search
Ctrlk

OFAC & CSCA Auto-Updaters

Self Pass relies on two automated systems to keep verification data current: the OFAC sanctions list updater and the CSCA certificate tree updater. These run automatically and require no action from developers integrating Self Pass.

hashtag
OFAC Sanctions List Updater

The OFAC (Office of Foreign Assets Control) auto-updater keeps the on-chain sanctions Merkle tree synchronized with the latest US Treasury OFAC sanctions data. This enables Self Pass to perform real-time sanctions screening as part of the zero-knowledge proof generation process.

How it works:

  1. The updater fetches the latest OFAC sanctions data from the Self API

  2. Three separate Merkle trees are maintained for different matching strategies:

    • Passport number + nationality — exact document match

    • Name + date of birth — biographical match

    • Name + year of birth — broader biographical match

  3. The updated Merkle roots are submitted on-chain to the registry contract

  4. When users generate proofs with OFAC enabled, the circuit verifies non-inclusion in these trees

ID card verification uses a subset of these trees (skipping the passport-number tree).

hashtag
CSCA Certificate Tree Updater

The CSCA (Country Signing Certificate Authority) auto-updater maintains the Merkle tree of trusted certificate authority public keys used to validate passport signatures.

How it works:

  1. The updater fetches the latest certificates from the ICAO (International Civil Aviation Organization) masterlist

  2. Public keys are extracted and validated against known Subject Key Identifiers (SKIs)

  3. A Merkle tree is constructed from the validated public keys (~500 CSCAs, tree depth 12)

  4. The updated root is submitted on-chain

This ensures that newly issued or rotated country signing certificates (which typically cycle every 3-5 years) are recognized by the verification system. The tree supports permissionless leaf addition, meaning new certificates can be added by anyone.

hashtag
For Developers

These systems are transparent to developers integrating Self Pass. When you enable OFAC checking in your disclosure configuration (ofac: true), the proof generation and verification automatically use the latest sanctions data. Similarly, passport signature verification always uses the most current CSCA tree.

The updater scripts live in the Self Protocol contracts repositoryarrow-up-right.

Last updated