
ICAO PKD LDIF File

Frequently Asked Questions, v3.0


Dated: 11th October 2010

Currently, an English version has been made available. Other language translations will be made
available on the same web-site in due course.

The International Civil Aviation Organization (ICAO) manages a Public Key Directory (PKD) which
contains the public keys of PKD Participants that issue electronic passports (e-Passport).

This document refers to the typical questions asked about the ICAO PKD LDIF file.

1) Who is the intended audience?

This system is intended for all agencies or companies that interact closely with
e-Passports/travel documents to verify identity, such as:

Border Control, Airlines/Travel Industry, Tourism Industry, Law Enforcement, and States
evaluating future deployments and their vendors.

2) What is an e-Passport?

An e-Passport (or electronic passport) is just like an ordinary passport to be used as a travel
document, except that it also contains an electronic chip holding a digital equivalent of the
holder’s identity. This holder information is both biographical (Name, DOB, etc.) and
biometric (digital photograph).

According to international agreements, an e-Passport is distinguished from normal passports
by a special symbol on the cover. This symbol is:

[e-Passport chip symbol; image not reproduced in this text]

To protect its integrity, the digital data in the chip is digitally signed by the issuing country. A
corresponding “digital certificate” containing its public keys is required to check the
integrity of the e-Passport. This “digital certificate” may be embedded in the electronic chip,
or distributed via a central mechanism by ICAO.

This document can be downloaded from:
https://pkddownloadsg.icao.int/ICAO/pkdLDIFDownload.jsp Page 1
ICAO PKD FAQs – v3.0

3) What is the ICAO PKD (Public Key Directory)?

To facilitate the distribution of the “digital certificates” that signed the e-Passports above,
ICAO has set up a central repository together with a system for their distribution worldwide.
This central repository contains the e-Passport signing digital certificates, also called
“Document Signer Certificates” (DSCs), and also a blacklist of compromised digital certificates
(those that cannot be used) called “Certificate Revocation Lists” (CRLs). It also contains CSCA
Master Lists, which are signed lists of CSCA Certificates used by the PKD Participants. This
central repository is called the “ICAO PKD” (Public Key Directory).

4) What is LDIF?
LDIF stands for “LDAP Data Interchange Format”, and is a standard format used to export
and import data between offline systems, much like a .CSV or .XML file. LDIF formatted files
are especially useful for exchanging data between LDAP-compliant directories.

5) What are the two separate LDIF files available for download?
There are two LDIF files available for download. The first is a collection of DSCs and CRLs that
have been verified by ICAO against the PKD Participant’s CSCA Certificates. This collection is
sufficient in most cases for verification of e-Passports. The second LDIF is a collection of used
CSCA Certificates published by the PKD Participants themselves. ICAO has not validated or
verified the CSCA Certificates within these Master Lists. However, the PKD validates the
signatures of uploaded Master Lists.

6) What do I need to use this LDIF file?
This LDIF file is used to digitally verify the e-Passport signature. Therefore, before using this
file, an understanding of the e-Passport digital data structure is mandatory. Here is a list of
capabilities that would be needed to use this LDIF file:
a. Public Key Infrastructure (PKI) and cryptography
b. e-Passport logical data groups
c. Directory protocols: X.500 and also Lightweight Directory Access Protocol (LDAP)
d. Application usage of cryptography and relevant standards such as X.509, PKCS#7,
ASN.1, RSA, SHA-1, SHA-256, ECC, DN, LDAP commands etc.

7) What is the significance of the “version” number of the file?

The LDIF file is updated as and when new certificates are created by PKD Participants. To
distinguish an updated file from an older one, a version number is assigned to each unique
collection of DSCs and CRLs. The Master List has a separate version number as well. This
version number is updated sequentially. Downloaders of this file are encouraged to
periodically update the file with the latest information available at the time.

8) How do I ensure that this LDIF file downloaded without errors?

The LDIF file is check-summed using SHA-1 from the ICAO PKD before being made available
for download. The checksum is created by calculating the message digest of the whole file
and hex-encoding the result to give a string of 40 characters, looking like:

3BC22E4E24CC422760AD6D83B4D3BFA8FC6BB43D

To check that the file was downloaded without errors, after receiving the complete file,
create another checksum using the same SHA-1 algorithm and hex encode the result, and
then go to the web-site: https://pkddownloadsg.icao.int/ICAO/pkdChksum.jsp or
https://pkddownloadth.icao.int/ICAO/pkdChksum.jsp to check the result against the same
version of the file downloaded. If the results are the same, the file was downloaded
successfully.

9) What is the specification for the entries in the LDIF file?
Please note that to understand the specifications, a high amount of technical proficiency in
LDAP and PKI, as well as a working knowledge of the e-Passport systems is needed.

A) DSC/CRL LDIF:

The LDIF file is organized as a directory tree, with the root of the tree at: “dc=data,
dc=pkdDownload”. Every PKD Participant that uploads to the PKD will be assigned a
directory, where all its uploaded DSCs and CRLs will be stored. For example, in the case of
Singapore, the location assigned will be “c=SG, dc=data, dc=pkdDownload”. This point would
be the base DN under which all entries from Singapore would be stored.

There are two kinds of data that a client would need from the PKD; the certificates (DSC) and
the CRL.

a. Download DSC entry format

DSCs would be allocated an “o=Certificates” within the base DN of that state. The following
attributes of the DSC entry are available for download:

Objectclass       inetOrgPerson (according to RFC2798¹) when uploading DSC.
cn                CSCA DN of the DSC. This is the DN of the issuer of the DSC and
                  not the DSC DN. There are no whitespaces after each “,” in this
                  string.
sn (Surname)      Certificate Serial Number. This is the hex encoded X.509
                  certificate serial number allocated to that certificate by the
                  CSCA when signing that certificate.
userCertificate   DER encoded binary file containing the full X.509 certificate
                  issued by the issuer (the Country Signing CA).

¹ RFC2798, “Definition of the inetOrgPerson LDAP Object Class”, http://www.ietf.org/rfc/rfc2798.txt

The final DN of the entry will consist of the ‘cn’ followed by the “+” character and then the
‘sn’.

For example, if an entry has the following details:

cn: o=Passport Issuer,c=AG
sn: 0F4E2045

then the entry DN is:

dn: cn=o\=Passport Issuer\,c\=AG+sn=0F4E2045,o=Certificates,c=AG,dc=data,dc=pkdDownload

According to MRTD specifications, a signed e-Passport identifies its signer, at a minimum, by
the signer’s CA DN and the signer’s certificate serial number. It can therefore be concluded
that the minimum information on which a particular DSC can be searched for in the PKD
download is the issuer (CSCA) DN and the DSC serial number. By constituting the CN and the
SN of the entry from this information, it is ensured that searches are optimized and entries
can be found based on information available from the e-Passport that needs to be verified.

b. Download CRL entry format

CRLs would be allocated an “o=CRLs” within the base DN of that country.

The following attributes of the CRL entry are available for download:

Objectclass                 cRLDistributionPoint (according to RFC2256²).
cn                          The first six characters of the issuer
                            “SubjectKeyIdentifier” (hash of the CSCA public key)
                            followed by symbol “_” and then the CSCA DN of the
                            CRL. This is the DN of the issuer of the CRL. There are
                            no whitespaces after each “,” in this DN.
certificateRevocationList   DER encoded binary file containing the CRL issued by
                            the issuer (the Country Signing CA).

² RFC2256, “A Summary of the X.500(96) User Schema for use with LDAPv3”, http://www.ietf.org/rfc/rfc2256.txt

For example, if the issuer DN is: “o=Passport Issuer,c=AG” and the “SubjectKeyIdentifier” of
the CA issuing that CRL is: FE457834AAF12C232CEFEF56121102BCD4567652, then that CRL’s
entry DN would be:

dn: cn=FE4578_o\=Passport Issuer\,c\=AG,o=CRLs,c=AG,dc=data,dc=pkdDownload

and the ‘cn’ of the entry is:

cn: FE4578_o=Passport Issuer,c=AG

By this method, CRLs issued by same issuer DNs but different public keys can be
distinguished by different entry DNs.

According to MRTD specifications, a signed e-Passport identifies its signer, at a minimum, by
the signer’s CA DN and the signer’s certificate serial number. To check revocation of that
certificate, the CRL to be used will also be issued by the same CA. It can therefore be
concluded that the minimum information on which a particular CRL can be searched for in
the PKD download is the issuer (CSCA) DN. By constituting the CN of the CRL entry from this
information, it is ensured that searches are optimized and entries can be found based on
information available from the e-Passports that need to be verified.

B) CSCA Master List LDIF

The LDIF file is organized as a directory tree, with the root of the tree at:
“dc=CSCAMasterList, dc=pkdDownload”. Every PKD Participant that uploads to the PKD will
be assigned a directory, where all its uploaded Master Lists will be stored. For example, in
the case of Singapore, the location assigned will be “c=SG, dc=CSCAMasterList,
dc=pkdDownload”. This point would be the base DN under which the Master List created by
Singapore would be stored.

Download MasterList entry format

The MasterList entry would be contained in an entry within the base DN of that country.

The following attributes of the MasterList entry will be available for download:

objectclass          CscaMasterList (as defined under question 10 B below).
cn                   The first six characters of the issuer “SubjectKeyIdentifier”
                     (hash of the CSCA public key) followed by symbol “_” and then
                     the CSCA DN of the MasterListSigner. There are no whitespaces
                     after each “,” in this DN.
sn                   Will always be “1”.
CscaMasterListData   CSCAMasterList as signed Data Object.

For example, if the issuer DN is: “o=Passport Issuer,c=AG” and the “SubjectKeyIdentifier” of
the CSCA issuing the MasterList is: FE457834AAF12C232CEFEF56121102BCD4567652, then
that MasterList’s entry DN would be:

dn: cn=FE4578_o\=Passport Issuer\,c\=AG,c=AG,dc=CSCAMasterList,dc=pkdDownload

and the ‘cn’ of the entry is:

cn: FE4578_o=Passport Issuer,c=AG

By this method, MasterLists issued by same issuer DNs but different public keys can be
distinguished by different entry DNs.
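The DN rules of 9 A (a), 9 A (b) and 9 B in working form, added here as an example that is not part of the original FAQ or of ICAO's software: given the issuer DN, serial number or SubjectKeyIdentifier a verifier already holds, it derives the entry DN to look up. Function names are this example's own; escaping “=” (optional in RFC 4514, but done in the PKD's own examples) is an assumption about the convention.

```python
"""Build PKD entry DNs from what a verifier already holds (added example; not ICAO's code)."""
import re

# RFC 4514 special characters plus '=', which the PKD's own examples also escape
# ("o\=Passport Issuer\,c\=AG"); escaping '=' is this example's assumption about the convention.
_SPECIAL = ',+"\\<>;='


def normalise_dn(dn):
    """Remove whitespace after each ',' so the string matches the PKD cn convention."""
    return re.sub(r",\s+", ",", dn.strip())


def escape_rdn_value(value):
    """Escape one attribute value for use inside a DN string."""
    out = []
    for i, ch in enumerate(value):
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, len(value) - 1)
        out.append("\\" + ch if ch in _SPECIAL or leading_hash or edge_space else ch)
    return "".join(out)


def dsc_entry_dn(issuer_dn, serial_hex, country):
    """DSC entry: cn is the issuing CSCA DN, sn the hex serial, joined by '+' (9 A a)."""
    cn = escape_rdn_value(normalise_dn(issuer_dn))
    return f"cn={cn}+sn={serial_hex.upper()},o=Certificates,c={country},dc=data,dc=pkdDownload"


def ski_prefixed_cn(issuer_dn, issuer_ski_hex):
    """First six hex characters of the issuer's SubjectKeyIdentifier, '_', then the DN."""
    ski = issuer_ski_hex.upper()
    if len(ski) < 6 or any(c not in "0123456789ABCDEF" for c in ski):
        raise ValueError("SubjectKeyIdentifier must be a hex string")
    return ski[:6] + "_" + normalise_dn(issuer_dn)


def crl_entry_dn(issuer_dn, issuer_ski_hex, country):
    """CRL entry under o=CRLs of the issuing country's base DN (9 A b)."""
    cn = escape_rdn_value(ski_prefixed_cn(issuer_dn, issuer_ski_hex))
    return f"cn={cn},o=CRLs,c={country},dc=data,dc=pkdDownload"


def masterlist_entry_dn(signer_dn, signer_ski_hex, country):
    """Master List entry: same cn rule, directly under c=<country> of the second tree (9 B)."""
    cn = escape_rdn_value(ski_prefixed_cn(signer_dn, signer_ski_hex))
    return f"cn={cn},c={country},dc=CSCAMasterList,dc=pkdDownload"
```

Because the cn is built from the issuer DN and not from the DSC's own subject, a DSC whose issuer DN is written with extra whitespace in the e-Passport must be normalised first, which is what normalise_dn does.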

10) How do I use this LDIF file?

A) DSC/CRL LDIF:

The LDIF file contains DSCs (in objectClass “inetOrgPerson”, attribute “userCertificate”) and
CRLs (in objectClass “cRLDistributionPoint”, attribute “certificateRevocationList”). Both these
data items are binary data, which are Base64 encoded in the LDIF file.

The easiest method to use this data is to import this file into an LDAP directory. This would
ease the searching of the right DSC or CRL as the need arises. Any other process that extracts
this data can also be used to ensure availability of the data in a central system, such as a
database or shared storage.

Once the data has been extracted, the e-Passport verification mechanism can use this data
during the validation process. The e-Passport verification process is beyond the scope of this
document, and can be referenced separately from ICAO’s MRTD web-site.
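A minimal reader for the DSC/CRL file, added here as an example (not ICAO's code or the FAQ's own): it handles LDIF's folded continuation lines and the “::” base64 marker, decodes the binary DSC and CRL values, and indexes DSCs by the (issuer DN, serial) pair the e-Passport supplies. The sample LDIF and the certificate bytes inside it are constructed placeholders, and the “;binary” attribute option is an assumption, not taken from the page.

```python
import base64

def parse_ldif(text):
    """Entries as {'dn': str, <attr, lowercased>: [values]}; 'attr::' values are
    base64-decoded to bytes (the DER DSCs and CRLs), plain 'attr:' values stay str."""
    entries, logical = [], []
    for raw in text.splitlines() + [""]:        # the final "" flushes the last entry
        if raw.startswith(" ") and logical:     # folded continuation of the previous line
            logical[-1] += raw[1:]
        elif raw == "":
            entry = _build_entry(logical)
            if "dn" in entry:                   # skips a lone "version: 1" block
                entries.append(entry)
            logical = []
        elif not raw.startswith("#"):           # '#' lines are LDIF comments
            logical.append(raw)
    return entries

def _build_entry(lines):
    entry = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        name = name.split(";")[0].lower()      # drop attribute options such as ';binary'
        if value.startswith(":"):              # '::' marks a base64-encoded value
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        if name == "dn":
            entry["dn"] = value
        elif name != "version":
            entry.setdefault(name, []).append(value)
    return entry

def index_dscs(entries):
    """Map (issuer CSCA DN, serial), as the e-Passport names its signer, to the DER bytes."""
    return {(e["cn"][0], e["sn"][0].upper()): e["usercertificate"][0] for e in entries
            if "inetorgperson" in [c.lower() for c in e.get("objectclass", [])]}

# Constructed sample LDIF (added example, not ICAO data); the certificate bytes are a
# placeholder, not a real DER certificate. The ';binary' option is an assumption.
FAKE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_LDIF = (
    "version: 1\n\n"
    "dn: cn=o\\=Passport Issuer\\,c\\=AG+sn=0F4E2045,o=Certificates,c=AG,dc=data,\n"
    " dc=pkdDownload\n"
    "objectClass: inetOrgPerson\ncn: o=Passport Issuer,c=AG\nsn: 0F4E2045\n"
    "userCertificate;binary:: " + base64.b64encode(FAKE_DER).decode() + "\n"
)
```

CRL entries come through the same parser under o=CRLs, with the DER list in certificateRevocationList and the cn as the lookup key.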

B) CSCA Master List LDIF

The LDIF file contains MasterLists using the following schema:

Attribute: 'CscaMasterListData'

(1.2.702.0.1002.88.2 NAME 'CscaMasterListData'
    DESC 'CSCA Master List Data'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.9
    SINGLE-VALUE
)

Structural objectclass: 'CscaMasterList'

(1.2.702.0.1002.88.1 NAME 'CscaMasterList'
    DESC 'CSCA Master List'
    SUP person
    STRUCTURAL
    MUST ( CscaMasterListData )
)

The process to extract the CSCA Certificates contained within the Master List is beyond the
scope of this document, and can be referenced separately from ICAO’s MRTD web-site.

11) Does the Master List issued by a PKD Participant contain all the CSCA Certificates used by
that PKD Participant?

The Master List contains the complete list of CSCAs used by the PKD Participant.
