This section describes the NPKD workflow operations and the different object states.

The NPKD default workflow is to download the latest objects from ICAO PKD and import them into the database. Depending on the validity checks, the objects are then published to Local LDAP servers and made available for download by inspection systems. Additionally, objects created by the home country can be uploaded to ICAO PKD.

The validation checks include signature, CRL revocation, and time validity checks. An object must pass the validation checks before it is published. An object can also be marked as ignored by an operator, which makes the object ignored for most operations. If an object, at any moment, fails a validation check or gets ignored by an operator, it is automatically unpublished and is no longer available for download by inspection systems.

Workflow operations

The following NPKD workflow operations are available:

  • Import: Imports an object to NPKD and sets its state to default. For more information, see the Import section in Operations.
  • Download: Downloads an object from ICAO PKD.
  • Upload: Uploads an object to ICAO PKD from NPKD.
  • Ignore: Unpublishes the object if it was published, and sets the state of the object to ignored.
  • Unignore: Sets the state of an object to default.
  • Publish: Sets the state of an object to published and publishes the object to local LDAP servers, making it available for download by inspection systems.
  • Unpublish: Sets the state of an object to default and unpublishes the object from local LDAP servers, making it unavailable for download by inspection systems.
  • Create master list: Signs the current master list content of selected CSCA certificates.
  • Add to master list content: When performed on a CSCA certificate, adds this certificate to the master list content.
  • Remove from master list content: When performed on a CSCA certificate, removes this certificate from the master list content.
  • Save note: Adds a note in the database associated with this object.

Note that upload means adding an object to ICAO PKD, while publish means adding an object to local LDAP servers. Additionally, an object can be published and not added to one or more Local LDAP servers due to servers being disabled or having connection issues. An object that is marked as published but not present on any of the Local LDAP servers, or marked as unpublished but present on a Local LDAP server, is considered out of sync.

Workflow states

An object can have one of the following workflow states: default (not published and not ignored), published, or ignored.

  • Default state
    1. An object ends up in this state after the import, unpublish, or unignore operation.
    2. Objects in this state are not available through any external interface (Local LDAPs) to inspection systems.
    3. Objects in this state are searchable by default.
    4. Objects in this state are used in validity checks (CSCA certificates for the signature and CRL for revocation checks).
  • Published state
    1. An object ends up in this state after the publish operation.
    2. Objects in this state are available through any external interface (Local LDAPs) to inspection systems.
    3. Objects in this state are searchable by default.
    4. Objects in this state are used in validity checks (CSCA certificates for the signature and CRL for revocation checks).
  • Ignored state
    1. An object ends up in this state after the ignore operation.
    2. Objects in this state are not available through any external interface (Local LDAPs) to inspection systems.
    3. Objects in this state are not searchable by default.
    4. Objects in this state are not used in validity checks (CSCA certificates for the signature and CRL for revocation checks).
    5. Objects in this state cannot be overwritten (CRLs, master and deviation lists).
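
The state transitions and the out-of-sync rule described above can be modelled as follows. This is an added illustration, not NPKD code: the class, function and field names are hypothetical. It assumes which states each operation may start from and treats ignored objects as unpublished for the sync check.

```python
from dataclasses import dataclass, field
from enum import Enum

class State(Enum):
    DEFAULT = "default"      # not published and not ignored
    PUBLISHED = "published"
    IGNORED = "ignored"

# operation -> (states it may start from, resulting state).
# Resulting states follow the lists above; the starting states are assumed.
TRANSITIONS = {
    "publish":   ({State.DEFAULT}, State.PUBLISHED),
    "unpublish": ({State.PUBLISHED}, State.DEFAULT),
    "ignore":    ({State.DEFAULT, State.PUBLISHED}, State.IGNORED),
    "unignore":  ({State.IGNORED}, State.DEFAULT),
}

@dataclass
class PkdObject:
    name: str
    state: State = State.DEFAULT   # import sets the state to default
    valid: bool = True             # signature, CRL revocation and time checks
    ldap_presence: dict = field(default_factory=dict)  # server name -> present?

def apply_operation(obj, operation):
    """Apply a workflow operation, refusing to publish an invalid object."""
    allowed, target = TRANSITIONS[operation]
    if obj.state not in allowed:
        raise ValueError(f"{operation} not allowed from {obj.state.value}")
    if operation == "publish" and not obj.valid:
        raise ValueError("validation checks must pass before publishing")
    obj.state = target
    return obj.state

def revalidate(obj, valid):
    """Record a new validation result; a failure unpublishes the object."""
    obj.valid = valid
    if not valid and obj.state is State.PUBLISHED:
        obj.state = State.DEFAULT
    return obj.state

def out_of_sync(obj):
    """Published but on no LDAP server, or unpublished but on at least one."""
    on_any_server = any(obj.ldap_presence.values())
    if obj.state is State.PUBLISHED:
        return not on_any_server
    return on_any_server
```

Note the asymmetry in the rule: a published object missing from only some servers is still in sync, while an unpublished object left on a single server is not.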

Revocation information

In addition to the NPKD object states, NPKD collects and updates other revocation information about objects, but unlike object states, these do not affect NPKD operations.

For example, the revocation check result is stored and updated with every CRL revocation check:

  • Unknown: The default revocation check result. It should not be possible to have an imported object with this result.
  • Disabled: Set on an object when the object is imported with the revocation check disabled. The revocation check can be disabled by unchecking the Perform CRL revocation checks on import option in the General configuration. An object with this result behaves the same way as an object that has successfully passed the revocation check.
  • No CRL: Set on an object when NPKD could not find a CRL to perform a revocation check. The option Import certificate if there is no any CRL present in the General configuration has to be enabled to import an object when NPKD could not find a CRL. An object with this result behaves the same way as an object that has successfully passed the revocation check.
  • Not revoked: Set on an object when NPKD was able to perform a successful CRL revocation check. NPKD compares the "next update" of the CRL used for the revocation check and shows the user if the CRL is outdated.
  • Revoked: Set on an object when NPKD has found a CRL that has revoked this certificate. Revoked objects are considered invalid and will get unpublished. In the case of revoked master/deviation list signer certificates, the corresponding master/deviation list will get unpublished.