i. What is the Public Key Directory (PKD)?
The ICAO PKD is the central platform for managing the worldwide exchange of public key certificates needed for the electronic verification of electronic Machine Readable Travel Documents (eMRTDs), other ICAO-specified digitally signed document formats and Certificate Revocation Lists (CRLs). The PKD content is validated before being made available for download to participants via dedicated download connections. The contents can also be downloaded for free at http://download.pkd.icao.int/.
ii. What is the added value of the PKD?
As more and more States introduce ePassports, eID cards and digitally signed document formats such as the ICAO Visible Digital Seal (VDS), the PKD guarantees that the necessary exchange of certificates and CRLs between States is simple, fast and cost-effective. The PKD is critical for efficient exchange, for the timely availability and use of the data, and for managing adherence to the technical standards on which interoperability depends.
iii. Why is it important that ICAO supports the PKD?
ICAO issues Document 9303, the central reference for ePassports and other eMRTDs as well as for VDS, based on ISO standards. ICAO's existing expertise and reputation make its support for the PKD a natural and self-evident consequence for which there is no comparable alternative.
iv. Who are the PKD Participants?
The PKD Participants are indicated on the PKD website.
v. How can I participate in the ICAO PKD?
The steps to follow are described at:
vi. Where can I find the Notice of Participation?
The Notice of Participation can be downloaded from the PKD website.
vii. Where can I find the Notice of Registration?
The Notice of Registration can be downloaded from the PKD website.
viii. What are User Fees?
Installing and maintaining participant access for upload and download of data to and from the PKD, as well as administering the overall PKD system, requires continued action by the ICAO Secretariat and by the private sector entity supporting the PKD in this work (the "PKD operator"), and incurs ongoing costs. The Memorandum of Understanding that defines the arrangements between ICAO and PKD participants allows User Fees to be defined to cover these costs.
ix. What fees do I have to pay for participation?
The current PKD Fee Schedule can be downloaded from the PKD website.
The schedule covers participation fees for States and document issuing entities that become PKD participants. Schedules for other fee-based PKD usage for other entities (e.g. private sector entities) will be made available if and when such other usage becomes possible. At this stage, consideration of this usage is exploratory in nature.
x. What does active participation mean?
After the Notice of Participation has been lodged and the Registration Fee has been paid, the responsible entity is considered a PKD Participant. At this stage the Participant prepares to connect its national PKD with the central PKD, with the support of the PKD Operator. It also deposits its root-of-trust certificate (the CSCA certificate) with ICAO in a PKD key import ceremony; this certificate is then used to validate all of that Participant's uploads. Once the CSCA certificate has been deposited and the Participant can upload the foreseen contents to the PKD, it is considered 'active'. The Participant should continue uploading and downloading content on a regular basis thereafter.
xi. What contents does the PKD offer for download?
The PKD offers:
- Document Signer Certificates (DSCs).
- Certificate Revocation Lists (CRLs).
- Master Lists of CSCA Certificates (MLs).
- Barcode Signer Certificates (BCSCs) for verification of VDS and VDS-NC.
xii. How can I check eMRTDs with the PKD?
The eMRTD must be checked using a complete chain of trust. This chain of trust consists of an electronic signature check of the RFID chip data using the Document Signer Certificate (DSC). It further comprises the validation of the DSC against the CSCA Certificate of the issuing country. All certificate material used must be checked against the current Certificate Revocation Lists (CRLs) and shown not to be revoked.
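As an added illustration that is not part of the ICAO FAQ or of any PKD software, the Go program below builds a hypothetical issuer (country code "UT"; CSCA, DSC and CRL generated in memory with the standard crypto/x509 package), signs a constructed stand-in for the chip's Document Security Object with the DSC key, and then performs the three checks this answer describes in the order a verifier would apply them: chain validation of the DSC against the CSCA, a check of the CSCA's current CRL, and the signature check over the chip data. A real eMRTD verifier parses the SOD's CMS structure and the data group hashes; here a plain signed byte string stands in for that.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must panics on error to keep fixture setup short; a production verifier returns errors instead.
func must[T any](v T, err error) T {
	if err != nil { panic(err) }
	return v
}

// Issuer is a hypothetical ePassport issuer (country "UT", constructed here): CSCA, one DSC, current CRL.
type Issuer struct {
	CSCA, DSC       *x509.Certificate
	CRL             *x509.RevocationList
	cscaKey, dscKey *ecdsa.PrivateKey
}

// certTemplate builds a minimal end-entity certificate template valid from an hour ago for `life`.
func certTemplate(serial int64, org string, life time.Duration) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{Country: []string{"UT"}, Organization: []string{org}},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(life),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
}

// issueCRL publishes a CSCA-signed CRL with the given number, listing the serials as revoked.
func (iss *Issuer) issueCRL(number int64, revoked ...*big.Int) {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: now, NextUpdate: now.Add(90 * 24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	iss.CRL = must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, iss.CSCA, iss.cscaKey))))
}

// NewIssuer generates the CSCA (self-signed root of trust), a DSC chained to it and an empty CRL.
func NewIssuer() *Issuer {
	iss := &Issuer{
		cscaKey: must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)),
		dscKey:  must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)),
	}
	csca := certTemplate(1, "Utopia CSCA", 15*365*24*time.Hour)
	csca.IsCA, csca.BasicConstraintsValid = true, true
	csca.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	iss.CSCA = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, csca, csca, &iss.cscaKey.PublicKey, iss.cscaKey))))
	dsc := certTemplate(2, "Utopia Passport Office", 90*24*time.Hour)
	iss.DSC = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, dsc, iss.CSCA, &iss.dscKey.PublicKey, iss.cscaKey))))
	iss.issueCRL(1)
	return iss
}

// SignChipData stands in for the Document Security Object: the DSC key signs SHA-256(chip data).
func (iss *Issuer) SignChipData(data []byte) []byte {
	digest := sha256.Sum256(data)
	return must(ecdsa.SignASN1(rand.Reader, iss.dscKey, digest[:]))
}

// RevokeDSC publishes a new CRL that lists the DSC's serial number.
func (iss *Issuer) RevokeDSC() { iss.issueCRL(2, iss.DSC.SerialNumber) }

// VerifyChip applies the FAQ's chain of trust: the DSC chains to the issuing country's CSCA,
// the current CSCA CRL does not list the DSC, and the chip data signature verifies under the DSC.
func VerifyChip(chipData, sig []byte, dsc, csca *x509.Certificate, crl *x509.RevocationList, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(csca)
	// DSCs carry no extended key usage, so ExtKeyUsageAny keeps Go from applying its TLS default.
	if _, err := dsc.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("DSC does not chain to CSCA: %w", err)
	}
	if err := crl.CheckSignatureFrom(csca); err != nil {
		return fmt.Errorf("CRL not signed by CSCA: %w", err)
	}
	if at.After(crl.NextUpdate) {
		return errors.New("CRL is stale; refresh it before trusting the result")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(dsc.SerialNumber) == 0 {
			return errors.New("DSC is revoked")
		}
	}
	if err := dsc.CheckSignature(x509.ECDSAWithSHA256, chipData, sig); err != nil {
		return fmt.Errorf("chip data signature invalid: %w", err)
	}
	return nil
}
```

Calling RevokeDSC publishes a CRL with a higher number that lists the DSC, after which VerifyChip rejects the very signature it accepted a moment earlier; that is the CRL leg of the chain. A CRL whose NextUpdate has passed is rejected as stale rather than silently trusted, and a DSC presented with a different country's CSCA fails at the chain step before any signature over chip data is even looked at.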
xiii. Is it possible to access fingerprints in ePassports with the PKD?
No. While signature checks of ePassports and access to fingerprints in ePassports use Public Key Infrastructure (PKI) technology, it is impossible to access fingerprints using PKD contents.
xiv. What is the 15-month deadline?
After participation becomes effective, a PKD Participant has 15 months to start active participation. The Participant becomes liable for the Operator portion of the fee when it becomes active, or, alternatively, after 15 months of participation irrespective of whether it is active.
xv. What are the advantages of offering the PKD via the Internet?
The exchange of certificates and certificate revocation lists must be reliable and timely. This cannot be achieved by anything other than electronic means. All usual and appropriate measures are taken to protect the PKD from attacks over the Internet.
xvi. Is there a risk of downloading viruses or other malicious software from the PKD?
No. The PKD contents are text files that do not contain any scripts or executable code.
xvii. Where can I find further information?
xviii. The PKD is used to check digital signatures in eMRTD chips. How can that help to detect look-alike fraud?
Modern biometric systems are capable of comparing the facial image stored in an eMRTD with a live-capture image of a person's face within a few seconds. Even the small deviations typical of look-alike fraud are reliably detected, and the person can be directed to secondary inspection.
The PKD-based eMRTD chip signature check determines chip data integrity including biometrics. Validating the chip is essential if you are relying on the facial image stored on the chip, particularly in border control scenarios experiencing high volumes of passengers.
xix. Does the PKD offer a facility for exchanging certificates for fingerprint access?
The PKD Memorandum of Understanding (MoU) does not cover the exchange of Document Verifier Certificates and related information for secondary biometrics in ePassports.
xx. What is the added value of the PKD for ePassport issuing States without automated border control?
Active participation in the PKD means that other States can electronically verify travel documents from participating States using the PKD. This means that citizens of that State may enjoy facilitated border crossings while travelling, including through manual border checks. In addition, ensuring widespread capacity to electronically verify one's travel document improves global trust in that document and can be a consideration in decision-making around visa-free regimes etc.
xxi. Why does the PKD contain non-standard conformant contents?
There are valid eMRTDs in circulation that use certificates which were not conformant with the ICAO specifications in place at the time of issuance. Although ICAO and the ICAO PKD seek to ensure high data quality, such non-conformances can occur. Up to 2021, the associated certificates were stored in the PKD in a "non-conformant" branch so that receiving parties could conveniently decide whether to import such certificates into their national PKDs and use them in electronic verification. In 2021 this branch ceased to be used, given that the PKD is not considered to be a regulatory body in terms of approving conformance. The non-conformant branch remains available for downloading material placed there prior to 2021. Some contents of the "conformant" branch uploaded since 2021 may include small deviations from ICAO specifications.
xxii. What action does the PKD Board take to improve PKD data quality?
If a PKD Participant attempts to upload non-conformant contents, it is informed so that future issuance can be corrected. A conformance website is also available as part of the PKD system so that participants can verify conformance themselves before uploading data or using it.
xxiii. What is meant by 'strictly secure diplomatic means (out-of-band distribution)'?
Ahead of a PKD key import ceremony, a CSCA certificate must be provided via "strictly secure diplomatic means (out-of-band distribution)". This distribution may be made via personal diplomatic exchange, diplomatic pouch or any other similar procedure or means. It can also be by e-mail, website etc., provided that the recipient is obliged to verify the integrity of the received certificate by out-of-band communication, e.g. using a printed cryptographic hash that has been sent by diplomatic mail.
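An added example, not from the ICAO page, of the recipient-side integrity check this answer describes: the certificate that arrived by e-mail or from a website is hashed and compared with the hash that arrived out of band on paper. It assumes SHA-256 is the printed hash's algorithm (the page does not say which), and it tolerates the formatting a hash typically picks up on paper (upper case, colon or space separators, line breaks) while rejecting anything malformed or of the wrong length.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"strings"
)

// Fingerprint returns SHA-256 over the DER-encoded certificate as lowercase hex, the form one
// would print and send by diplomatic mail.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// parsePrinted turns a hash as transcribed from paper back into bytes. Separators that printed
// hashes commonly carry (spaces, colons, hyphens, line breaks) are dropped; any other non-hex
// character makes the value invalid rather than being silently ignored.
func parsePrinted(printed string) ([]byte, error) {
	clean := strings.NewReplacer(" ", "", ":", "", "-", "", "\n", "", "\r", "", "\t", "").Replace(printed)
	return hex.DecodeString(clean)
}

// MatchesPrintedHash reports whether the certificate received over the network matches the hash
// delivered out of band. The comparison is constant-time, and a malformed or wrong-length
// printed value never matches.
func MatchesPrintedHash(der []byte, printed string) bool {
	want, err := parsePrinted(printed)
	if err != nil || len(want) != sha256.Size {
		return false
	}
	got := sha256.Sum256(der)
	return subtle.ConstantTimeCompare(got[:], want) == 1
}
```

The length check before the comparison matters: a truncated transcription must fail rather than be compared against a prefix, and the constant-time compare avoids leaking how many leading bytes matched.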
xxiv. Can CSCA Certificates be published on a state's website, or would this be a breach of ICAO standards?
Certificates are public information and as such can be published on a website. This is not a breach of ICAO standards.
xxv. Where can I get technical information for uploading contents to the PKD?
Technical questions are answered by the documentation that the ICAO PKD Office and the PKD Operator send to you once you become a PKD Participant. You may also wish to check the PKD documentation available for download on the PKD website, in particular the PKD Regulations and PKD Procedures.
xxvi. How can the CSCA Certificates, Document Signer Certificates (DSCs) and Certificate Revocation Lists (CRLs) of China, Hong Kong, China, and Macao, China be differentiated?
There are three passport issuing locations in China:
i) one for mainland China;
ii) one for Hong Kong, China; and
iii) one for Macao, China.
They share the same ISO 3166 Country Code (i.e. C = CN) in CSCA Certificates, DSCs and CRLs. Hence, these certificates and CRLs are all stored under the same branch with Country Code "CN" in the PKD. Border control authorities can differentiate between the entries of the three issuing locations by using both the Country Code (C) and the Organization (O) attributes. The certificate attributes of China, Hong Kong, China and Macao, China compare as follows.
Attribute        | China                  | Macao, China  | Hong Kong, China
C (Country)      | C = CN                 | C = CN        | C = CN
O (Organization) | O = Chinese Government | O = Macao SAR | O = Hong Kong China
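An added example, not from the ICAO page or any PKD software, of a CSCA lookup keyed on both C and O as this answer recommends. The three certificate objects are constructed in memory with subject names only, taken from the table (no keys or signatures, so chain validation itself is out of scope here); the point shown is that a store keyed on the country code alone collapses the three issuing locations into one bucket, whereas a (C, O) key selects exactly the CSCA named in a DSC's Issuer field.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"strings"
)

// IssuerKey builds the lookup key the answer recommends: the ISO 3166 country code (C)
// combined with the Organization (O). Multi-valued attributes are joined so the key is stable.
func IssuerKey(n pkix.Name) string {
	return strings.Join(n.Country, ",") + "/" + strings.Join(n.Organization, ",")
}

// CSCAStore indexes CSCA certificates by the (C, O) key of their subject.
type CSCAStore map[string][]*x509.Certificate

// NewCSCAStore indexes the given CSCAs; more than one certificate may share a key.
func NewCSCAStore(cscas []*x509.Certificate) CSCAStore {
	s := CSCAStore{}
	for _, c := range cscas {
		k := IssuerKey(c.Subject)
		s[k] = append(s[k], c)
	}
	return s
}

// CandidatesFor returns the CSCAs whose subject matches the DSC's issuer on both C and O,
// i.e. the only certificates a verifier needs to try as the DSC's signer.
func (s CSCAStore) CandidatesFor(dsc *x509.Certificate) []*x509.Certificate {
	return s[IssuerKey(dsc.Issuer)]
}

// ByCountryOnly counts CSCAs per country code: what a store keyed on C alone would see.
func ByCountryOnly(cscas []*x509.Certificate) map[string]int {
	counts := map[string]int{}
	for _, c := range cscas {
		counts[strings.Join(c.Subject.Country, ",")]++
	}
	return counts
}

// SampleCSCAs returns constructed certificate skeletons carrying only the subject names from
// the table (no keys, no signatures), which is enough to exercise the indexing.
func SampleCSCAs() []*x509.Certificate {
	mk := func(o string) *x509.Certificate {
		return &x509.Certificate{Subject: pkix.Name{Country: []string{"CN"}, Organization: []string{o}}}
	}
	return []*x509.Certificate{mk("Chinese Government"), mk("Macao SAR"), mk("Hong Kong China")}
}

func main() {
	cscas := SampleCSCAs()
	store := NewCSCAStore(cscas)
	fmt.Println("keyed on C only:", ByCountryOnly(cscas))       // map[CN:3]: ambiguous
	fmt.Println("keyed on (C, O):", len(store), "distinct keys") // 3
	// A DSC issued by the Macao CSCA names that CSCA in its Issuer field (constructed skeleton).
	dsc := &x509.Certificate{Issuer: pkix.Name{Country: []string{"CN"}, Organization: []string{"Macao SAR"}}}
	for _, c := range store.CandidatesFor(dsc) {
		fmt.Println("candidate CSCA:", IssuerKey(c.Subject))
	}
}
```

A DSC whose Issuer carries only C = CN and no O finds no candidate at all, which is the safer failure: the verifier reports an unresolvable issuer instead of trying the wrong location's CSCA.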
xxvii. Why pay for PKD participation when I can use Master Lists free of charge?
The ICAO Master List, available through the ICAO PKD, makes the CSCA certificates trusted by ICAO available for download as a conveniently usable package. The ICAO Master List, together with other Master Lists in the PKD, covers a significant portion of the world's ePassport issuing community in terms of CSCA Certificates. Those CSCA Certificates allow verification of the certificate chain of the respective ePassport issuer. However, a Master List user who does not participate in the PKD must be conscious of the following:
- The distribution of a State's own Document Signer Certificates (DSC) and Certificate Revocation Lists (CRL) remains an open issue for Master Lists users.
- Should the sole anchor of trust be a downloaded Master List from the PKD, a Master List user must nevertheless generate trust with the Master List issuer who will always be a PKD Participant.
- There is no obligation for PKD Participants to issue Master Lists or to include certain CSCA Certificates in Master Lists. There is also no obligation for PKD Participants to update Master Lists within a certain period of time after new CSCA Certificates are issued. Issuance of the ICAO Master List takes place at specific intervals. Hence, to solely rely on Master Lists means to accept a possible shorter or longer unavailability of CSCA Certificates.
- It is true that non-PKD Participants do not pay any PKD fees. However, non-PKD Participant downloads are usually done manually rather than automatically. This requires continued human intervention and after-download processing, which means that the financial difference between participation and non-participation in the PKD is smaller than one may expect.
- It is a Recommended Practice in Annex 9 to the Chicago Convention that ICAO Contracting States issuing or intending to issue ePassports and/or implementing automated checks at border controls should participate in the PKD. Furthermore, the PKD enjoys political support from the OSCE, the EU and the G7.
xxviii. What does the fee reduction arrangement consist of?
With growing participation the PKD fees are reduced. The trend in fee reduction can be seen by comparing annual fees available at:
https://www.icao.int/Security/FAL/PKD/Pages/Publications.aspx?RootFolder=%2FSecurity%2FFAL%2FPKD%2FDocuments%2FPKDFinanceDocuments&FolderCTID=0x012000DC74C7351B603C4BB3D5C7A812DAC033&View=%7B4FF21EA0%2DB38F%2D43CE%2DA69B%2D6306EE5054DC%7D
xxix. Can a border control authority participate in the PKD?
Yes, a border control authority can participate in the PKD. As per Article 2.1 of the PKD MoU, any "ICAO Contracting State" (i.e. a State which has ratified the Chicago Convention) issuing or intending to issue eMRTDs may participate in the PKD. The MoU does not expressly address which entity within the State concerned has to initiate participation. However, it is to be noted that there can only be one entity per State that executes the MoU and commits to the undertakings related to it on behalf of the State concerned. It is thus a sovereign decision by the State concerned which internal entity to designate for executing the MoU. Recommended Practice 3.9.3 in Annex 9 - Facilitation to the Chicago Convention explicitly encourages PKD participation in the case of border controls with automated checks on eMRTDs.