VeraSigil
Experimental
A Registration Authority and Identity Oracle that bridges notary-verified identities to multiple credential types. Verify identity once via a licensed professional, then issue S/MIME certificates, SSH certificates, PGP keys, and age verification tokens, all from that single verification.
Overview
Digital identity is fragmented. You need a PGP key for encrypted email, an SSH key for servers, an S/MIME certificate for Outlook, and no standardized way to prove your age online. Each system has its own verification process, key format, and trust model.
VeraSigil solves this with a single principle: Verify Identity Once, Issue Credentials Everywhere.
Features
- S/MIME Certificates — Outlook "Red Ribbon" email signing via ACME + RFC 8823
- SSH Certificates — Passwordless server access with built-in Certificate Authority
- PGP Keys — Encrypted email and code signing with proper cross-signatures
- Age Verification Tokens — Privacy-preserving age gates using RFC 9447
How It Works
- A licensed notary or attorney verifies your government ID (once)
- VeraSigil issues an Authority Token containing verified claims
- That token authorizes automated credential issuance across all systems
- Credentials renew automatically using IETF standard protocols
The notary verification happens once. Everything else is automated.
Technical Details
VeraSigil implements RFC 8555 (ACME), RFC 8823 (S/MIME ACME), and RFC 9447 (Authority Tokens) to bridge real-world identity verification to digital credentials. The server mode integrates with Sectigo's publicly trusted CA infrastructure for production S/MIME certificates, while maintaining a local CA for SSH and testing.
All personally identifiable information is encrypted at rest. Age verification tokens contain boolean claims (is_over_18, is_over_21) rather than raw dates of birth, preserving privacy while enabling compliance with age-gating laws.
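The boolean-claim approach described above, sketched as an added example that is not VeraSigil's own code: the issuer derives `is_over_18` and `is_over_21` from the verified date of birth and signs only those, and the verifier rejects any token carrying a claim outside an allow-list. The token layout, the HMAC key, the function names, and the 30-day lifetime are assumptions for illustration; a production issuer would sign with an asymmetric key.

```python
import base64, hashlib, hmac, json
from datetime import date, timedelta

# Assumed claim allow-list: anything else (e.g. a birth date) is treated as a leak.
ALLOWED = {"is_over_18", "is_over_21", "iat", "exp"}

def years_old(dob: date, today: date) -> int:
    # Whole years completed. Assumption: a Feb 29 birthday counts on
    # Mar 1 in non-leap years (jurisdictions differ on this).
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))

def age_claims(dob: date, today: date) -> dict:
    age = years_old(dob, today)
    return {"is_over_18": age >= 18, "is_over_21": age >= 21}

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def tag_for(body: str, key: bytes) -> str:
    return b64(hmac.new(key, body.encode(), hashlib.sha256).digest())

def issue_token(dob: date, today: date, key: bytes, ttl_days: int = 30) -> str:
    # The date of birth is used here and then dropped; it never enters the payload.
    payload = age_claims(dob, today)
    payload["iat"] = today.isoformat()
    payload["exp"] = (today + timedelta(days=ttl_days)).isoformat()
    body = b64(json.dumps(payload, sort_keys=True).encode())
    return f"{body}.{tag_for(body, key)}"

def verify_token(token: str, key: bytes, today: date) -> dict:
    body, _, tag = token.partition(".")
    # Check the signature before parsing anything from the body.
    if not hmac.compare_digest(tag.encode(), tag_for(body, key).encode()):
        raise ValueError("bad signature")
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if set(payload) - ALLOWED:
        raise ValueError("unexpected claim")  # refuse over-disclosing tokens
    if date.fromisoformat(payload["exp"]) < today:
        raise ValueError("expired")
    return {k: payload[k] for k in ("is_over_18", "is_over_21")}
```

A `false` claim goes stale once the holder's birthday passes, so short lifetimes matter for correctness as well as revocation; reissuing exactly on the birthday would also let `iat` hint at the birth date.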
Philosophy
Keybase and Monkeysphere attempted to unify digital identity but failed due to manual key management burden and lack of enterprise integration. VeraSigil automates the entire process using established IETF standards, making unified identity boring enough to actually work.