Jeen de Swart · 2017. 10. 25. · A National Public Key Directory: The Dutch Solution

Page 1: Jeen de Swart · 2017. 10. 25. · C e rtific a tio n A u th o rity CSCA Document Signing CA Certificate X 5 0 9 Cds - issuer CSCA - DSCA Public Key KPu ds RSA 2 0 4 8 PKCS# 1 5 DocSigner
Page 2:

Jeen de Swart, Senior Information / Security Architect

A National Public Key Directory: The Dutch Solution

ICAO TRIP: Making Air Travel more Secure and Efficient

TOWARD BETTER TRAVELLER IDENTIFICATION MANAGEMENT FOR ENHANCED BORDER CONTROL INTEGRITY

Page 3:

ICAO TRIP: Building Trust in Travel Document Security

Page 4: Components of the Dutch solution (diagram labels)

- The Dutch National Public Key Directory (NL-NPKD): LDAP
- The Dutch National Single Point of Contact (NL-NSPOC): WSDL
- The Dutch National Terminal Control Center (NL-TCC): WSDL

Page 5: eMRTD, CSCA PKI chain (diagram labels)

- Country Signing Certification Authority (CSCA), HSM
  - Country Signing CA Certificate, X509, Ccsca: self signed, CSCA Public Key KPucsca
- PKI Document Signer (DS), HSM
  - Document Signing CA Certificate, X509, Cds: issuer CSCA, DSCA Public Key KPuds, RSA 2048, PKCS#15, DocSigner (DS)
- EF.SOD (signed by the Document Signer)

Page 6: eMRTD Passive Authentication

So the digital signature must be checked?

Page 7: Components of the Dutch solution (diagram labels)

- The Dutch National Public Key Directory (NL-NPKD): LDAP
- The Dutch National Single Point of Contact (NL-NSPOC): WSDL
- The Dutch Document Verifying Certification Authority (NL-DVCA): HSM

Page 8: VENDOR TCC/IS TERMINALS (diagram labels)

- TCC / ISMC
- IS, HSM
- Terminal A, Terminal B, Terminal C

Page 9: Deployment overview (diagram labels)

- NL-NPKD: webservice, LDAP, gui
- NL-NSPOC: webservice
- NL-TCC: webservice
- NL-ISMC: webservice
- NL-IS1 (HSM), NL-IS2 (HSM), LB1, LB2
- NL-EFSOD: webservice

Page 10:

Page 11:

Page 12: TLS CA hierarchy (diagram labels)

- ROOT CA
- CONNECT-CA
- AdminCA: CA for TLS connections between admin-systems and PKI-EAC systems
- TlsCA: CA for TLS connections between EAC-PKI systems (NSPOC, NPKD, ISMC)
- AdminMCCA: CA for TLS connections between ISMC and IS-systems (ISMC, ISxx)
- TerminalTLSCA: CA for TLS connections between IS-systems and terminal-readers (Terminal-xx)

Page 13: Network zones (diagram labels)

Internet · JustitieNet · SERVICES · ROOT · PROD · ACPT · MGMT · DMZI · WRKS · NPKD-Extern · CONNECT-CA · MONITORING

Page 14: Governance (diagram labels)

- Policy Authority; Government / Ministries
- PA Secretary, Architect, Auditor, Security Officer
- NPKD Responsible, CONNECT-CA Responsible, NSPOC Responsible, EAC-PKI Responsible

Page 15: SETUP AND COSTS

• Tender
• Self made
• Combination

In any case you need:
• An architecture
• Project plan
• Knowledge
• Organization
• Trained personnel
• …

Costs are hard to predict. Timeline at least a year.

WHITE PAPER: A NATIONAL PUBLIC KEY DIRECTORY
TRIP Magazine: THE DUTCH VERIFICATION SOLUTION

Page 16:

ICAO TRIP: Building Trust in Travel Document Security

Page 17: Contact Details

Name: Jeen de Swart
Email: [email protected]