Signing GMail Messages with the Estonian eID PKI Card (Part 1)
After reading several articles about the Estonian eID, such as this one:
it becomes clear that the eID ecosystem needs more use cases. Cyrus Farivar (the author of the above article) already mentions how he used the system to sign an email, but there are some shortcomings, some of which he points out himself in his article:
- The first problem is that for these types of systems to become popular, they need to be extremely easy to use. Cyrus has used PGP before, which is admittedly one of the more complicated crypto systems to use, so he had an advantage over Joe Doe. I want to build a prototype system that is very easy to use (think: highlight some text, click “sign”, and out comes the signature, with a similar process to verify it).
- As Cyrus pointed out:
Worse, there appears to be no equivalent of a PGP keyserver. I couldn’t find an obvious way to locate someone’s public key
There is a way, but it is not obvious at all, as we’ll see later in this article (there may be an easier way that I haven’t come across yet; I admit I haven’t dug around too hard or even contacted their support).
In the following video I’ll showcase a proof-of-concept Chrome plugin that lets you sign an email (or any text, really) by simply highlighting the text and clicking a single button. In part two I’ll show how to verify this signature. This proof of concept is by no means ready, for a number of reasons:
- The plugin only works on Linux at the moment. To save a bunch of work I used a very naive script that leverages pkcs15-crypt. Ideally this should be implemented as a self-contained solution.
- The pkcs15-crypt script contains the private PIN in plaintext, a definite security no-no. A fixable problem for those who have the time🙂
In this video I’ll just demo how to sign an email; in the second part I’ll extend the Chrome plugin to verify a signature.
Before presenting the plugin, let’s address Cyrus’ point that there isn’t a public key server. There is one, in the form of an LDAP server. There is also an OCSP server, though that is a paid subscription service. To use the LDAP server, you’ll need an LDAP browser. I used Apache Directory Studio, with the following settings for the LDAP connection:
When you connect, you see a bunch of folders (“organizational units” in LDAP parlance). If you navigate to c=EE, o=ESTEID (DIGI-ID E-RESIDENT), ou=digital signature, you’ll see a list of e-residents with their public certificates, as shown below.
There’s your public key server. I’ll be leveraging this in the second part of the series when we come to verify a signature. Note in the above figure how every person has a “serial number”, which is also printed on the front of the e-ID card. Using this service and the serial number, we should in theory be able to verify any Estonian e-resident’s signature. So stay tuned for part 2🙂
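To make the two back-end pieces above concrete, here is an added example (my own illustration, not the plugin code from the post or its GitHub repo). It covers both the signing step and the directory lookup: the text is hashed locally and only the digest is handed to pkcs15-crypt, which is run without a --pin argument so that it prompts for the PIN on the terminal instead of the PIN sitting in a script; and the LDAP search is built from the base DN the post navigates to, with the serial number escaped per RFC 4515 so an arbitrary input string cannot alter the filter. Assumptions not taken from the post: the OpenSC pkcs15-crypt CLI is on PATH, the key id comes from pkcs15-tool --list-keys, the ldap3 package is installed, the person's entry carries the serial number in the serialNumber attribute and the certificate in userCertificate;binary, and LDAP_HOST is a placeholder to replace with the host from the connection settings shown in the post.

```python
"""Added example (not the post's plugin code): hash-and-sign via pkcs15-crypt
with an interactive PIN prompt, and an LDAP lookup of a certificate by serial.

Assumptions (not from the post): pkcs15-crypt on PATH, ldap3 installed,
LDAP_HOST replaced with the real directory host from the post's settings.
"""
import hashlib
import subprocess
import tempfile
from pathlib import Path

# Base DN exactly as the post navigates it in Apache Directory Studio.
BASE_DN = "ou=digital signature,o=ESTEID (DIGI-ID E-RESIDENT),c=EE"
LDAP_HOST = "ldap.example.invalid"  # placeholder, not a real server
LDAP_PORT = 389


def sha256_digest(text: str) -> bytes:
    """Hash the highlighted text; only the 32-byte digest goes to the card."""
    return hashlib.sha256(text.encode("utf-8")).digest()


def sign_text(text: str, key_id: str) -> bytes:
    """Sign the digest with pkcs15-crypt.

    No --pin is passed, so pkcs15-crypt prompts for the PIN on the terminal
    and the PIN never lives in a script, argv or the environment (the
    plaintext-PIN problem the post calls out). Returns the raw signature.
    """
    with tempfile.TemporaryDirectory() as tmp:
        digest_path = Path(tmp, "digest.bin")
        sig_path = Path(tmp, "sig.bin")
        digest_path.write_bytes(sha256_digest(text))
        subprocess.run(
            ["pkcs15-crypt", "--sign", "--key", key_id, "--sha-256", "--pkcs1",
             "--input", str(digest_path), "--output", str(sig_path)],
            check=True,
        )
        return sig_path.read_bytes()


def escape_ldap_filter_value(value: str) -> str:
    """RFC 4515 escaping so a caller-supplied serial cannot change the filter
    (classic LDAP-injection hardening; order of replacement is irrelevant
    because each character is mapped exactly once)."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)


def build_search(serial_number: str) -> tuple[str, str]:
    """Return (base DN, filter) selecting one person's digital-signature entry
    by the serial number printed on the card (attribute name is an assumption)."""
    return BASE_DN, f"(serialNumber={escape_ldap_filter_value(serial_number)})"


def fetch_certificates(serial_number: str) -> list[bytes]:
    """Anonymous-bind to the directory and return the DER certificates found."""
    from ldap3 import SUBTREE, Connection, Server  # assumption: ldap3 installed

    base, flt = build_search(serial_number)
    conn = Connection(Server(LDAP_HOST, port=LDAP_PORT), auto_bind=True)
    conn.search(base, flt, search_scope=SUBTREE,
                attributes=["userCertificate;binary"])
    certs: list[bytes] = []
    for entry in conn.response:
        if entry.get("type") != "searchResEntry":
            continue
        certs.extend(entry["raw_attributes"].get("userCertificate;binary", []))
    conn.unbind()
    return certs


if __name__ == "__main__":
    # Constructed sample input; the lookup and signing need a card/directory.
    print(build_search("constructed-serial-0000"))
    print(sha256_digest("hello e-residency").hex())
```

fetch_certificates returns the raw DER blobs; in part two these would be parsed and the signature checked against the public key inside, which is where the serial-to-certificate binding from the directory becomes the trust anchor.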
In the meantime, enjoy the video showing the plugin in action below. PS: all the code I used so far can be found in my GitHub repo, here: