD Participants' CSCA Certificates. This collection is sufficient in most cases for verification of e-Passports. The second LDIF is a collection of the CSCA Certificates in use, published by the PKD Participants themselves as Master Lists. The PKD validates the signatures of uploaded Master Lists; however, ICAO has not validated or verified the CSCA Certificates within these Master Lists.

6) What do I need to use this LDIF file?

This LDIF file is used to digitally verify the e-Passport signature. Therefore, before using this file, an understanding of the e-Passport digital data structure is mandatory. Here is a list of capabilities that would be needed to use this LDIF file:

a. Public Key Infrastructure (PKI) and cryptography
b. Application usage of cryptography and relevant standards such as X.509, PKCS#7, RSA, ECC, SHA-1, SHA-256 and ASN.1
c. e-Passport logical data groups
d. Directory protocols: X.500 and also Lightweight Directory Access Protocol (LDAP), DNs, LDAP commands etc.

7) What is the significance of the "version" number of the file?

The LDIF file is updated as and when new certificates are created by PKD Participants. To distinguish an updated file from an older one, a version number is assigned to each unique collection of DSCs and CRLs. This version number is updated sequentially. Downloaders of this file are encouraged to periodically update the file with the latest information available at the time. The Master List has a separate version number as well.

8) How do I ensure that this LDIF file downloaded without errors?

The LDIF file is check-summed using SHA-1 by the ICAO PKD before being made available for download. The checksum is created by calculating the message digest of the whole file and hex-encoding the result to give a string of 40 characters, looking like:

3BC22E4E24CC422760AD6D83B4D3BFA8FC6BB43D

To check that the file was downloaded without errors, after receiving the complete file, create another checksum using the same SHA-1 algorithm and hex encode the result, and then go to the web-site https://pkddownloadsg.icao.int/ICAO/pkdChksum.jsp or https://pkddownloadth.icao.int/ICAO/pkdChksum.jsp to check the result against the same version of the file downloaded. If the results are the same, the file was downloaded successfully.

9) What is the specification for the entries in the LDIF file?

Please note that to understand the specifications, a high amount of technical proficiency in LDAP and PKI, as well as a working knowledge of e-Passport systems, is needed.

A) DSC/CRL LDIF

The LDIF file is organized as a directory tree, with the root of the tree at "dc=data, dc=pkdDownload". Every PKD Participant that uploads to the PKD will be assigned a directory, where all its uploaded DSCs and CRLs will be stored. For example, in the case of Singapore, the location assigned will be "c=SG, dc=data, dc=pkdDownload". This point would be the base DN under which all entries from Singapore would be stored. There are two kinds of data that a client would need from the PKD: the certificates (DSCs) and the CRLs.

a. Download DSC entry format

DSCs would be allocated an "o=Certificates" within the base DN of that state. The following attributes of the DSC entry are available for download:

Objectclass: inetOrgPerson (according to RFC 2798 [1]) when uploading a DSC.
Cn: CSCA DN of the DSC. This is the DN of the issuer of the DSC and not the DSC DN. There are no whitespaces after each "," in this string.
Sn (Surname): Certificate Serial Number. This is the hex encoded X.509 certificate serial number allocated to that certificate by the CSCA when signing that certificate.
userCertificate: DER encoded binary file containing the full X.509 certificate issued by the issuer (the Country Signing CA).

The final DN of the entry will consist of the 'cn' followed by the "+" character and then the 'sn'. For example, if an entry has the following details:

cn: o=Passport Issuer, c=AG
sn: 0F4E2045

then the entry DN is:

dn: cn=o\=Passport Issuer\,c\=AG+sn=0F4E2045,o=Certificates,c=AG,dc=data,dc=pkdDownload

According to MRTD specifications, a signed e-Passport would minimally identify the signer by the signer's CA DN and the signer's certificate serial number. It can therefore be concluded that the minimum information on which a particular DSC needs to be searched for in the PKD download is the issuer (CSCA) DN and the DSC serial number. By constituting the CN and the SN of the entry from this information, it is ensured that searches are optimized and entries can be found based on information available from the e-Passport that needs to be verified.

b. Download CRL entry format

CRLs would be allocated an "o=CRLs" within the base DN of that country. The following attributes of the CRL entry are available for download:

Objectclass: cRLDistributionPoint (according to RFC 2256 [2]).
Cn: The first six characters of the issuer "SubjectKeyIdentifier" (hash of the CSCA public key), followed by the symbol "_" and then the CSCA DN of the CRL. This is the DN of the issuer of the CRL. There are no whitespaces after each "," in this DN.
certificateRevocationList: DER encoded binary file containing the CRL issued by the issuer (the Country Signing CA).

For example, if the issuer DN is "o=Passport Issuer, c=AG" and the "SubjectKeyIdentifier" of the CA issuing that CRL is FE457834AAF12C232CEFEF56121102BCD4567652, then that CRL's entry DN would be:

dn: cn=FE4578_o\=Passport Issuer\,c\=AG,o=CRLs,c=AG,dc=data,dc=pkdDownload

and the 'cn' of the entry is:

cn: FE4578_o=Passport Issuer,c=AG

By this method, CRLs issued by the same issuer DN but different public keys can be distinguished by different entry DNs.

According to MRTD specifications, a signed e-Passport would minimally identify the signer by the signer's CA DN and the signer's certificate serial number. To check revocation of that certificate, the CRL to be used will also be issued by the same CA. It can therefore be concluded that the minimum information on which a particular CRL needs to be searched for in the PKD download is the issuer (CSCA) DN. By constituting the CN of the CRL entry from this information, it is ensured that searches are optimized and entries can be found based on information available from the e-Passports that need to be verified.

[1] RFC 2798, "Definition of the inetOrgPerson LDAP Object Class", http://www.ietf.org/rfc/rfc2798.txt
[2] RFC 2256, "A Summary of the X.500(96) User Schema for use with LDAPv3", http://www.ietf.org/rfc/rfc2256.txt
B) CSCA Master List LDIF

The LDIF file is organized as a directory tree, with the root of the tree at "dc=CSCAMasterList, dc=pkdDownload". Every PKD Participant that uploads to the PKD will be assigned a directory, where all its uploaded Master Lists will be stored. For example, in the case of Singapore, the location assigned will be "c=SG, dc=CSCAMasterList, dc=pkdDownload". This point would be the base DN under which the Master List created by Singapore would be stored.

Download MasterList entry format

The MasterList entry would be contained in an entry within the base DN of that country. The following attributes of the MasterList entry will be available for download:

objectclass: CscaMasterList (schema given under question 10 B).
cn: The first six characters of the issuer "SubjectKeyIdentifier" (hash of the CSCA public key), followed by the symbol "_" and then the CSCA DN of the MasterListSigner. There are no whitespaces after each "," in this DN.
sn: Will always be "1".
CscaMasterListData: CSCAMasterList as a signed Data Object.

For example, if the issuer DN is "o=Passport Issuer, c=AG" and the "SubjectKeyIdentifier" of the CSCA issuing the MasterList is FE457834AAF12C232CEFEF56121102BCD4567652, then that MasterList's entry DN would be:

dn: cn=FE4578_o\=Passport Issuer\,c\=AG,c=AG,dc=CSCAMasterList,dc=pkdDownload

and the 'cn' of the entry is:

cn: FE4578_o=Passport Issuer,c=AG

By this method, MasterLists issued by the same issuer DN but different public keys can be distinguished by different entry DNs.
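The entry-DN rules for all three entry types in question 9 (DSC, CRL and Master List), written out as an added Python example that is not part of this FAQ or of the PKD software. It reproduces the FAQ's own example values; escaping of backslash and "+" inside the nested DN, beyond the "\=" and "\," the FAQ shows, is an assumption taken from RFC 4514.

```python
import re

def normalize_dn(dn: str) -> str:
    """Strip whitespace after the commas separating RDNs: "o=X, c=AG" -> "o=X,c=AG"."""
    return re.sub(r",\s*", ",", dn.strip())

def escape_rdn_value(value: str) -> str:
    """Escape a whole DN so it can be nested as a single RDN value, as the PKD entry DNs do.
    The FAQ shows '=' and ',' escaped; backslash and '+' are escaped too (assumption, per
    RFC 4514) so the nested value cannot be misread as a separator or a multi-valued RDN."""
    out = value.replace("\\", "\\\\")
    for ch in ",+=":
        out = out.replace(ch, "\\" + ch)
    return out

def skid_prefix(skid_hex: str) -> str:
    """First six hex characters of the CSCA SubjectKeyIdentifier, upper-cased."""
    if not re.fullmatch(r"[0-9A-Fa-f]{6,}", skid_hex):
        raise ValueError("SubjectKeyIdentifier must be a hex string of at least 6 digits")
    return skid_hex[:6].upper()

def dsc_entry_dn(issuer_dn: str, serial_hex: str, country: str) -> str:
    """DSC entry: cn = issuer (CSCA) DN, sn = hex serial, joined with '+' under o=Certificates."""
    cn = escape_rdn_value(normalize_dn(issuer_dn))
    return f"cn={cn}+sn={serial_hex.upper()},o=Certificates,c={country},dc=data,dc=pkdDownload"

def crl_entry_cn(issuer_dn: str, skid_hex: str) -> str:
    """CRL / Master List cn: first six SKID hex chars, '_', then the issuer DN without spaces."""
    return f"{skid_prefix(skid_hex)}_{normalize_dn(issuer_dn)}"

def crl_entry_dn(issuer_dn: str, skid_hex: str, country: str) -> str:
    """CRL entry sits under o=CRLs in the participant's branch of dc=data,dc=pkdDownload."""
    cn = escape_rdn_value(crl_entry_cn(issuer_dn, skid_hex))
    return f"cn={cn},o=CRLs,c={country},dc=data,dc=pkdDownload"

def masterlist_entry_dn(issuer_dn: str, skid_hex: str, country: str) -> str:
    """Same cn rule as the CRL entry, but rooted under dc=CSCAMasterList with no o= level."""
    cn = escape_rdn_value(crl_entry_cn(issuer_dn, skid_hex))
    return f"cn={cn},c={country},dc=CSCAMasterList,dc=pkdDownload"
```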
10) How do I use this LDIF file?

A) DSC/CRL LDIF

The LDIF file contains DSCs (in objectClass "inetOrgPerson", attribute "userCertificate") and CRLs (in objectClass "cRLDistributionPoint", attribute "certificateRevocationList"). Both these data items are binary data, which are Base64 encoded in the LDIF file. The easiest method to use this data is to import the file into an LDAP directory. This would ease the searching of the right DSC or CRL as the need arises. Any other process that extracts this data can also be used to ensure availability of the data in a central system, such as a database or shared storage. Once the data has been extracted, the e-Passport verification mechanism can use this data during the validation process. The e-Passport verification process is beyond the scope of this document, and can be referenced separately from ICAO's MRTD web-site.

B) CSCA Master List LDIF

The LDIF file contains MasterLists using the following schema. The attribute and object class OIDs are not legible in this copy of the document and are shown as placeholders; the NAME, DESC, SYNTAX, SUP and MUST parts are as published.

Attribute: 'CscaMasterListData'
( <CscaMasterListData attribute OID> NAME 'CscaMasterListData' DESC 'CSCA Master List Data' SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 SINGLE-VALUE )

Structural objectclass: 'CscaMasterList'
( <CscaMasterList object class OID> NAME 'CscaMasterList' DESC 'CSCA Master List' SUP person STRUCTURAL MUST ( CscaMasterListData ) )

The process to extract the CSCA Certificates contained within the Master List is beyond the scope of this document, and can be referenced separately from ICAO's MRTD web-site.

11) Does the Master List issued by a PKD Participant contain all the CSCA Certificates used by that PKD Participant?

The Master List contains the complete list of CSCAs used by the PKD Participant.
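The extraction route described under 10 A, as an added Python example that is neither this FAQ's nor the PKD's own code: it checks the file's SHA-1 checksum as in question 8, parses the LDIF (folded lines and base64 "::" values), and indexes DSCs by (issuer DN, serial) and CRLs by cn, the search keys question 9 derives. The LDIF sample is constructed, with short fake byte strings standing in for the DER-encoded certificate and CRL.

```python
import base64
import hashlib

# Constructed sample in the shape of the PKD DSC/CRL LDIF (not real PKD data). "::" marks a
# base64 value and a leading space continues the previous line, as in RFC 2849.
SAMPLE_LDIF = ("version: 1\n\n"
    "dn: cn=o\\=Passport Issuer\\,c\\=AG+sn=0F4E2045,o=Certificates,c=AG,dc=data,\n"
    " dc=pkdDownload\n"
    "objectclass: inetOrgPerson\n"
    "cn: o=Passport Issuer,c=AG\n"
    "sn: 0F4E2045\n"
    "userCertificate:: " + base64.b64encode(b"\x30\x82DSC-DER").decode() + "\n\n"
    "dn: cn=FE4578_o\\=Passport Issuer\\,c\\=AG,o=CRLs,c=AG,dc=data,dc=pkdDownload\n"
    "objectclass: cRLDistributionPoint\n"
    "cn: FE4578_o=Passport Issuer,c=AG\n"
    "certificateRevocationList:: " + base64.b64encode(b"\x30\x82CRL-DER").decode() + "\n"
)

def verify_sha1(data: bytes, published_hex: str) -> bool:
    """Question 8: hex SHA-1 of the whole file must equal the published 40-character checksum."""
    return hashlib.sha1(data).hexdigest() == published_hex.lower()

def parse_ldif(text: str):
    """Yield one dict per entry: attribute name (lower-cased, options dropped) -> list of values."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]            # folded continuation line
        else:
            logical.append(raw)
    entry = {}
    for line in logical + [""]:
        if not line:                          # blank line terminates an entry
            if entry:
                yield entry
            entry = {}
        elif not line.startswith(("#", "version:")):
            name, _, value = line.partition(":")
            name = name.split(";")[0].lower()  # drop options such as ";binary"
            val = base64.b64decode(value[1:].strip()) if value.startswith(":") else value.strip()
            entry.setdefault(name, []).append(val)

def index_dscs(entries):
    """Key DSCs by (issuer CSCA DN, serial): the minimum a signed e-Passport identifies."""
    return {(e["cn"][0], e["sn"][0].upper()): e["usercertificate"][0]
            for e in entries if "inetorgperson" in map(str.lower, e.get("objectclass", []))}

def index_crls(entries):
    """Key CRLs by cn (SKID prefix + issuer DN), so same-DN/different-key CRLs stay distinct."""
    return {e["cn"][0]: e["certificaterevocationlist"][0]
            for e in entries if "crldistributionpoint" in map(str.lower, e.get("objectclass", []))}
```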