Security Mechanisms in German Electronic Identity Documents

Passive Authentication (PA)

Passive Authentication (PA) aids in verifying the authenticity and integrity of the data found on the RF (radio frequency) chips of German identity documents.

When an electronic identity document is created, the data stored on its RF chip is digitally signed. For this purpose, a Document Signer certificate is used that is itself signed by a certificate from the Country Signing Certificate Authority (CSCA) (see also: Country Signing Certificate Authority) of the nation that issued the document. This certificate is available only to the entity that has been officially commissioned by the nation in question to manufacture such documents. The CSCA certificate represents the root of the CSCA public key infrastructure (see also: Public Key Infrastructure), which is a hierarchy for certificates that prove the integrity of the data on identity documents.

When an identity document is read, the Passive Authentication protocol verifies the signature of the data stored on the document's RF chip and traces it back to the corresponding CSCA certificate. This makes it possible to determine whether the data on the identity document's RF chip is genuine and was stored there by the officially commissioned document manufacturer in question.
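The verification chain described above, as an added example that is not part of the original page or of BSI TR-03110: a simplified model in which the inspection side checks the Document Signer key against a trusted CSCA key, then the signature over the data group hashes, then each data group that was read. Assumptions: textbook RSA over Mersenne primes stands in for real signatures, a JSON hash list and a bare public key stand in for the signed security object and the X.509 certificates on a real chip, and all names, keys and data group contents are constructed.

```python
import hashlib, json

E = 65537  # public exponent shared by the toy keys

def keypair(a, b):
    """Toy RSA key from the Mersenne primes 2**a-1 and 2**b-1 (NOT secure)."""
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (modulus n, private d)

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, n, d):
    return pow(digest(data), d, n)  # textbook RSA, no padding (assumption)

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data)

def issue(data_groups, ds_n, ds_d, csca_n, csca_d):
    """Issuer side: DS key signs the data group hashes, CSCA key signs the DS key."""
    hashes = {k: hashlib.sha256(v).hexdigest() for k, v in data_groups.items()}
    sod = json.dumps(hashes, sort_keys=True).encode()
    ds_cert = str(ds_n).encode()  # stand-in for a Document Signer certificate
    return {"sod": sod, "sod_sig": sign(sod, ds_n, ds_d),
            "ds_n": ds_n, "ds_cert_sig": sign(ds_cert, csca_n, csca_d)}

def passive_authentication(chip, data_groups, csca_n):
    """Inspection side: returns (ok, reason) for the data groups that were read."""
    # 1. Trace the Document Signer key back to the trusted CSCA key.
    if not verify(str(chip["ds_n"]).encode(), chip["ds_cert_sig"], csca_n):
        return False, "DS certificate not signed by trusted CSCA"
    # 2. Check the Document Signer's signature over the hash list.
    if not verify(chip["sod"], chip["sod_sig"], chip["ds_n"]):
        return False, "signature over data group hashes invalid"
    # 3. Compare each data group read from the chip with its signed hash.
    signed = json.loads(chip["sod"])
    for name, content in data_groups.items():
        if signed.get(name) != hashlib.sha256(content).hexdigest():
            return False, f"{name} does not match signed hash"
    return True, "data is authentic and unmodified"

# Constructed sample keys and data (not real document content).
CSCA = keypair(521, 607)
DS = keypair(127, 1279)
DGS = {"DG1": b"constructed MRZ data", "DG2": b"constructed face image"}
CHIP = issue(DGS, *DS, *CSCA)
```

The check fails at step 3 when a data group is altered after signing, and at step 1 when the data was signed by a key that the CSCA never certified.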

If you are interested in further details of this procedure, please refer to Technical Guideline BSI TR-03110.