Security mechanisms in electronic ID documents
Country Signer Certificate Authority (CSCA)
The Country Signing Certificate Authority (CSCA) is operated by the Federal Office for Information Security (BSI). It regularly issues the German root certificates (CSCA certificates), whose private keys are used to sign the Document Signer Certificates (certificates for document signing) of the passport or identity card manufacturer. The passport or ID card issuer uses the private keys of the Document Signer Certificates to sign data in the electronic ID document that represents the document data. The Document Signer Certificate is also stored electronically in the ID document.
With the help of the root certificate, it can now be checked whether an electronic ID document was produced on the official order of the issuing nation (in this case the Federal Republic of Germany) and whether the data has been altered in any way since production.
This is done with the help of Passive Authentication.
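The chain described above (CSCA root, Document Signer Certificate, signed document data) can be reproduced with the OpenSSL command line. This is an added example, not BSI code: all certificates, names and data are constructed, and the use of a detached CMS signature as the container is an assumption of the example rather than something this page specifies.

```bash
#!/usr/bin/env bash
# Added example: constructed CSCA -> Document Signer -> document data chain.
# Every name, key and data value below is made up for this demo.
set -eu
WORK=$(mktemp -d)

# Self-signed root standing in for a country's CSCA certificate.
make_csca() {   # $1 = file prefix, $2 = subject common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/C=XX/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Document Signer certificate, signed with the CSCA private key.
make_ds() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/C=XX/CN=Demo Document Signer" \
    -keyout "$WORK/ds.key" -out "$WORK/ds.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/ds.csr" -days 30 -CA "$WORK/csca.pem" \
    -CAkey "$WORK/csca.key" -CAcreateserial -out "$WORK/ds.pem" 2>/dev/null
}

# Sign the document data with the DS key. The DS certificate travels inside
# the signature object, mirroring its storage in the ID document.
sign_document() {   # $1 = data file
  openssl cms -sign -binary -in "$1" -signer "$WORK/ds.pem" \
    -inkey "$WORK/ds.key" -outform DER -out "$WORK/signature.der" 2>/dev/null
}

# Verifier side: only the root certificate is trusted. Succeeds only if the
# embedded DS certificate chains to that root AND the data is unmodified.
passive_auth() {    # $1 = data file, $2 = trusted CSCA certificate
  openssl cms -verify -binary -inform DER -in "$WORK/signature.der" \
    -content "$1" -CAfile "$2" -purpose any -out /dev/null 2>/dev/null
}

check() { if passive_auth "$1" "$2"; then echo accepted; else echo rejected; fi; }

make_csca csca "Demo CSCA"
make_csca other "Unrelated CSCA"
make_ds
printf 'constructed document data: DOE<<JANE 1990-01-01\n' > "$WORK/data.bin"
sign_document "$WORK/data.bin"
printf 'constructed document data: DOE<<JOHN 1990-01-01\n' > "$WORK/altered.bin"

echo "genuine data, issuing root:  $(check "$WORK/data.bin" "$WORK/csca.pem")"
echo "altered data, issuing root:  $(check "$WORK/altered.bin" "$WORK/csca.pem")"
echo "genuine data, other root:    $(check "$WORK/data.bin" "$WORK/other.pem")"
```

The verifier never needs the Document Signer Certificate in advance; holding the correct root certificate is enough, which is why the exchange of root certificates between nations matters.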
So that the authenticity and integrity of German electronic ID documents can be verified at border controls in other countries, and the authenticity and integrity of other nations' electronic passports can be verified at German borders, the different nations have to exchange their root certificates securely.
This is done either through diplomatic exchanges or through the ICAO-PKD. In addition, the current German root certificate is available on our website.
If you would like to know more details about this procedure, please read our technical guideline BSI-TR-03110.