Passports, identity cards, residence permits and other official documents (such as driving-licenses) are often equipped with an electronic chip allowing strong authentication of the document and the bearer.
While official (travel) documents were historically equipped with various optical security features to enable authenticating the document as genuine, the International Civil Aviation Organisation (ICAO) has worked hard to promote the use of electronic authentication of travel documents.
Electronic authentication, technically called Passive Authentication (and possibly Active Authentication), relies on strong cryptographic techniques to guarantee that specific data was written to the chip only by the official issuing entity and that this data was not altered afterwards. The electronic authentication is performed by a computer system and can also be used by non-experts.
Passive Authentication uses a public Country Signing Certification Authority (CSCA) certificate which must be available and trusted from the issuing entity. These certificates contain no secret information and do not enable any access to sensitive chip data such as fingerprints. The trusted CSCA certificate only enables a secure electronic authentication of the document.
Collections of trusted CSCA certificates can be combined into a secure container file-structure called Masterlist. The Masterlist is cryptographically signed to prevent alteration. The ICAO Public Key Directory provides a means to share Masterlists. No secret information is stored in the Masterlist, it only contains public key information.
The European Commission would like to promote the use of electronic authentication (of any electronic document that supports this) by issuing a Schengen Masterlist of trusted CSCA certificates. The Commission actively tries to acquire new certificates which it shares with the Member States who in turn will validate the certificate as genuine. The Commission continuously updates the Schengen Masterlist with these newly validated CSCA certificates.
The Schengen Masterlist contains CSCA certificates validated by at least 3 Member States; it has no political message, value or connotation. The Schengen Masterlist may contain certificates which are not ICAO 9303 compliant.
The current Schengen TEST Masterlist is the result of a pilot project. This TEST Masterlist is cryptographically signed using a TEST certificate.
This TEST list can be used for testing and experience-gathering purposes. It should NOT be used to validate ePassports in an operational setting.
The Schengen TEST Masterlist can be downloaded as a zip file from this JRC web-site.
The Schengen Masterlist will in the future be cryptographically signed using the EU Laissez-Passer CSCA which can be found here.
Authenticating identity documents is not only linked to passports and border-control.
Police, carriers, hotels, car rental agencies, banks, notaries, financial service providers, all rely on some form of identity document which may well be an electronic document which supports electronic authentication.
To verify such documents, the corresponding certificates must be checked. Having a comprehensive list of such certificates – like the Schengen Masterlist – enables everybody, not just Governments, to verify such documents.