Hello all,
I'm Ave Özkal. I'm not working for any CA, and have no WG experience,
however I have implemented ICAO 9303 (the standard for MRTD/eMRTDs)
several times for OSS projects (it was my COVID lockdown hobby) and have
some close familiarity with it.
I read the slides on EMRTD-DATA-01
<https://datatracker.ietf.org/meeting/125/materials/slides-125-acme-emrtd-data-01-00>,
assembled a list of thoughts and concerns, and contacted Mike Ounsworth
with them earlier. He suggested I also send them here, so I summarized
them a bit and corrected for some mistakes I made.
---
The situation with document validation itself is complicated, and is
done against each country's PKI rather than that of ICAO, unlike what
the slides imply.
A complete validation of data accuracy requires:
- (Ideally) reading all files available at the current authentication level
- Validating hashes of the documents against the directory file
- Checking the signature of the document against the document signer
certificate, and the document signer certificate ("DSC") against the
country signer certificate authority certificate ("CSCA certificate").
See https://www.icao.int/icao-pkd/epassport-basics
(Plus validation against the biometric picture and comparing the full
name against what was stated in the CSR. These are both among the files
in the document.)
ICAO kindly publishes a PKD ("Master List"), but not all countries are
choosing to take part in this; currently 107 out of 193 UN-recognized
countries are members of this program: https://www.icao.int/icao-pkd
The current terms also bar commercial usage: https://download.pkd.icao.int/
However there is a pilot program to allow private sector users, and it
may be worthwhile to contact ICAO to hear if they think they'll roll
this out, what their timelines are, and if they'd be willing to allow
CAs into such a program once it goes GA:
https://www.icao.int/icao-pkd/private-sector-pilot
If I recall correctly from my own, non-commercial experiences, obtaining
Document Signer Certificates was also not always straightforward for all
participating countries, but I may have missed something obvious here.
Not all countries had a publicly available CRL/OCSP endpoint for DSCs,
if I recall correctly. It's a point that's worth looking into, and it
may be worthwhile to codify into requirements for public CAs that this
standard may only be utilized for documents from countries that
participate in ICAO's PKD and retain a public CRL/OCSP for DSCs.
I believe it would be worthwhile to still try to rely on ICAO's PKD
rather than requiring CAs to obtain CSCA certs through other means (e.g.
some countries publish it on a website for the CSCA), as ICAO assures
that the certificates are received through diplomatic channels.
---
There are insufficient protections against replay attacks within the proposal.
An eMRTD can be thought of as an authenticated, signed data store, with
most of the protection against cloning coming from the need to forge a
real-looking document. I have a copy of my passport's data in a
folder on my computer.
There are two primary methods to validate that there's a real eMRTD,
Chip Authentication and Active Authentication. Not all countries support
them across all documents. Sometimes countries change providers and the
chip/active authentication support is lost in the process. (I want to
include a note to thank the friend who was the first to point out that
these are lacking from the proposal when we were looking at the slides.)
The original proposal
<https://groups.google.com/a/groups.cabforum.org/g/servercert-wg/c/mzoJV9tsV-0?pli=1> mentions
Chip/Active authentication, but explicitly excludes it as it's not
widely or continuously deployed. In my opinion, this is a necessary
compromise to achieve sufficient liveness checks for the eMRTD.
---
I am of the opinion that public CAs deploying this standard for longer
validity certificates would benefit from storing the document details
and certificate for the duration of its validity, with a regular
automated check of the certificate against the country CRL/OCSP, and the
document number(/type/etc) against the Interpol database of lost and
stolen documents, specifically the I-Checkit program made available to
private sector partners: https://www.interpol.int/How-we-work/I-Checkit
This is a downgrade in privacy, but in my opinion this is a necessary
safeguard.
---
An alternative, smaller scale approach that came to mind would be to
build such an ACME standard for identity validation with EU's eIDAS, in
case it gets decided to not pursue this standard.
eIDAS is a requirement on all EU ID cards, and all EU countries except
Ireland and (if I recall correctly) Denmark issue ID cards to all citizens. I believe EU
residence permit cards tend to support eIDAS as well. eIDAS has further
mechanisms to handle identity verification and document validity
checking, alongside built-in liveness checking and a requirement to
insert a PIN (reducing risk from stolen documents). If I recall
correctly, it only requires approval from one country to integrate with
the entirety of the union.
(It's also a completely different proposal than this one and only covers
~500 million people (excluding emigrants) in one continent.)
Best regards,
Ave Özkal
_______________________________________________
Acme mailing list -- [email protected]
To unsubscribe send an email to [email protected]
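The following Go program is an added worked example and is not part of the message above or code by its author. It models the two checks the message contrasts: passive authentication as in the validation list (file hashes against the security object, the security object's signature against the DSC, the DSC against a CSCA in a trust store) and Active Authentication as the liveness check the replay section says the proposal lacks. Everything in it is constructed in the program: a toy CSCA and DSC, a sample DG1, an AA key pair. The SOD type is a simplified stand-in for the real CMS-wrapped LDSSecurityObject, the sample MRZ line is made up, and the challenge-response is ECDSA over a random 8-byte challenge rather than the exact ICAO AA signature format. Function and type names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SOD stands in for EF.SOD: the data-group hash table plus the Document Signer
// certificate, signed by that DSC. (A real SOD is a DER LDSSecurityObject in CMS.)
type SOD struct {
	DGHashes map[int][32]byte // SHA-256 of each DG present, keyed by DG number
	DSC      []byte           // DER certificate of the Document Signer
	Sig      []byte           // ASN.1 ECDSA signature by the DSC over digest()
}

// digest binds DG numbers and hashes, in DG order, into the value the DSC signs.
func (s SOD) digest() []byte {
	h := sha256.New()
	for dg := 1; dg <= 16; dg++ {
		if v, ok := s.DGHashes[dg]; ok {
			h.Write(append([]byte{byte(dg)}, v[:]...))
		}
	}
	return h.Sum(nil)
}

// PassiveAuth: DSC chains to a trusted CSCA, SOD signature verifies, each file read
// matches its listed hash. All inputs are copyable, so this vouches for the data only.
func PassiveAuth(dgs map[int][]byte, sod SOD, roots *x509.CertPool) error {
	dsc, err := x509.ParseCertificate(sod.DSC)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := dsc.Verify(opts); err != nil {
		return fmt.Errorf("DSC does not chain to a trusted CSCA: %w", err)
	}
	pub, ok := dsc.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, sod.digest(), sod.Sig) {
		return fmt.Errorf("SOD signature invalid")
	}
	for dg, data := range dgs {
		if want, listed := sod.DGHashes[dg]; !listed || sha256.Sum256(data) != want {
			return fmt.Errorf("DG%d not in SOD or hash mismatch", dg)
		}
	}
	return nil
}

// Responder answers an Active Authentication challenge with the private key whose
// public half the document publishes in DG15. A clone has copied files and no key.
type Responder func(challenge []byte) ([]byte, error)
func CloneResponder([]byte) ([]byte, error) { return nil, fmt.Errorf("clone has no AA private key") }

// ActiveAuth sends a fresh random challenge and verifies the answer against DG15.
func ActiveAuth(chip Responder, dg15 *ecdsa.PublicKey) bool {
	challenge := make([]byte, 8)
	if _, err := rand.Read(challenge); err != nil {
		return false
	}
	sig, err := chip(challenge)
	d := sha256.Sum256(challenge)
	return err == nil && ecdsa.VerifyASN1(dg15, d[:], sig)
}

// Issue builds the constructed sample: toy CSCA and DSC, a DG1, the signed SOD, the
// trust store, DG15's public key and the genuine chip. Setup errors are ignored for brevity.
func Issue() (map[int][]byte, SOD, *x509.CertPool, *ecdsa.PublicKey, Responder) {
	csca, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	dsk, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	aa, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t0, t1 := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	cscaTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Sample CSCA"},
		NotBefore: t0, NotAfter: t1, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	cscaDER, _ := x509.CreateCertificate(rand.Reader, cscaTpl, cscaTpl, &csca.PublicKey, csca)
	cscaCert, _ := x509.ParseCertificate(cscaDER)
	dscTpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Sample DSC"},
		NotBefore: t0, NotAfter: t1, KeyUsage: x509.KeyUsageDigitalSignature}
	dscDER, _ := x509.CreateCertificate(rand.Reader, dscTpl, cscaCert, &dsk.PublicKey, csca)
	dgs := map[int][]byte{1: []byte("P<UTOERIKSSON<<ANNA<MARIA<<<<<<<<<<<<<<<<<<<")} // constructed MRZ line
	sod := SOD{DGHashes: map[int][32]byte{1: sha256.Sum256(dgs[1])}, DSC: dscDER}
	sod.Sig, _ = ecdsa.SignASN1(rand.Reader, dsk, sod.digest())
	roots := x509.NewCertPool()
	roots.AddCert(cscaCert)
	chip := func(ch []byte) ([]byte, error) { d := sha256.Sum256(ch); return ecdsa.SignASN1(rand.Reader, aa, d[:]) }
	return dgs, sod, roots, &aa.PublicKey, chip
}

func main() {
	dgs, sod, roots, dg15, chip := Issue()
	fmt.Println("genuine: PA", PassiveAuth(dgs, sod, roots), "AA", ActiveAuth(chip, dg15))
	fmt.Println("clone:   PA", PassiveAuth(dgs, sod, roots), "AA", ActiveAuth(CloneResponder, dg15))
}
```

Running it prints a nil passive-authentication error for both the genuine document and the clone, because the clone is fed exactly the same files and SOD; only the Active Authentication result differs. That is the gap the replay section describes: passive authentication alone cannot tell a copied data set from the chip it came from, and the trust-store step is where the CSCA distribution question (ICAO PKD versus per-country publication) enters.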