Prague08

ePassports EAC Conformity & Interoperability Tests
Prague, September 7th - 12th 2008

EAC PKI tests

Overview

EU regulation n°2252/2004 defines June 2009 as the deadline for the introduction of fingerprints in the ePassport chip. Technical specifications on access control to the biometrics are now at a final stage, and the first prototypes of chips and readers are now in the field.

In order to ensure conformity and interoperability, the Brussels Interoperability Group (BIG) decided to work on a test specification for a conformity test suite. This work was led by France and Germany and supported by other member states.

The Czech Republic has offered to organize a major test event in Prague in September 2008, on behalf of BIG.

One of the goals of this event is to perform EAC PKI tests. The proposed PKI test is described in this document.

Objectives of EAC PKI tests

The objectives of the testing are:

Organization

7-12th September 2008

Prague Congress Centre

Ministry of Interior of the Czech Republic, Ministry of Interior of France

Brussels Interoperability Group, European Commission

Info for participants

The Prague interoperability test event is open to European Economic Area (EEA) Member States who wish to test their 2nd biometric ePassport, EAC Public Key Infrastructure (EAC PKI) and inspection systems.

Please note that participation is subject to the agreement of the organizers on behalf of the BIG, based on the fulfillment of the requirements listed in the next section. If a non-compliance is detected during the registration process, the participant may be rejected, or accepted without having its results taken into account in the official results, depending on the level of non-compliance.

The number of participants is limited to 2 persons per provider due to the limited space in the room dedicated to the tests.

Place and date of the EAC PKI tests

Testing will be done on the 3rd floor of the Prague Congress Centre, South Hall (850 sq. m). Testing will run from September 7th to September 12th 2008.

Concept of EAC PKI tests

Tests are open only for participants registered by an official (governmental) organization.

Each member state can register 2 sets of ePassports. A set means ePassports that differ from the others in OS and/or chip. Each member state has to submit 2 samples in each set.

Levels of participation in EAC PKI Tests

An implementation of the EAC PKI is provided by the test hosts. This makes it possible for a Member State to participate with its own PKI or to test with the Czech EAC PKI.

The following levels are open for involvement with the PKI test (the level depends on the readiness of the testing partner for the EAC PKI test):

Level 1 - Country participates with its CVCA. The country must be able to do the following:

  a) CVCA and/or DV registration (simulates EU CP registration)
  b) Generate a CVCA certificate and send it to all registered CVCAs
  c) Send the CVCA certificate to all registered DVs
  d) Receive a DV certificate request (request authorised by an outer signature by the domestic CVCA), process it and send the certificate to the respective DV
  e) Receive a DV certificate request (request authorised by an outer signature by the previous DV key), process it and send the certificate to the respective DV
  f) The CVCA will generate a new key pair and link certificate. Point e) will be repeated using the new key pair (optionally)

Level 2 - Country participates with its CVCA and personalises ePassport samples for EAC PKI tests. This participation level has the following attributes:

  a) The CVCA performs the processes from participation level 1 (DV certification)
  b) Samples of EAC ePassports personalised with that country's CVCA certificate (laboratory personalisation is sufficient)
  c) Initial trust (according to Level 1b) - link certificates (according to Level 1f). The ePassport can be read using the following trust options:
    • Initial - normal, without link certificates
    • With link certificates

Level 3a - Participation with member state’s PKI

In addition to Level 1 or 2, a country can build its own PKI for its DV certification process (according to Level 1d and 1e).

Level 3b - Participation with member state’s Inspection system

In addition to the previous point, a country can build its own inspection system, which the country will bring to Prague for reading tests of the foreign EAC ePassports (the Czech passport samples will be available for this purpose).

Participation level dependencies

Participation in the PKI Test will require the following procedures to be completed: