< PreviousXXXXX28 ICAO MRTD RepORT – Issue 2 201528 ICAO MRTD RepORT – Issue 2 2015Over the course of the three most recent Public Key Directory (PKD) Board meetings, which took place in March and October 2014 and in March 2015, the PKD Board worked on three major items that will influence the future development and operation of the ICAO PKD. These steps forward impact the Organization, Border Control Agencies and the ICAO Master List. ORgANIzATION According to the Memorandum of Understanding (MOU), the PKD Board is tasked with the following major functions: ■■responsible for overseeing PKD operations and is the responsible management body; ■■responsible for setting the budget and has oversight over the finances; and ■■addresses issues related to the implementation of the PKD and set its Rules of Procedure as required. THe ICAO puBLIC Key DIReCTORy (pKD): ReCenT CHAnges AnD DeVeLOpMenTs THAT ARe pAVIng THe WAy FOR THe FuTuRe pKD upDATeAbOuT ROMAN VANeK Upon graduating with a law degree from the University of Fribourg, he joined the Swiss Federal Administration where he has held various positions. Today, he is the Chief of the Division Identity Documents & Special Tasks and is responsible for the Swiss Passport and the Identity Card. In this function, he is the Representative of Switzerland at the ICAO TAG/MRTD, the Article 6 Committee of the European Commission and a Participant at ICAO NTWG meetings. In May 2012, he became Chairman of the ICAO PKD Board. The PKD BoardAs participation continues to grow, operation of the PKD Service has become more demanding. Greater time and resources should be allocated to the oversight of PKD operations and should allow for detailed discussions with the PKD Operator on all operational issues. Furthermore, the PKD Board should be directing more focus on strategic development and setting future goals, rather than managing the day-to-day administration. With this perspective in mind, ICAO PKD Participants changed the applicable rules of procedure to introduce a PKD Executive Body (effective 1 January 2016). At the second PKD Board Meeting of 2015, which will take place before the ICAO Symposium 13 to 14 (half day) October 2015, three PKD Board Members will be elected to serve for two-year terms as PKD Executive Body (EB) Members. The PKD Board Chairperson, the International Standards Organization (ISO), the ICAO Secretariat, the PKD Operator and experts invited by the Chairman will participate in EB meetings. The mandate of the EB will include the following tasks: ■■discuss and evaluate PKD technical issues with the operator; ■■exercise oversight over the operator (check reports, track mandates and projects); ■■prepare policy and strategy decisions of the Board; ■■prepare financial reports for the Board, check and approve intermediate financial statements; ■■report its work to the PKD Board; ■■follow technical and other developments in PKD/PKI matters and liaise with the ICAO NTWG and ICBWG as well as with ICAO; and ■■execute the mandates given to it by the PKD Board.bORDeR eNgAgeMeNT STRATegYSince ICAO PKD operations began in 2006, the system has been running smoothly and the integration of new participants and uploading of new certificates has been managed without difficulty. Though the vast majority of PKD participants are represented by their respective Passport Issuing Authorities, the ICAO PKD Board acknowledges that broader involvement of Border Control Agencies is required, since they are the front line users of this system and the important information it contains. To reach this goal, Canada volunteered to lead the effort in developing a Border Engagement Strategy. This Strategy is intended to develop tools and resources for use by existing and future PKD participants; to increase their understanding of the PKD and to engage with their respective domestic partners on the value of participation in the PKD and conducting ePassport validation. For this purpose, different work items have been defined, such as:■■an information paper on the benefits of ePassport validation; ■■a practical roadmap for PKD-based ePassport validation and a brief, simple description of National PKD Systems; ■■guidance material on how to interpret different reading results from ePassport inspection systems; and ■■a review of the ICAO PKD website.These work items will be addressed together with the NTWG, ICBWG and ISO over the next couple of months. Additionally, the PKD Board wishes to continue organizing ICAO PKD Borders Days events, which bring together officials from border control authorities. The first Borders Days event took place in October 2012 in Windsor (UK) while the second took place in October 2014 in Oslo (Norway). The next PKD Borders Days event is expected to be organized in October 2016 alongside the ICAO PKD Board Meeting. The PKD Board is looking to organize the next event in a region that is easily accessible for as many interested Border Control Agencies as possible. The intent of PKD Borders Day is to give Border Control Agencies the opportunity to learn from current users of the ICAO PKD about their experiences and the benefits they get from it. It also provides a venue for open debate on practical questions and problems others have faced. ICAO MASTeR lISTThe ICAO PKD was established to support a globally interoperable system for eMRTD authentication that would facilitate travel across borders while also improving security. At the 20th ICAO PKD Board Meeting, ICAO PKD Participants agreed to include an ICAO Master List in the ICAO PKD. This new service will further support and advance the security and facilitation benefits of the ICAO PKD. epassport basicsThe digital signature on the chip of an ePassport is supported by a chain of digital certificates. These certificates can be used to verify that the ePassport chip is authentic and has not been tampered with. In basic terms, the following information is required to verify the digital signature:■■Country Signing Certificate Authority (CSCA) Certificate, ■■Document Signer Certificate (DSC),■■Certificate Revocation Lists (CRLs).pKD upDATe ICAO MRTD RepORT – Issue 2 2015 29The ICAO pKD was established to support a globally interoperable system for eMRTD authentication that would facilitate travel across borders while also improving security.XXX30 ICAO MRTD RepORT – Issue 2 2015Since the bilateral exchange of this data between all ePassport issuing States would be highly inefficient and potentially error-prone, ICAO established the PKD so that participating States could exchange certain certificates. States and other authorities (like the UN) that issue ePassports and participate in the ICAO PKD upload their respective DSCs and CRLs to the ICAO PKD directly. In contrast, CSCA Certificates, which are the trust root or trust anchor, are distributed via two methods: diplomatic bilateral exchange, or through CSCA Master Lists (explained below). Many States have found it challenging to acquire CSCA Certificates through bilateral exchange and have expressed interest in a Master List compiled and published by ICAO.What is a Master list?A Master List is a list of CSCA certificates that have been produced and digitally signed by an issuing State. In simple terms, a PKD participant may bilaterally exchange CSCA certificates with a number of other States, authenticate the certificates, then assemble a list and sign it with its national Master List signing certificate. The list containing all the CSCAs that the State trusts is called a Master List and can be uploaded to the ICAO PKD. This Master List can then be downloaded from the ICAO PKD by others who trust the country that has issued the Master List and wish to obtain those CSCA certificates. The publication of a Master List enables other receiving States to obtain a set of CSCA certificates from a single source (the Master List issuer), rather than undertake direct bilateral exchange with each of the Issuing Authorities or organizations represented on that list. The greater the number of Master Lists available the better, because this allows those who download the lists to compare the contents against other lists. To facilitate access to CSCA certificates, many States have expressed an interest in a Master List compiled, issued and signed by ICAO. As a UN Organization, ICAO has contacts with governments and authorities worldwide; therefore, ICAO is well positioned to collect CSCAs.Since the ICAO PKD was established to support the global interoperability of ePassport validation by acting as a central broker to manage the exchange of DSC and CRL, and because ePassport validation cannot be conducted without the accompanying CSCA certificates, the publication of an ICAO Master List through the ICAO PKD is a logical step. It will provide receiving States with a “one-stop shop” for all the information needed for ePassport validation. Next StepsAt the 21st PKD Board Meeting, the final decisions regarding the ICAO Master List were made. It was agreed that, once the ICAO Master List is implemented, the ICAO Secretariat, which is assisting the ICAO PKD Board, will reach out to ICAO Member States and other issuing entities to collect as many CSCAs as possible. These CSCAs will be included in the ICAO Master List only after they have undergone defined and detailed procedures and have been declared trustworthy. The access to the ICAO Master List shall be public and free of charge. However, States and Issuing Authorities should join the ICAO PKD rather than relying on the ICAO Master List. As ICAO PKD Participants, they benefit from support and a service/access guarantee according to the agreement with the operator, benefit from additional services such as conformity testing of certificates and access to the most recent information. ICAO PKD operations will be subject to regular audits and certification through an accredited, independent third party. The same procedure will apply to CSCA link certificates that are also part of the ICAO PKD. As of January 2016, a new operational contract will govern PKD operations. The work on the ICAO Master List will begin in 2016 and will hopefully result in the publication of the first ICAO Master List soon afterwards. 30 ICAO MRTD RepORT – Issue 2 2015The publication of a Master List enables other receiving states to obtain a set of CsCA certificates from a single source (the Master List issuer), rather than undertake direct bilateral exchange with each of the Issuing Authorities or organizations represented on that list.pKD upDATeXXX ICAO MRTD RepORT – Issue 2 2015 31pKD CeReMOnIesThe Country Signing Certificate Authority (CSCA) Certificate Import Ceremony serves to formalize State active participation in the ICAO Public Key Directory (PKD). The certificate permits the validation by border officials of Document Signer Certificates and the Document Signer Public Key included on ePassport travel documents. Officials can also use the Certificate to validate whether an electronic travel document was issued by a competent authority, as well as confirm if its data has been altered in any way subsequent to its issuance by that authority. pKD IMpORT CeReMOnIes Ukraine imported its CSCA in the PKD on 5 January 2015. In attendance were Mr. Maksym Sokoliuk, Deputy Director for Documents Personalization State Enterprise "Poligraph Combine "UKRAINA" for Securities Production" and Ms. Christiane DerMarkar, the ICAO PKD Officer. On 19 February 2015, Qatar imported the State’s Country Signing Certificate Authority (CSCA) or “public key” into the secure facilities at the ICAO Public Key Directory (PKD) operations center. The Import Ceremony was held in the presence of (from left to right) Mr. Abdulrahman Ali AL-Malki, Associate Director, General Directorate of Information Systems of the Ministry of Interior of Qatar, Ms. Christiane DerMarkar, the ICAO PKD Officer, Mr. Abdulla Al-Buainain, Director of the Department of Citizenship and Travel Documents, and Mr. Ahmed K. Alhamar, Assistant Director of Technical Affairs Department, in order to testify that due diligence has been followed and to safeguard the integrity of the certificate delivered to ICAO. 32 ICAO MRTD RepORT – Issue 2 2015ICAO’s Implementation and Capacity building Working group (ICbWg) has assisted Member States with their identity management programmes since its formation in 2008. The ICbWg continues to support passport issuing authorities in their efforts to produce globally interoperable, machine readable passports (MRps) in accordance with the internationally recognized technical standard known as Doc 9303.As part of its mandate, the ICbWg has reviewed numerous cases of suspected ‘non-compliant’ MRps whereby the machine readable data could not be processed accurately by border management systems. The ICbWg has also provided assistance to several Member States to ensure their compliance with the Standards. While many issuing authorities have, or are introducing epassports, many compliance issues occur between MRps and epassports.This article highlights the more common machine readability issues investigated by the ICbWg, and includes recommendations that will ensure Member States issue globally interoperable and compliant passports.COMplIANCe WITH DOC 9303: DOeS IT MATTeR?Travellers have come to expect that their machine readable passport (MRP) will simply work when travelling abroad – just as their cellular phones and credit cards do. The globally interoperable MRP should facilitate swift passage through manned immigration checkpoints, as well as the new generation of self-clearance border gates. Since basic technical standards have been prevalent on a global scale for more than three decades, this is a reasonable expectation.However, immigration officials routinely encounter legitimate MRPs that cannot be read correctly at border crossings. When this does occur, the official must determine whether the issue is a simple reading error or indicative of a fraudulent attack. In the worst case scenario, the traveller presenting a legitimate document may be delayed, detained and/or forced to return to their point of origin at their own expense. This article explores the common readability issues encountered at the border, and identifies the basic steps that issuing authorities may consider to ensure interoperability.SIMple MISTAKeS, glObAl IMpACTThe ICBWG has reviewed dozens of suspected non-compliant MRPs over the past seven years. Within this article, the term ‘non-compliant’ refers to any MRP (including ePassports) containing a deficiency that interferes with the accurate recognition of its machine readable data. The majority of confirmed cases were attributed to errors within the personalization system rather than physical deficiencies of the passport (such as improper materials and/or construction). Confirmed cases involving personalization typically fall under one or more of the following categories:1. non-compliant data page layout;2. non-compliant Machine Readable zone (MRz) formatting; and3. defects caused by personalization hardware.Is yOuR pAsspORT COMpLIAnT?pAsspORT COMpLIAnCeAbOuT DWIgHT MACMANuS He has more than 20 years of experience in the field of identification management with expertise in secure document design and materials, issuance systems, reader technology and border management systems. As a member of ISO SC17, he has been an active contributor to many ICAO working groups, including the Implementation and Capacity Building Working Group (ICBWG). He currently holds the position of Director, Travel Applications with the Canadian Bank Note Company Limited, based in Ottawa, Canada. ICAO MRTD RepORT – Issue 2 2015 33#1 – Non-compliant data page layoutThe most common issue pertains to the layout of the passport’s data page. The data page is separated into two principal areas: the Visual Inspection Zone (VIZ) and the Machine Readable Zone (MRZ). The layout of the VIZ is designed to be human-readable, and may include different data elements to accommodate the diverse requirements of issuing States. VIZ elements must not interfere with the MRZ. In contrast, the MRZ is reserved exclusively for the two machine readable data lines, which must be located within a precise area of the data page. Restrictive tolerances ensure that passport reading devices can accurately and efficiently locate and extract the data from the MRP, a step that facilitates the inspection process. The ICBWG examined several cases where the VIZ elements crossed into the MRZ due to flawed printing layouts within the personalization systems. Figure 1 shows an example of a personalization system that was configured to print a VIZ element within the MRZ. Once the passport reading device attempts to scan the MRZ lines, it may be unable to locate the data lines or misrecognize the characters owing to interference from the VIZ element. The second common non-compliant layout error involves the calibration of personalization equipment. There are numerous cases where the personalization of the entire data page (VIZ and MRZ) has drifted from its optimal position, resulting in the MRZ data lines being misaligned or printed too close to the edges of the data page (Figure 2). In these cases, the passport reading device may not distinguish the characters that are adjacent to the edge. #2 – Non-compliant MRz formatting The second category involves the formatting of the two machine readable data lines contained within the MRZ. Doc 9303 provides a highly prescriptive sequence (shown in Figure 3) of how each data element must be configured within each line. Formatting errors are often less obvious and not easily detected without experience and specialized tools. More importantly, incorrect formatting can have a significant impact on how the data captured from the MRP will be processed by a Border Management System (BMS), and in turn, how the immigration official will assess any anomalies. The ICBWG investigated and confirmed a range of MRZ formatting errors including:■■incorrect font type and/or size; ■■non-existing ISO country code; ■■non-existing document type; ■■incorrect check digits; ■■incorrect number of characters per line; ■■inconsistent data between the VIZ and MRZ; and■■incorrect structure of the MRZ lines.Two recent cases best exemplify the impact of formatting errors.In Figure 4, the issuing authority opted to use an unsanctioned 3-digit country code within the MRZ, instead of their globally recognized code as defined under ISO 3166. The unsanctioned country code was known to trigger alerts in foreign immigration systems.A second case involved the incorrectly calculated ‘check digit’ contained within the MRP. A check digit is a mathematically generated number, based on the preceding alpha-numeric field(s). An MRP contains five separate check digits, including a final composite number. Check digit verifications are also routinely used in border systems as part of the normal inspection process. pAsspORT COMpLIAnCeFigure 1: The red line indicates the top of the MRZ. Note the bearer’s signature has entered the MRZ and is close to the upper machine readable line.Figure 3: Appendix B in Doc 9303, Part 4 describes the mandatory formatting of the machine readable lines.Figure 2: The yellow boxes outline the optimal position of the data lines. This MRP was printed on the edge of the data page.Figure 4: The 3-digit country codes are based on ISO 3166. This MRP contained a non-existent code.In this specific case, the personalization system applied incorrect composite check digits to MRPs and the documents were then issued. The unwitting bearers of those legitimately issued MRPs presented the documents for inspection upon arrival at a foreign border. The check digit failure triggered alerts within the foreign border system, yet documents appeared normal under visible and infrared illumination (Figure 5). It was reported that the bearers of those documents were temporarily detained and ultimately refused entry into the country.