EU Commission uses secunet N-PKD module in Schengen Master List pilot project
July 2017 by Marc Jacob
The European Commission is currently operating a pilot project trialling the use of master lists for managing the exchange of certificates in electronic identity documents (eID). The Schengen Master List is a collection of trusted certificates (CSCA) which are required for checking eIDs. Approved authorities in the Member States can then check eIDs without the need to contact the issuing country directly. The secunet eID PKI Suite for generating and managing master list certificates is used in the test system.
In eIDs such as passports, the information stored on the integrated chip is secured using encryption procedures. A public key from the country issuing the document is therefore needed to check the integrity and authenticity of a document (passive authentication). If eIDs are checked at border control, the key required for access is distributed securely in the form of certificates - also known as "Country Signing Certificate Authority (CSCA) certificates".
The exchange of CSCA certificates has proved challenging in recent years, since to date there has been no standard process for the exchange of certificates between individual countries, and customised procedures have had to be used between partner countries. For this reason, the International Civil Aviation Organization, ICAO, has piloted the concept of master lists as a tool for distributing certificates. Master lists contain trusted CSCA certificates which are signed and distributed by the issuing country.
The Joint Research Centre (JRC) of the European Commission manages the pilot project for creating the Schengen Master List to facilitate exchange of certificates, and published the first Schengen Master List at the start of this year. It contains an initial set of trusted certificates.
One of the main goals of the pilot project is to involve additional Member States in the process of validating new CSCA certificates. Validation is a requirement for including only trusted CSCA certificates in the Schengen Master List. Norway and Portugal are currently providing information for the validation of new CSCA certificates, and are testing the feasibility of the Schengen Master List as a standard basis for secure electronic verification of international travel documents.
The pilot project provides valuable statistical information regarding the validation of certificates supplied by any country world-wide, through border control processes. Based on the validation of CSCA certificates by the participants, a new Schengen Test Master List can be generated using the JRC test public key directory.
secunet is providing a national public key directory (N-PKD) in addition to extensive expertise on drafting suitable guidelines for the new system. The N-PKD module of the secunet eID PKI Suite is used by the JRC test system for generating and managing master list certificates for the Schengen Test Master List.
The secunet eID PKI Suite is already in use in several European projects. The German Federal Police have been using the secunet eID PKI Suite to check electronic identity documents at their border inspection posts since 2011. The Smart Borders project operated by the European Commission uses the secunet eID PKI Suite for the exchange and validation of certificates, and for the management of the Schengen CSCA master list.