💾 Archived View for notes.nicfab.eu › en › gemlogen › 2023 › 2023-02-20-digital-identity_en.gmi captured on 2023-09-08 at 16:03:30. Gemini links have been rewritten to link to archived content


2023-02-20 - Digital identity: Web Key Directory as a possible solution

Digital identity: the challenges

The topic of digital identity is broad and has involved intense debate over the past few years with the production of numerous contributions.

In Europe, the

proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Regulation (EU) No 910/2014 as regards the establishment of a framework for a European digital identity,

better known as eIDAS 2, was published in June 2021.

This proposed regulation is an evolution of EU Regulation 910/2014, eIDAS (electronic IDentification, Authentication and trust Services), and stipulates that by 2024 every EU member state will have to make a Digital Identity Wallet available to every citizen who wants one.

The proposed eIDAS 2 regulation is still pending, and the 2024 target is ambitious.

However, we are confronted daily with aspects of digital identity, especially when exchanging emails. We would like to know who our recipients are, and we would like our recipients to be sure that we are the senders of our emails.

PEC (Posta Elettronica Certificata) exists in Italy, but with the REM (Registered Electronic Mail) project, it is proposed to create an international standard (see the document

ETSI - EN 319 532-4).

Digital identity for emails is possible through the use of an S/MIME (Secure/Multipurpose Internet Mail Extensions) certificate, defined by several technical documents of the IETF (Internet Engineering Task Force), among which we mention

RFC 8551.

An S/MIME certificate is issued by a Certification Authority and, because of the identity checks involved, is usually a paid service.

A good free solution is the Web Key Directory (WKD).

Web Key Directory

Web Key Directory refers to a protocol

the IETF has under review the draft of the latest version, which is dated 14/11/2022

by which the OpenPGP public keys of email accounts can be discovered on the web server of the email domain, circumventing the need for dedicated keyservers. The lookup starts from an email address: the client derives a URL from it and retrieves the corresponding public key over HTTPS.

The IETF document we just mentioned describes both the problem and the solution.

OpenPGP is typically used for email encryption, but locating the correct public key for a recipient may take time. One can refer to keyservers, but sometimes several keys have been uploaded for the same email address, and nothing on a keyserver proves which one belongs to the address owner.

Therefore, the Web Key Directory can be configured on one's own web server, or one can rely on

WKD as a service.

As noted above, the IETF draft describes the solution, but a more practical, step-by-step document is available in the documents section of

Keyoxide.org

More extensive guidance is available on the

GnuPG wiki

In summary, if the email client is WKD-ready (that is, it implements the protocol), then after the address has been typed it will initiate the lookup and report whether or not a public key for that address exists on the Web.

Among email providers using WKD, it is worth mentioning

ProtonMail (as of November 2018)

and

Mailfence (as of 11/18/2021).

As ProtonMail users, we performed tests with our email accounts for which WKD is active. At the message writing stage, when entering the recipient's email address, ProtonMail searches with the WKD protocol and adds a green padlock symbolizing the correct detection of the public key.

In this way, it is possible to exchange encrypted messages and simultaneously be sure of the existence of an email address.

Our WKD

We decided to set up our own WKD to provide more security and to make it easier to identify the public keys of our email addresses.

Currently, for emails from the nicfab.eu and fabiano.law domains, it is possible to "discover" the public key using WKD.

With the tool

Web Key Directory by Metacode

it is possible to check whether the WKD system is active for a given email address.

You can verify our email address as follows.

Our GnuPG Public Key

From a terminal, run the following command (write the email address in its standard form, i.e. with @ in place of -at-):

gpg --locate-external-keys info-at-nicfab.eu

You will find the public key in the response.

You can obtain the same result by typing the following command:

gpg --auto-key-locate clear,wkd --locate-external-keys info-at-nicfab.eu

Using the

Web Key Directory of Metacode tool

you obtain the WKD URL of the key, which is the URL used in the next commands.

Alternatively, to download the public key directly, you can use one of the following commands:

curl --tlsv1.3 -o nicfab.eu "https://openpgpkey.nicfab.eu/.well-known/openpgpkey/nicfab.eu/hu/mg6owx9w8c3ejg3tu31f4tha5n17d4rj?l=info"

or

wget --secure-protocol=TLSv1_3 --max-redirect=0 -O nicfab.eu "https://openpgpkey.nicfab.eu/.well-known/openpgpkey/nicfab.eu/hu/mg6owx9w8c3ejg3tu31f4tha5n17d4rj?l=info"
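The long "hu/..." segment in the URLs above is not arbitrary: a WKD-ready client derives it from the email address alone, so it can fetch the key without any directory service. The following Python script is added here as an illustration and is not code from the original post, from GnuPG or from the Metacode tool. It implements the derivation as specified in the IETF draft (SHA-1 of the ASCII-lowercased local part, encoded in z-base-32) and builds both URLs a client tries, the "advanced" one on the openpgpkey subdomain and the "direct" one on the domain itself. It also shows the publisher side, writing the same layout to a local directory (the key bytes are a constructed placeholder, not a real key) and resolving it again, so the round trip can be checked offline.

```python
import hashlib
import os
import tempfile
from typing import Dict, Optional
from urllib.parse import quote

# z-base-32 alphabet used by WKD for the hashed local part.
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32 without padding (the form WKD uses)."""
    acc, nbits, out = 0, 0, []
    for byte in data:
        acc = (acc << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32_ALPHABET[(acc >> nbits) & 0x1F])
    if nbits:  # never reached for a 160-bit SHA-1 digest; kept for general input
        out.append(ZBASE32_ALPHABET[(acc << (5 - nbits)) & 0x1F])
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """Name of the file under 'hu/': z-base-32 of SHA-1 over the ASCII-lowercased local part."""
    lowered = "".join(c.lower() if "A" <= c <= "Z" else c for c in local_part)
    return zbase32_encode(hashlib.sha1(lowered.encode("utf-8")).digest())


def wkd_urls(email: str) -> Dict[str, str]:
    """Both lookup URLs a WKD-ready client tries: advanced method first, then direct."""
    local_part, _, domain = email.rpartition("@")
    domain = domain.lower()
    name = wkd_hash(local_part)
    query = "?l=" + quote(local_part, safe="")  # original local part, for the server's information
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{name}{query}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{name}{query}",
    }


def _base_dir(webroot: str, domain: str, advanced: bool) -> str:
    base = os.path.join(webroot, ".well-known", "openpgpkey")
    return os.path.join(base, domain.lower()) if advanced else base


def publish_key(webroot: str, email: str, key_bytes: bytes, advanced: bool = True) -> str:
    """Publisher side: write a binary (unarmored) public key into the WKD layout under webroot.

    Also creates the empty 'policy' file that the draft requires next to 'hu/'.
    Returns the path of the file written.
    """
    local_part, _, domain = email.rpartition("@")
    base = _base_dir(webroot, domain, advanced)
    hu_dir = os.path.join(base, "hu")
    os.makedirs(hu_dir, exist_ok=True)
    with open(os.path.join(base, "policy"), "ab"):
        pass
    path = os.path.join(hu_dir, wkd_hash(local_part))
    with open(path, "wb") as fh:
        fh.write(key_bytes)
    return path


def resolve_key(webroot: str, email: str, advanced: bool = True) -> Optional[bytes]:
    """Client side of the same layout, read from local disk instead of over HTTPS."""
    local_part, _, domain = email.rpartition("@")
    path = os.path.join(_base_dir(webroot, domain, advanced), "hu", wkd_hash(local_part))
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return fh.read()


def roundtrip_demo() -> bool:
    """Publish a constructed placeholder blob and resolve it again; the mixed-case
    address on the publish side shows that the hash is case-insensitive."""
    fake_key = b"CONSTRUCTED PLACEHOLDER, not a real OpenPGP key"
    with tempfile.TemporaryDirectory() as webroot:
        publish_key(webroot, "Info@nicfab.eu", fake_key)
        return resolve_key(webroot, "info@nicfab.eu") == fake_key


if __name__ == "__main__":
    for method, url in wkd_urls("info@nicfab.eu").items():
        print(f"{method:8s} {url}")
    print("roundtrip ok:", roundtrip_demo())
```

Running the script reproduces the advanced-method URL quoted in the curl and wget commands above. Note that the file served under hu/ must be the binary key, not the ASCII-armored form, which is why the downloaded file can be inspected with gpg --show-keys but not opened as text; and that the empty policy file is what tells a client the domain participates in WKD at all.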

If this resource was helpful, you could contribute by

Buy me a coffee

Or donate via

Liberapay

Follow us on Mastodon

Stay tuned!