EACP

European Aviation Common Public Key Infrastructure (EACP)

What is a Public Key Infrastructure (PKI)? What is a digital certificate?

A Public Key Infrastructure (PKI) is the set of hardware, software, policies, processes, and procedures required to create, manage, distribute, use, store, and revoke digital certificates.

A digital certificate is a file digitally signed by a trusted Certification Authority which attests to the binding of a public key with an identity (individual or organization) owning the corresponding private key.

A Certification Authority is a trusted third party responsible for issuing, maintaining and validating digital certificates by following well-established rules, policies and procedures as set forth by PKI standards and best practices.

What is EACP?

The European Aviation Common PKI (EACP) is a service tailored to address European aviation stakeholders’ needs in terms of cybersecurity and to comply with the Commission Implementing Regulation (EU) 2021/116 - Common Project 1 (CP1). CP1 requires the creation of a Common Public Key Infrastructure (PKI), which is used in signing, issuing and maintaining certificates and revocation lists used in inter-stakeholder communication for operational purposes, and for providing interoperability between eligible stakeholders having a Local PKI.

Setting up a cyber security trust framework is a prerequisite to ensure that the benefits of providing a given common cyber security service will not be impaired by the access to this service by any entity. EUROCONTROL naturally and by convention offers such a trust framework to the aviation entities within its Member States, Comprehensive Agreement States plus Iceland.

EACP is composed of two aspects:

  1. A cyber Trust Framework established as part of the NDTECH/IMT/CYBERG group.
    • The EACP Trust Framework will act in accordance with the procedures and eligibility criteria managed by the CYBERG.
  2. The provision of PKI services to the EACP users.
    • The EACP consists of procuring Commercial Off-The-Shelf digital certificates, using a PKI provider selected via a Call For Tenders procurement procedure launched by EUROCONTROL.
    • The management of PKI “interoperability” by publishing a Certificate Trust List (CTL).

EACP will provide the following PKI services:

  1. Digital Certificates:
    • provide various certificate types derived from the user needs for building EACP use cases;
    • implement the different certificate provisioning protocols: http-based interface, ACME (Automated Certificate Management Environment), SCEP (Simple Certificate Enrollment Protocol), REST API (REpresentational State Transfer Application Programming Interface), and bulk;
    • configure the revocation checking services: Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP);
    • provide the repository(ies) for certificate and CRL publication.
  2. Registration Authority:
    • provide the technical and procedural means to support the role of Registration Authority (RA) fulfilled by EUROCONTROL;
    • support delegating Registration Authority activities to some EACP members such that they act as a Local Registration Authority (LRA).
  3. Interoperability:
    • assess the eligibility of a local PKI that is a candidate for an EACP Certificate Trust List (CTL), by either validating an official PKI audit certificate, reviewing the result and report of an internal PKI assessment, or having EUROCONTROL conduct a PKI assessment using the EACP assessment framework. More information is detailed in the document “EACP criteria and methodology for interoperability”, which can be requested by contacting [email protected].
    • digitally sign and publish a CTL made of eligible and trusted Certification Authorities (EACP itself and eligible Local PKIs).

Procurement is made by and in the name of EUROCONTROL in accordance with the EUROCONTROL Contract Regulations, to support the provision of PKI services in order to procure digital certificates and to support the Certificate Trust List (CTL) management. EACP users will be able to use PKI services from the same contract, under an appropriate agreement between EUROCONTROL and EACP users (users of digital certificates, CTL or Local Registration Authority (LRA)).

[Figure: map of functionalities of EACP PKI]

Why EACP?

The Commission Implementing Regulation (EU) 2021/116 of 1 February 2021 lays down requirements for Common Project One and, more specifically, in section 5.1.2 of its Annex, the system requirements, specifying that “Stakeholders must ensure that all SWIM yellow profile technical infrastructure services can make use of the common Public Key Infrastructure (PKI) when it becomes operational in order to achieve the cyber security objectives appropriate for the services.”

What is the aim of EACP?

  • To facilitate the “interoperability” (cross recognition) of digital certificates by providing a single trust reference (list of trusted certification authorities issuing digital certificates) for all European aviation stakeholders.
  • To provide a cost-effective solution for EUROCONTROL (much cheaper than through the current contractual framework) and to the aviation stakeholders of EUROCONTROL Member States and Comprehensive Agreements States plus Iceland.
  • To improve the cyber security of European aviation by facilitating (technically and financially) access to the use of digital certificates.

Who can benefit from EACP?

Currently, the EACP service is delivered to the aviation stakeholders of EUROCONTROL Member States and Comprehensive Agreements States.

However, there could be a need in the near future to provide this service to some trusted non-EUROCONTROL Member State entities. The adjective “trusted” is key as EACP includes a Trust Framework, meaning that only entities which are recognised as trusted will be entitled to subscribe to this service.

How to become a user of EACP?

Contact us at [email protected] to initiate the EACP eligibility procedure.

How to use EACP? What changes are needed in your SWIM services and other systems, services and applications?

If you are a SWIM Service Provider or Consumer and need guidance on using and integrating the European Aviation Common PKI into your systems, want to be aware of the challenges and constraints you may encounter, or want to know what changes may need to be made to your systems to use EACP, please consult the guide below.

Most of the guidance applies to any system, service or application intending to use EACP.

European Aviation Common PKI
Guidance to SWIM Providers and Consumers

How to get a Local PKI recognised as trusted by EACP?

A stakeholder that intends to use its Local PKI and make it “interoperable” (recognised as trusted) with EACP should contact EUROCONTROL ([email protected]) in order to initiate the assessment.

Once assessed as eligible, the Local PKI CA will appear in the EACP Certificate Trust List (CTL).

This assessment (initial and continuous) is subject to a fee to be paid to EUROCONTROL.

How to access the EACP technical documentation?

Certificate Policy (CP), Certification Practices Statement (CPS) and PKI Disclosure Statements (PDS) can be found here: https://repo.harica.gr/procedures.php

Please contact us if you wish to learn more or have any inquiries about the European Aviation Common Public Key Infrastructure (EACP).