#3 – Defects caused by personalization hardware While the former two categories were specific to system (software) configuration issues, the final category relates to the defects introduced by the personalization equipment. Print quality issues, such as the smudging, character defects or other distortions within the data lines, are often obvious and should be detected through a basic visual inspection and system-based checks and then ultimately rejected. The ICBWG has reviewed several cases where MRPs contained defects caused by equipment, yet those documents were still issued by the State, despite the presence of obvious flaws. Figure 6 was captured from an MRP where the personalization equipment encountered a malfunction resulting in several data elements becoming illegible. The MRP data could not be processed correctly by a a Border Management System (BMS).Figure 7 is an example where a personalization device abruptly cut off the last characters of each data line within the MRP. This flaw will impede the accurate recognition of the MRZ, including the verification of the composite check digit.AVOIDINg THe MISTAKeSThe previous section highlighted the most common non-compliance and interoperability issues examined by the ICBWG. Issuing authorities can avoid making similar mistakes by implementing the following steps during a passport programme’s lifecycle:1. Design stage: planning for interoperabilityThis year, several States will introduce new or upgraded versions of their MRPs and some of them will be configured as ePassports. All new MRP and ePassport projects should include an ICAO-compliance evaluation as part of the overall plan and schedule. The machine readable attributes should be validated against Doc 9303 prior to issuance of the first MRP. Testing may be conducted through in-house experts and/or contracting to independent third-party assessors equipped with appropriate tools. Several States have even adopted a practice of asking friendly nations to test pre-production MRPs as part of their due diligence. 2. production stage: Develop a culture of quality assuranceThe second step involves the introduction of a rigorous quality assurance (QA) programme deployed at all locations where MRPs are personalized, including embassies and consulates. The QA programme should not be limited to technology alone. Staff should receive training and develop an appropriate level of awareness of the Standards. In each of the aforementioned examples, a properly designed QA plan, coupled with verification technology, could have easily detected issues and prevented non-compliant MRPs from entering circulation. 3. Standards review: Stay informedFinally, the Standards are updated and captured in the 7th Edition of Doc 9303. Issuing authorities are encouraged to keep up-to-date, as those changes may affect the compliance of their current MRPs. ClOSINg ReMARKSThe quality and compliance of MRPs has improved significantly over the past five years owing to a number of factors, including the April 2010 deadline for MRP-only issuance, and the upcoming November 2015 deadline when handwritten passports must be out of circulation. The widespread introduction of electronic MRPs (ePassports) has also raised awareness of the technical standards, and generally improved the overall compliance level of documents entering circulation. Nonetheless, cases of non-compliance are routinely encountered, which impedes facilitation and brings inconvenience to both the traveller and immigration authorities alike. The cases of non-compliance described in this article were attributed to errors in the personalization process and can be corrected with minimal effort. Furthermore, an ICAO-compliance check prior to launching a new or upgraded MRP, coupled with a proactive QA programme, can prevent future deviations from occurring. The ICBWG will continue to investigate cases of suspected non-compliance. Should you be aware of a questionable MRP, or have comments regarding this article, enquiries may be directed to the ICAO TRIP Programme office at fal@icao.int. pAsspORT COMpLIAnCe34 ICAO MRTD RepORT – Issue 2 2015Figure 5: The issuing system applied an incorrect check digit to this MRP, triggering alerts in border management systems.Figure 6: A printer malfunction has rendered several characters as unrecognizable.Figure 7: This ePassport has partially printed characters in both data lines.PUB36 ICAO MRTD RepORT – Issue 2 2015ICBWg upDATeSince it was formed in 2008, the Implementation and Capacity Building Working Group (ICBWG) has conducted meetings in various parts of the world - from Botswana