Jeen de Swart · 2017. 10. 25. · Certification Authority CSCA Document Signing CA...
Jeen de Swart Senior Information / Security Architect
A National Public Key Directory The Dutch Solution
ICAO TRIP: Making Air Travel more Secure and Efficient
TOWARD BETTER TRAVELLER IDENTIFICATION MANAGEMENT
FOR ENHANCED BORDER CONTROL INTEGRITY
ICAO TRIP: Building Trust in Travel Document Security
[Diagram: The Dutch National Public Key Directory, NL-NPKD (LDAP); The Dutch National Single Point of Contact, NL-NSPOC (WSDL); The Dutch National Terminal Control Center, NL-TCC (WSDL)]
eMRTD, CSCA PKI chain
• Country Signing Certification Authority (CSCA)
• Country Signing CA Certificate X509 Ccsca - self signed - CSCA Public Key KPucsca
• Document Signing CA Certificate X509 Cds - issuer CSCA - DSCA Public Key KPuds
• RSA 2048 PKCS#15
• DocSigner (DS)
• EF.SOD
Other diagram labels: PKI, Document Signer (DS), HSM
eMRTD Passive Authentication
So the digital signature must be checked?
[Diagram: The Dutch National Public Key Directory, NL-NPKD (LDAP); The Dutch National Single Point of Contact, NL-NSPOC (WSDL); The Dutch Document Verifying Certification Authority, NL-DVCA (HSM)]
[Diagram labels: TCC, ISMC, IS, HSM, Terminal A, Terminal B, Terminal C; VENDOR TCC/IS TERMINALS: TCC/IS, HSM, Terminal A, Terminal B, Terminal C]
[Diagram labels: NL-NPKD (webservice, LDAP, gui); NL-NSPOC (webservice); NL-TCC (webservice); NL-ISMC (webservice); LB1, LB2; NL-IS1 (HSM); NL-IS2 (HSM); EFSOD webservice; NL-EFSOD (webservice)]
ROOT CA: CONNECT-CA
• AdminCA: CA for TLS connections between admin-systems and PKI-EAC systems
• TlsCA: CA for TLS connections between EAC-PKI systems (shown with: NSPOC, NPKD, ISMC)
• AdminMCCA: CA for TLS connections between ISMC and IS-systems (shown with: ISMC, ISxx)
• TerminalTLSCA: CA for TLS connections between IS-systems and terminal-readers (shown with: Terminal-xx)
[Diagram labels: Internet, JustitieNet, SERVICES, ROOT, PROD, ACPT, MGMT, DMZI, WRKS, NPKD-Extern, CONNECT-CA, MONITORING]
Governance
• Government / Ministries
• Policy Authority
• PA Secretary
• Architect
• Auditor
• Security Officer
• NPKD Responsible
• CONNECTCA Responsible
• NSPOC Responsible
• EAC-PKI Responsible
SETUP AND COSTS
• Tender
• Self made
• Combination
In any case you need:
• An architecture
• Project plan
• Knowledge
• Organization
• Trained personnel
• …
Costs are hard to predict. Timeline at least a year.
WHITE PAPER: A NATIONAL PUBLIC KEY DIRECTORY
TRIP Magazine: THE DUTCH VERIFICATION SOLUTION