
Using nitrokey for EU digital identity / digital signature

Open ieugen opened this issue 2 years ago • 2 comments

Hello,

I would like to know if it's possible to use Nitrokey for EU digital identity https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/europe-fit-digital-age/european-digital-identity_en .

I am aware that you need a certificate from a provider https://eidas.ec.europa.eu/efda/tl-browser/#/screen/home .

Assuming I can get a certificate from a trusted provider for Nitrokey, could I:

  • Install it on a Nitrokey (I have a Nitrokey 3A)
  • Use it in a browser (Firefox) to access a service secured with a certificate, like the national tax authority of Romania https://login.anaf.ro/status.html .
  • Sign PDF documents for said tax authority like https://static.anaf.ro/static/10/Anaf/Declaratii_R/AplicatiiDec/D230_v1.0.7_20042023.pdf - using Adobe Reader or (preferably) other software with similar capabilities.

NOTE: You might want to open the document with Adobe since pdf.js does not currently work with it ok.

Thanks, Eugen

ieugen, Jan 13 '24 20:01

Hey,

So "generally" this might work, but the devil's in the details. The questions I cannot answer, as we haven't tested that explicitly:

  • Adobe PDF signing: Depends on how they interface the Nitrokey. If it's something like PKCS you will be fine; if a mini-driver and a full CSP are needed, this will not work as of now
  • Usage inside the browser generally works fine
  • Pushing a certificate onto the smartcard also works

The only way to find out if it actually works is to try it out; my guess is that the PDF signing will be the main issue...

daringer, Jan 23 '24 12:01

Hi @daringer, thanks for getting back to me.

I would love it if we can verify these and document them for others. I have a Nitrokey 3C with firmware 1.6.0 and a Nitrokey HSM. I did not generate a certificate on the device yet. Used it just for FIDO/UF2. Nitrokey HSM is unused atm.

> Adobe PDF signing: Depends on how they interface the Nitrokey, if it's something like PKCS you will be fine, if a mini-driver and a full CSP is needed, this will not work as of now

Adobe works on Windows only IMO and it uses the Windows subsystem. If the Nitrokey is visible to Windows I think it should be usable. I can try this as well as soon as I generate a certificate on the key.

I think (need to check) the functionality is related to PIV https://www.nist.gov/identity-access-management/personal-identity-verification-piv .

Can you please share the guide you think is best for me to try?

Also, the Nitrokey company should check if Nitrokey devices meet the technical/legal requirements according to EU law to be used for digital signatures inside the EU. That could be a new line of business for the company.

ieugen, Jan 23 '24 17:01

Hello, can you please share more info on how this was "completed"? I found this part, but it is only related to Windows: https://docs.nitrokey.com/nitrokey3/windows/piv/ . I would like to use it with Firefox / Chrome on Linux and maybe to sign PDFs.

Thank you for taking a look into this. I do hope I get to use the key :)

ieugen, Jul 25 '24 12:07

First of all, this repository is about documentation and not the right channel for support requests.

AFAIK devices storing cryptographic keys for EU digital identities and the like require a certification which our products don't have.

Regarding PDF signing, this video might help.

jans23, Jul 25 '24 13:07