to Brazil. The Group provides guidance and expert advice to States and assists the ICAO Traveller Identification Programme (TRIP) in meeting its strategic objectives by improving facilitation and enhancing global aviation security. In May 2015, the ICBWG made its first foray into the Pacific Islands with the Government of Samoa hosting the meeting in its capital, Apia. The meeting further extended the network and reach of the ICBWG. Building on the spirit of collaboration and sharing of information and knowledge remains a hallmark of the Group. bACKgROuNDIn May 2008, the Technical Advisory Group for Machine Readable Travel Documents (TAG/MRTD) approved the formation and terms of reference for the ICBWG, electing David Philp (New Zealand) as Chair - a position he still holds today. The ICWBG is made up of representatives from government, international organizations, ISO experts and invited consultants, and was formed to help the Secretariat meet the strategic objectives of its MRTD programme.At the Group's inception, the April 2010 deadline for machine readable passports was fast approaching, and many States were rushing to implement ePassports and biometric solutions. The ICBWG found its focus immediately, providing experts to undertake in-country assessments and delivering advisory assistance to States that were grappling with the complexities of travel document issuance and identification management. An ACTIVITIes upDATe FROM THe IMpLeMenTATIOn AnD CApACITy BuILDIng WORKIng gROup (ICBWg)AbOuT DION CHAMbeRlAIN He is the Manager of Business Improvement and Support for Identity and Passport Services for the Department of Internal Affairs in New Zealand. He has been the Secretary of the ICBWG since its inception in 2008. Contact: icbwg@icao.intICBWG Group Photo ICAO MRTD RepORT – Issue 2 2015 37 ICBWg upDATeFORMATIVe DOCuMeNTSIn the early years, the ICBWG developed and finalized what has become its cornerstone document: the Guide for Assessing the Security of Handling and Issuance of Travel Documents. To date, the Guide has been used for expert assessments in over 15 States, and is the most important resource available to issuing authorities looking to identify and address areas of risk in their operations. At its second meeting in Tavira, Portugal (2009), the ICBWG agreed on its strategic outcomes and established a strategic framework for guiding the Group's activities and prioritizing initiatives in order to move towards ICAO's goal of an efficient, safe and secure aviation sector. The ICBWG's current outcome framework, as articulated in its Business Plan (2014-2016), remains almost unchanged from the original, and is designed to encompass the five key elements of ICAO TRIP (Evidence of Identity, MRTDs, Document Issuance and Control, Inspection Systems and Tools, and Interoperable Applications).The ICBWG Chair is keen to ensure the Working Group continues to take an active role in developing the content and direction of the TRIP Strategy. The Group is also looking forward to providing more input into ICAO training content. To enable the ICBWG to achieve its goals, there is a clear need to develop the Group’s communications capability. Broadening the expertise to include more representation from the Border and Civil Registration sectors is also critical if the Group is to be successful. CuRReNT WORKIn addition to supporting ICAO seminars, symposia and assistance missions, the ICBWG maintains an extensive work programme, endorsed by the TAG that is focused on building tools and resources that increase State knowledge and capabilities. These include:■■the development of a formal ICAO mechanism to assess compliance with Doc 9303 specifications; ■■further development work on the Guide for Assessing the Security of Handling and Issuance of Travel Documents; ■■a review of the Guidance on Evidence of Identification; ■■supporting States using the Guide for Issuing Machine Readable Convention Travel Documents for Refugees and Stateless Persons; ■■developing guidance on procurement of MRTD-related systems; ■■Guide for the Circulation of Specimen Travel Documents; and ■■the development of a dedicated web database sub-portal, Information for Travel Document and Border Control (IFTBC), which will contain up-to-date information about States’ travel documents and border control. ICBWg OuTCOMes FRAMeWORKICAO has up-to-date information on States in relation to travel documents and border controlStates establish and maintain secure and robust issuance systems and processesStates routinely read and validate MRTDs (including ePassports) at BorderStates have the guidance support and expertise to effectively establish and authenticate identityStates have the knowledge and strategic capability to design, procure and implement new technologies and processesStates issue MRTDs (including ePassports) that comply with ICAO SARPsHolistic Identification Management251634Next >