💾 Archived View for notes.nicfab.eu › en › gemlogen › 2023 › 2023-02-20-digital-identity_en.gmi captured on 2023-05-24 at 17:44:48. Gemini links have been rewritten to link to archived content
The topic of digital identity is broad and has involved intense debate over the past few years with the production of numerous contributions.
In Europe, the
better known as eIDAS 2, was published in June 2021.
This proposed regulation is an evolution of EU Regulation 910/2014, eIDAS (electronic IDentification, Authentication and trust Services), and stipulates that by 2024 every EU member state will have to make a Digital Identity Wallet available to every citizen who wants one.
The proposed eIDAS 2 regulation is still pending, and the 2024 target is ambitious.
However, every day we are confronted with aspects of digital identity, especially when exchanging emails: we would like to know who our recipients are, and to be able to prove to them that we are the senders of our emails.
In Italy there is PEC (Posta Elettronica Certificata), and the REM (Registered Electronic Mail) project proposes to create an international standard (see the document
Digital identity for emails is possible through the use of an S/MIME (Secure/Multipurpose Internet Mail Extensions) certificate, defined by several technical documents of the IETF (Internet Engineering Task Force), among which we mention
The S/MIME certificate is issued by a Certification Authority and, because of its characteristics, is usually issued for a fee.
A good free solution is the Web Key Directory (WKD).
Web Key Directory refers to a protocol (the IETF currently has under review the latest draft, dated 14/11/2022) by which the OpenPGP public keys of email accounts, uploaded to web servers, can be located, circumventing the need for dedicated keyservers. The lookup starts from an email address, from which the relevant public key is retrieved over HTTPS.
The IETF document we just mentioned describes both the problem and the solution.
OpenPGP is typically used for email encryption, but locating the correct public key for a recipient can take time: one can query keyservers, yet several keys may have been generated for the same email address.
Therefore, the Web Key Directory can be configured on one's web server or through the
As noted above, the IETF draft describes the solution, but a more precise document is available in the documents section of
More extensive guidance is available on the
In summary, if the email client supports WKD, then once the address has been typed it initiates the lookup and reports whether or not a public key exists on the Web for that address.
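The lookup described above turns an email address into a URL in a fixed way. The following is an added example written for this page (not code from the post or from the draft's authors): it lowercases the local part, hashes it with SHA-1, encodes the digest in z-base-32 and builds the two URL layouts the draft defines, the "advanced" one on an openpgpkey subdomain and the "direct" one on the domain itself, together with the policy file each layout expects. Function names and the use of info@nicfab.eu as sample input are this example's own choices.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet (the encoding the WKD draft prescribes for the hashed local part)
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32 (no padding characters; 20 bytes give 32 chars)."""
    nbits = len(data) * 8
    nchars = -(-nbits // 5)  # ceil(nbits / 5)
    # Right-pad the bit string to a multiple of 5 so the last group is complete.
    value = int.from_bytes(data, "big") << (nchars * 5 - nbits)
    return "".join(
        ZBASE32_ALPHABET[(value >> ((nchars - 1 - i) * 5)) & 0x1F]
        for i in range(nchars)
    )


def wkd_hash(local_part: str) -> str:
    """Hashed local part: SHA-1 of the lowercased local part, z-base-32 encoded."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """Return the advanced and direct WKD key URLs and policy URLs for an address."""
    local_part, sep, domain = address.rpartition("@")
    if not sep or not local_part or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()  # DNS names are case-insensitive; keep the URL canonical
    hashed = wkd_hash(local_part)
    # The ?l= query carries the local part as written (not lowercased), percent-encoded.
    query = "?l=" + quote(local_part, safe="")
    return {
        "hash": hashed,
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hashed}{query}",
        "advanced_policy": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/policy",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hashed}{query}",
        "direct_policy": f"https://{domain}/.well-known/openpgpkey/policy",
    }


if __name__ == "__main__":
    # Sample inputs constructed for this example; no network access is performed.
    for addr in ("info@nicfab.eu", "Joe.Doe@Example.ORG"):
        print(addr)
        for name, url in wkd_urls(addr).items():
            print(f"  {name:16} {url}")
```

Running it for info@nicfab.eu lets you compare the generated advanced URL with the one quoted further down in this post. Note what a successful lookup does and does not establish: the client has found a key published under that hashed local part by whoever controls the domain's HTTPS endpoint, so the assurance rests on TLS and on the domain operator's publishing process, which is why the curl and wget commands later in the post force TLS 1.3 and refuse redirects.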
Among email providers using WKD, it is worth mentioning
ProtonMail (as of November 2018)
and
As ProtonMail users, we performed tests with our email accounts for which WKD is active. While writing a message, as soon as the recipient's email address is entered, ProtonMail performs the WKD lookup and adds a green padlock indicating that the public key has been found.
In this way, it is possible to exchange encrypted messages and simultaneously be sure of the existence of an email address.
We decided to set up our own WKD to provide more security and to make it easier to identify the public keys of our email addresses.
Currently, for emails from the nicfab.eu and fabiano.law domains, it is possible to "discover" the public key using WKD.
With the tool
it is possible to check whether the WKD system is active for a given email address.
You can verify our email address as follows.
From the Digital Terminal app, run the following command (write the email address in its standard form, i.e. with @ in place of -at-):
gpg --locate-external-keys info-at-nicfab.eu
You will find the public key in the response.
You can obtain the same result by typing the following command:
gpg --auto-key-locate clear,wkd --locate-external-keys info-at-nicfab.eu
Using the Web Key Directory tool of Metacode, you obtain a URL for use with the next command.
Alternatively, to download the public key directly, you can use the following commands:
curl --tlsv1.3 -o nicfab.eu "https://openpgpkey.nicfab.eu/.well-known/openpgpkey/nicfab.eu/hu/mg6owx9w8c3ejg3tu31f4tha5n17d4rj?l=info"
or
wget --secure-protocol=TLSv1_3 --max-redirect=0 -O nicfab.eu "https://openpgpkey.nicfab.eu/.well-known/openpgpkey/nicfab.eu/hu/mg6owx9w8c3ejg3tu31f4tha5n17d4rj?l=info"
If this resource was helpful, you could contribute by
Or donate via
Stay tuned!