Using nitrokey for EU digital identity / digital signature

[ieugen]

Hello,

I would like to know if it's possible to use nitrokey for EU digital identity https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/europe-fit-digital-age/european-digital-identity_en .

I am aware that you need a certificate from a provider https://eidas.ec.europa.eu/efda/tl-browser/#/screen/home .

Assuming I can get a certificate from a trusted provider for Nitrokey. Could I:

• Install it on a Nitrokey (I have a Nitrokey 3A)
• Use it in a browser (Firefox) to access a service secured with a certificate, like the national tax authority of Romania https://login.anaf.ro/status.html .
• Sign PDF documents for said tax authority like https://static.anaf.ro/static/10/Anaf/Declaratii_R/AplicatiiDec/D230_v1.0.7_20042023.pdf - using Adobe Reader or (preferably) other software with similar capabilities .

NOTE: You might want to open the document with Adobe since pdf.js does not currently work with it ok.

Thanks, Eugen

[daringer]

Hey,

so "generally" this might work, but the devil's in the details. The questions I cannot answer as we haven't tested that explicitly:

• Adobe PDF signing: Depends on how they interface the Nitrokey, if it's something like PKCS you will be fine, if a mini-driver and a full CSP is needed, this will not work as of now
• Usage inside the Browser generally works fine
• Pushing a certificate onto the Smartcard also works

The only way to find out if it actually works is to try it out, my guess is that the PDF signing will be the main issue...

[ieugen]

hi @daringer , thanks for getting back to me.

I would love if we can verify these and document them for others. I have a nitrokey 3C with firmware 1.6.0 and a nitrokey HSM. I did not generate a certificate on the device yet. Used it just for FIDO/UF2 . Nitrokey HSM is unused atm.

Adobe PDF signing: Depends on how they interface the Nitrokey, if it's something like PKCS you will be fine, if a mini-driver and a full CSP is needed, this will not work as of now

Adobe works on Windows only IMO and it uses the windows subsystem. If nitrokey is visible for windows I think it should be usable. I can try this as well as soon as I generate a certificate on the key.

I think (need to check) the functionality is related to PIV https://www.nist.gov/identity-access-management/personal-identity-verification-piv .

Can you please share the guide you think it's best for me to try?

Also, Nitrokey company should check if nitrokey devices meet the technical/legal requirements according to EU law to be used in for digital signatures inside EU. That could be a new line of business for the company .