Digital identity: the challenges
The topic of digital identity is broad and has involved intense debate over the past few years with the production of numerous contributions.
In Europe, the “proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Regulation (EU) No 910/2014 as regards the establishment of a framework for a European digital identity”, better known as eIDAS 2, was published in June 2021.
This proposed regulation is an evolution of EU Regulation 910/2014, eIDAS (electronic IDentification, Authentication and trust Services), and stipulates that by 2024 every EU member state will have to make a Digital Identity Wallet available to every citizen who wants one.
The proposed eIDAS 2 regulation is still pending, and the 2024 target is ambitious.
However, every day we are confronted with aspects of digital identity, especially when exchanging emails: we would like to know who our recipients are, and we would like to prove to them that we really are the senders of our emails.
PEC (Posta Elettronica Certificata) exists in Italy, but with the REM (Registered Electronic Mail) project, it is proposed to create an international standard (see the document ETSI - EN 319 532-4).
Digital identity for emails is possible through the use of a S/MIME (Secure/Multipurpose Internet Mail Extensions) certificate defined by several technical documents of the IETF (Internet Engineering Task Force), among which we mention RFC 8551.
The S/MIME certificate is issued by a Certification Authority and is usually chargeable because of its characteristics.
A good free solution is the Web Key Directory (WKD).
Web Key Directory
Web Key Directory refers to a protocol (the IETF has under review the draft of the latest version, which is dated 14/11/2022) by which OpenPGP public keys of email accounts that are uploaded to servers can be identified, circumventing the need for dedicated keyservers. The verification starts with an email address for which the search for the relevant public key is initiated through the HTTPS protocol.
The IETF document we just mentioned describes both the problem and the solution.
OpenPGP is typically used for email encryption, but locating the correct public key for a recipient can take time: one can consult keyservers, but several keys may have been published for the same email address, with no way to tell which one is current.
WKD addresses this: the Web Key Directory can be hosted on one's own web server, or a "WKD as a service" provider can be used.
As noted above, the IETF draft describes the solution, but a more practical guide is available in the documents section of Keyoxide.org.
More extensive guidance is available on the GnuPG wiki.
In summary, if the email client is WKD-ready (we mean it has that feature), after typing the address, it will initiate the search and return the result confirming or not that a public key exists on the Web for that address.
As ProtonMail users, we performed tests with our email accounts for which WKD is active. At the message writing stage, when entering the recipient’s email address, ProtonMail searches with the WKD protocol and adds a green padlock symbolizing the correct detection of the public key.
In this way, it is possible to exchange encrypted messages and simultaneously be sure of the existence of an email address.
We decided to set up our own WKD to provide more security and to make it easier to identify the public keys of our email addresses.
Currently, for emails from the nicfab.eu and fabiano.law domains, it is possible to “discover” the public key using WKD.
With the tool Web Key Directory by Metacode, it is possible to check whether the WKD system is active for a given email address; you can use it to verify our email address.
Our GnuPG Public Key
From the Terminal app, run the following command (the email address is written here with "-at-" in place of "@"; substitute the real address when you run it):
gpg --locate-external-keys info-at-nicfab.eu
You will find the public key in the response.
You can obtain the same result by typing the following command:
gpg --auto-key-locate clear,wkd --locate-external-keys info-at-nicfab.eu
You can download the public key directly by using the following commands (you can obtain the URL with the tool Web Key Directory by Metacode inputting the email address):
curl --tlsv1.3 -o nicfab.eu "https://openpgpkey.nicfab.eu/.well-known/openpgpkey/nicfab.eu/hu/mg6owx9w8c3ejg3tu31f4tha5n17d4rj?l=info"
wget --secure-protocol=TLSv1_3 --max-redirect=0 -O nicfab.eu "https://openpgpkey.nicfab.eu/.well-known/openpgpkey/nicfab.eu/hu/mg6owx9w8c3ejg3tu31f4tha5n17d4rj?l=info"
Credits duxsco/duxsco for the commands above.
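To make the lookup behind those commands concrete, here is an added Python example (not code from the original post, nor from GnuPG or Metacode) that builds the two WKD lookup URLs for an address the way the IETF draft describes them (SHA-1 of the lower-cased local part, z-base-32 encoded, advanced method on the openpgpkey subdomain first, then the direct method on the bare domain) and then walks them in the client's order against a constructed in-memory directory that stands in for real HTTPS requests. The percent-encoding of the l parameter and the advanced-then-direct fallback are this example's reading of the draft, not behaviour verified against GnuPG; the sample key bytes are constructed.

```python
"""WKD lookup URLs and lookup order (added example, not from the original post)."""
import base64
import hashlib
from typing import Callable, Optional, Tuple
from urllib.parse import quote

# WKD encodes the SHA-1 digest with z-base-32; we derive it from the RFC 4648
# base32 alphabet by re-mapping characters (20 bytes -> exactly 32 characters,
# so no padding is ever produced).
_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"
_TO_ZB32 = str.maketrans(_B32, _ZB32)


def wkd_hash(local_part: str) -> str:
    """SHA-1 of the lower-cased local part, z-base-32 encoded (the 'hu' path segment)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_ZB32)


def wkd_urls(email: str) -> Tuple[str, str]:
    """Return (advanced_url, direct_url) for an address.

    The advanced method lives on an 'openpgpkey' subdomain and repeats the domain
    in the path; the direct method is served from the domain itself.
    """
    local_part, _, domain = email.rpartition("@")
    if not local_part or not domain:
        raise ValueError(f"not an email address: {email!r}")
    domain = domain.lower()
    h = wkd_hash(local_part)
    # The l= parameter carries the local part as typed; percent-encoding it is an
    # assumption made here for safety with unusual characters.
    l_param = quote(local_part, safe="")
    advanced = (f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                f"{domain}/hu/{h}?l={l_param}")
    direct = f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l_param}"
    return advanced, direct


def lookup_key(email: str,
               fetch: Callable[[str], Optional[bytes]]) -> Tuple[Optional[str], Optional[bytes]]:
    """Try the advanced method first, then the direct method, as a WKD client does.

    `fetch` takes a URL and returns the response body, or None on any failure
    (DNS miss for the subdomain, TLS error, HTTP 404). Returns (url, key_bytes)
    for the first hit, or (None, None) when no key is published for the address.
    """
    for url in wkd_urls(email):
        body = fetch(url)
        if body:
            return url, body
    return None, None


# Constructed stand-in for the web: maps the advanced-method URL from the post
# to constructed key bytes (a real WKD response is the binary OpenPGP key).
FAKE_DIRECTORY = {
    "https://openpgpkey.nicfab.eu/.well-known/openpgpkey/nicfab.eu/hu/"
    "mg6owx9w8c3ejg3tu31f4tha5n17d4rj?l=info": b"<constructed binary OpenPGP key>",
}


if __name__ == "__main__":
    for addr in ("info@nicfab.eu", "nobody@example.invalid"):
        url, key = lookup_key(addr, FAKE_DIRECTORY.get)
        print(addr, "->", url if url else "no key published via WKD")
```

Because the hash is computed from the lower-cased local part only, Info@nicfab.eu and info@nicfab.eu map to the same file, while the domain never enters the hash: it selects the server, not the filename. That is also why a client must perform the lookup over HTTPS for the address's own domain; the hash by itself proves nothing about who published the key.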