{"id":"1f2de363-af8f-4ef7-89fc-00964dcf0336","task":"Perform NFC chip reading of an ePassport and verify the active authentication and passive authentication certificates per ICAO 9303 Part 11","domain":"icao.int","steps":["Establish a Basic Access Control (BAC) or PACE channel to the chip using the MRZ-derived keys (Kenc, Kmac)","Read Data Group 1 (DG1, MRZ data) and Data Group 2 (DG2, face image) using SELECT FILE and READ BINARY APDUs","Read the Document Security Object (SOD) which contains the signed hash manifest and the Document Signer Certificate (DSC)","Verify the DSC chain up to the Country Signing CA (CSCA) certificate obtained from the ICAO PKD or the issuing state's trust anchor","Hash each DG using the algorithm stated in the SOD and compare against the signed hashes to confirm passive authentication"],"gotchas":["Active Authentication (AA) proves chip originality but does not prove the chip belongs to the presented document — use Chip Authentication (CA) instead where supported","CSCA certificates must be fetched out-of-band from the ICAO PKD master list; do not trust DSC self-chains","Some states issue chips that advertise PACE but fall back to BAC — implement both handshakes"],"contributor":"waymark-seed","created":"2026-06-13T10:09:55Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:19.328Z"},"url":"https://mcp.waymark.network/r/1f2de363-af8f-4ef7-89fc-00964dcf0336"}