e-Envoy's office defends Windows-only portal – climb down begins?
Commissioning open source research, will consider alternatives - they're wobbling...
The Office of the e-Envoy is hotly - but not very convincingly - disputing claims that the Microsoft-built UK government portal, gateway.gov.uk, constitutes a Microsoft tax. The authentication systems used for the portal, which is intended to form the cornerstone of the Blair government's plan to get 100 per cent of its services online by 2005, means that you need to be running a combination of IE and Windows to be able to use all the services.
In response to what seems to be a barrage of irate emails directed at e-Envoy Andrew Pinder, one Keith Roberts of the Office of the e-Envoy has been sending out a detailed explanation of the current situation. In, we kid you not, Microsoft Word format. (We've got four of these already now peeps, by the way, so thanks, but you can stop sending them.)
The document is authored by one John Wailing, the luckless individual whose email address (email@example.com) Roberts is giving out for further queries. But the system seems to be standard - just remember it's Keith A Roberts.
Wailing's explanation more or less confirms what Linuxuser says on the subject. The system requires HTTPS with 128-bit or better encryption, and this bit is a doddle for everybody. But it's the next stage where the problems kick in. "This guarantees the confidentially of the process and enables the client to verify that they are communicating with the Government Gateway. But, it provides no authentication of the client to the Gateway."
So this is done either by a password of the user's choosing, or via a digital certificate. "The second method is preferred (and required for some transactions) but is dependent on the client having commercially available PKI software already installed and the user obtaining an X.509 certificate. Currently, we only have arrangements with ChamberSign and Equifax. The Entrust and Equifax software equates to tScheme level 2."
At this juncture you might begin to wonder whether the limitation mightn't be - effectively - self-imposed. Compelling the use of certificate-based authentication for some services, probably all of the more important ones, when the scope of certificate-based systems is still limited, and further constrained by the government's choice of suppliers, could be said to be a little weird.
But here comes another constraint that you might just consider to be a smoking pistol. Microsoft is committed to standards, right, and .NET is all about XML, which is a standard. Not only that, but as Microsoft says in its announcement of the deal with uk.gov, "the Government Gateway, the new Microsoft .NET Enterprise Server solution is an XML-based portal..." So as far as MS is concerned, the Government Gateway is a Microsoft .NET service.
According to Wailing, two constraints follow from this. First, "although standards are followed in that Java applets are signed with X.509 certificates, the mechanism used to package and sign the applets is proprietary. For example, Microsoft use a cab file and sign it using MS Authenticode whereas Netscape use a jar file and sign it with NS Object signing technology. Consequently, separately packaged applets have to be created for each browser and each package has to be signed with a separate certificate (from Entrust).
"The second difficulty is the availability of packages to manage certificates on platforms other that Microsoft Windows. Such packages also need to support APIs that can be called by Java applets."
So there you go, having chosen a system and an implementation that is currently skewed towards Microsoft, the Government Gateway only supports, er, Microsoft properly. But at this point Wailing's document seems to start to move into climb-down mode. "The issue is not about being vendor neutral; rather it is a problem with the way standards are implemented by vendors and a lack of offerings to manage digital certificates.
"Other browsers (running under Windows, Unix or Linux) can provide the required SSL connectivity but the ability to manage certificates on open source platforms needs investigating. The Office of the e-Envoy will be funding some activity by the open source community to address this issue. [our emphasis, but note that there was considerable open source knowledge and expertise within the government prior to the e-Envoy's arrival on the scene - what has he done with it?]
"The security model described above met the design objectives but if alternatives are proposed, they will be considered." [our emphasis again] Pounce now, and maybe it's an open goal.
On the subject of security models, it's currently at least arguable that there is a trend away from PKI-based systems and towards more accessible (and traditional) username/password systems. Several Register readers in New Zealand have drawn our attention to a similar project carried out for the New Zealand Inland Revenue by EDS*. This replaced a universally accessible system with a certificate-based one that locked out Macs. After much furore this was dumped in July of last year in favour of 128-bit encryption and username/password login. As a Revenue spokesman said, "Digital certificates are all lovely and wonderful but we've discovered that it can have a lot of issues for the user."
So is the Government Gateway's authenticatrion system the shape of things to go? ®
* It has been claimed to us that although Microsoft and Dell have loudly claimed credit for the UK Gateway, it's actually EDS that's doing a lot of the work. If this is the case, we'd advise them to shut up about it and let the other two cop all the crap instead.
A thorough IDG investigation of the New Zealand case
Sponsored: Customer Identity and Access Management