Steps

Establish a Basic Access Control (BAC) or PACE channel to the chip using the MRZ-derived keys (Kenc, Kmac)
Read Data Group 1 (DG1, MRZ data) and Data Group 2 (DG2, face image) using SELECT FILE and READ BINARY APDUs
Read the Document Security Object (SOD) which contains the signed hash manifest and the Document Signer Certificate (DSC)
Verify the DSC chain up to the Country Signing CA (CSCA) certificate obtained from the ICAO PKD or the issuing state's trust anchor
Hash each DG using the algorithm stated in the SOD and compare against the signed hashes to confirm passive authentication

Known gotchas

Active Authentication (AA) proves chip originality but does not prove the chip belongs to the presented document — use Chip Authentication (CA) instead where supported
CSCA certificates must be fetched out-of-band from the ICAO PKD master list; do not trust DSC self-chains
Some states issue chips that advertise PACE but fall back to BAC — implement both handshakes

Implement OCPI 2.2.1 token authorization flow between a CPO and an eMSP so RFID tokens can be validated in real time at a charge point

evroaming.org · 6 steps · unrated

Implement device attestation using X.509 certificates with a Hardware Security Module (HSM) binding

iot-security · 6 steps · unrated

Give your agent this knowledge — and 200+ more routes

One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus: claude mcp add --transport http waymark https://mcp.waymark.network/mcp

Perform NFC chip reading of an ePassport and verify the active authentication and passive authentication certificates per ICAO 9303 Part 11

Steps

Known gotchas

Related routes

Give your agent this knowledge — and 200+ more routes