1: As I understand it, the ICAO master list and the EU master list are the most trustworthy sources of data today. As I understand it, the private sector pilot is about allowing private sector systems to become authorized inspection systems with fingerprint. This could also become an additional way to verify users using a desktop fingerprint reader.

2: I know that. That's why I suggest a system where a biometric face scan with liveness check is done, which is then linked to a secure hash of the passport object AND the ACME account. These two strong links ensure that: a: the passport is not replaced with another passport (to use the approved biometric scan to approve a passport that is not yours); b: the passport is not stolen. Basically, the biometric scan tells us that "ACME account A is authorized to use passport represented with hash(B) an unlimited number of times". This means no personal data needs to be stored, and that's why you have to resubmit validation for every renewal. The biggest problem with chip authentication and active authentication is, as I mentioned, that not all countries procure chips with CA/AA support enabled. My current passport has the AA flag unset; it says "Active authentication: NOT PRESENT/NOT SUPPORTED", meaning replay attacks cannot be prevented. Requiring AA or CA for authentication risks excluding many people just because their passport issuer didn't procure the "right chips".

3: My idea is that it's up to the CA to decide how long they want to trust the data and how they want to check against CRLs. Nothing prevents the CA from storing just the certificate serial of the passport, for example. Since the linking to the ACME account is so strong, I see that the biometric authentication can be valid for the life of the passport. It's locked to the ACME account, which is secure enough.

4: Authentication via eIDAS is already approved today according to CAB. However, there are two problems with eIDAS. First, it's very costly to enroll in eIDAS. Some countries might allow you to enroll for free, but participating countries may not always accept these free providers due to the risk of fraud if there's no payable business identity behind them. With "enroll" here, I'm talking about accepting ID cards. Using an ID card in eIDAS is always free. Second, it cannot be automated.
It would require a manual action for each renewal. eIDAS could be a system that could replace the biometric authentication in certain situations --> where eMRTD data is used to authorize a renewal, while the eMRTD data + eIDAS data is verified once with a PIN code or other authentication factor to "approve" the ACME account to make unlimited renewals with the very same eMRTD. The biggest advantage with eMRTD is that it's free: anyone with some software code, the right public keys, and an NFC scanner can scan a passport and fetch all the data on it, including the picture (to make a biometric comparison), all the data printed on the passport, and some additional info. The only thing that is restricted is the fingerprint, which requires terminal authentication. That's the biggest advantage, which means the friction for a CA to implement it, with a fully automated validation solution where no human needs to approve the issuance (like Let's Encrypt), is very low, and it will drive down the prices for IV certificates.

From: [email protected] <[email protected]> on behalf of Ave Özkal
Sent: 23 March 2026 18:49
To: [email protected]
Subject: [Acme] Feedback on EMRTD-DATA-01

Hello all,

I'm Ave Özkal. I'm not working for any CA, and have no WG experience, however I have implemented ICAO 9303 (the standard for MRTD/eMRTDs) several times for OSS projects (it was my covid lockdown hobby) and have some close familiarity with it.

I read the slides on EMRTD-DATA-01 <https://datatracker.ietf.org/meeting/125/materials/slides-125-acme-emrtd-data-01-00>, assembled a list of thoughts and concerns, and contacted Mike Ounsworth with them earlier. He suggested I also send them here, so I summarized them a bit and corrected for some mistakes I made.

---

The situation with document validation itself is complicated, and is done against each country's PKI rather than that of ICAO, unlike what the slides imply.
A complete validation of data accuracy requires:

- (Ideally) reading all files available to the current authentication level
- Validating hashes of the documents against the directory file
- Checking the signature of the document against the document signer certificate, and the document signer certificate ("DSC") against the country signer certificate authority certificate ("CSCA certificate"). See https://www.icao.int/icao-pkd/epassport-basics

(Plus validation against the biometric picture and comparing the full name against what was stated in the CSR. These are both among the files in the document.)

ICAO kindly publishes a PKD ("Master List"), but not all countries are choosing to take part in this; currently 107 out of 193 UN-recognized countries are members of this program: https://www.icao.int/icao-pkd

The current terms also bar commercial usage: https://download.pkd.icao.int/

However, there is a pilot program to allow private sector users, and it may be worthwhile to contact ICAO to hear if they think they'll roll this out, what their timelines are, and if they'd be willing to allow CAs into such a program once it goes GA: https://www.icao.int/icao-pkd/private-sector-pilot

If I recall correctly from my own, non-commercial experiences, obtaining Document Signer Certificates was also not always straightforward for all participating countries, but I may have missed something obvious here. Not all countries had a publicly available CRL/OCSP endpoint for DSCs, if I recall correctly. It's a point that's worth looking into, and it may be worthwhile to codify into requirements for public CAs that this standard may only be utilized for documents from countries participating in ICAO's PKD and retaining a public CRL/OCSP for DSCs.

I believe it would be worthwhile to still try to rely on ICAO's PKD rather than requiring CAs to obtain CSCA certs through other means (e.g. some countries publish it on a website for the CSCA), as ICAO assures that the certificates are received through diplomatic channels.

---

There's insufficient protection against replay attacks within the proposal. An eMRTD can be thought of as an authenticated, signed data store, with most of the protection against cloning coming from the need to forge a real-looking document. I have a copy of my passport's data within a folder in my computer.

There are two primary methods to validate that there's a real eMRTD, Chip Authentication and Active Authentication. Not all countries support them across all documents. Sometimes countries change providers and the chip/active authentication support is lost in the process. (I want to include a note to thank the friend who was the first to point out that these are lacking from the proposal when we were looking at the slides.)

The original proposal <https://groups.google.com/a/groups.cabforum.org/g/servercert-wg/c/mzoJV9tsV-0?pli=1> mentions Chip/Active authentication, but explicitly excludes it as it's not widely or continuously deployed. In my opinion, this is a necessary compromise to achieve sufficient liveness checks for the eMRTD.

---

I am of the opinion that public CAs deploying this standard for longer validity certificates would benefit from storing the document details and certificate for the duration of its validity, with a regular automated check of the certificate against the country CRL/OCSP, and the document number (/type/etc.) against the Interpol database of lost and stolen documents, specifically the I-Checkit program made available to private sector partners: https://www.interpol.int/How-we-work/I-Checkit

This is a downgrade in privacy, but in my opinion this is a necessary safeguard.

---

An alternative, smaller scale approach that came to mind would be to build such an ACME standard for identity validation with EU's eIDAS, in case it gets decided to not pursue this standard.
eIDAS is a requirement on all EU ID cards, and all EU countries except Ireland and iirc Denmark issue ID cards to all citizens. I believe EU residence permit cards tend to support eIDAS as well. eIDAS has further mechanisms to handle identity verification and document validity checking, alongside built-in liveness checking and a requirement to insert a PIN (reducing risk from stolen documents). If I recall correctly, it only requires approval from one country to integrate with the entirety of the union. (It's also a completely different proposal than this one and only covers ~500 million people in (excluding emigrants) one continent.)

Best regards,
Ave Özkal
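A simplified model of the passive-authentication steps listed in Ave's message (DG hashes against the security object, then the signer check) and of the replay gap both messages discuss, added here as an example; it is not code from either message, from the draft, or from any ICAO library. It assumes constructed data groups and models the DSC signature over the SOD with an HMAC under a constructed key, since a real SOD is CMS SignedData; the data-group hash-list check is the real step.

```python
"""Simplified ICAO 9303 passive authentication (constructed example).
Hash each data group (DG) read from the chip, compare with the hash list in
the Document Security Object (SOD), then verify the SOD signature from the
Document Signer Certificate (DSC), which chains to the state's CSCA. The DSC
signature is modelled with an HMAC under a constructed key (stdlib only);
the DG hash-list check is the real step."""
import hashlib
import hmac
import json

# Constructed sample data groups: DG1 carries the MRZ, DG2 the face image.
DATA_GROUPS = {
    1: b"P<UTOERIKSSON<<ANNA<MARIA<<<<<<<<<<<<<<<<<<<<<<<L898902C3",
    2: b"\x89PNG\r\n\x1a\n constructed face image bytes",
}
DSC_KEY = b"constructed-document-signer-key"  # stand-in for the DSC private key


def build_sod(data_groups, signing_key):
    """Issuer side: list SHA-256 of each DG and 'sign' the list (HMAC stand-in)."""
    hashes = {str(n): hashlib.sha256(d).hexdigest() for n, d in data_groups.items()}
    body = json.dumps({"alg": "sha256", "dg_hashes": hashes}, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(signing_key, body, "sha256").hexdigest()}


def passive_auth(data_groups, sod, trusted_key):
    """Inspection side. Returns (ok, failures); failures lists 'SOD' or DG numbers."""
    # Step 1: the SOD must be signed by a trusted document signer.
    expected = hmac.new(trusted_key, sod["body"], "sha256").hexdigest()
    if not hmac.compare_digest(expected, sod["sig"]):
        return False, ["SOD"]
    # Step 2: every DG actually read must hash to the value the SOD lists.
    listed = json.loads(sod["body"])["dg_hashes"]
    bad = [n for n, d in data_groups.items()
           if listed.get(str(n)) != hashlib.sha256(d).hexdigest()]
    return not bad, bad


if __name__ == "__main__":
    sod = build_sod(DATA_GROUPS, DSC_KEY)
    print("genuine read:", passive_auth(DATA_GROUPS, sod, DSC_KEY))
    # A file copy of the same DGs + SOD passes identically: passive
    # authentication cannot tell a chip from a replay; only CA/AA can.
    print("replayed copy:", passive_auth(dict(DATA_GROUPS), sod, DSC_KEY))
    tampered = {**DATA_GROUPS, 2: b"swapped face image"}
    print("swapped DG2:", passive_auth(tampered, sod, DSC_KEY))
    print("untrusted signer:", passive_auth(DATA_GROUPS, sod, b"other-key"))
```

The swapped-DG2 case is what the hash list protects against; the replayed-copy case is what it does not, which is why the thread turns to Chip/Active Authentication and account binding.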
