e-Envoy's office defends Windows-only portal – climb down begins?

Commissioning open source research, will consider alternatives - they're wobbling...

  • alert
  • submit to reddit

High performance access to file storage

The Office of the e-Envoy is hotly - but not very convincingly - disputing claims that the Microsoft-built UK government portal, gateway.gov.uk, constitutes a Microsoft tax. The authentication systems used for the portal, which is intended to form the cornerstone of the Blair government's plan to get 100 per cent of its services online by 2005, means that you need to be running a combination of IE and Windows to be able to use all the services.

In response to what seems to be a barrage of irate emails directed at e-Envoy Andrew Pinder, one Keith Roberts of the Office of the e-Envoy has been sending out a detailed explanation of the current situation. In, we kid you not, Microsoft Word format. (We've got four of these already now peeps, by the way, so thanks, but you can stop sending them.)

The document is authored by one John Wailing, the luckless individual whose email address (john.wailing@cabinet-office.x.gsi.gov.uk) Roberts is giving out for further queries. But the system seems to be standard - just remember it's Keith A Roberts.

Wailing's explanation more or less confirms what Linuxuser says on the subject. The system requires HTTPS with 128-bit or better encryption, and this bit is a doddle for everybody. But it's the next stage where the problems kick in. "This guarantees the confidentially of the process and enables the client to verify that they are communicating with the Government Gateway. But, it provides no authentication of the client to the Gateway."

So this is done either by a password of the user's choosing, or via a digital certificate. "The second method is preferred (and required for some transactions) but is dependent on the client having commercially available PKI software already installed and the user obtaining an X.509 certificate. Currently, we only have arrangements with ChamberSign and Equifax. The Entrust and Equifax software equates to tScheme level 2."

At this juncture you might begin to wonder whether the limitation mightn't be - effectively - self-imposed. Compelling the use of certificate-based authentication for some services, probably all of the more important ones, when the scope of certificate-based systems is still limited, and further constrained by the government's choice of suppliers, could be said to be a little weird.

But here comes another constraint that you might just consider to be a smoking pistol. Microsoft is committed to standards, right, and .NET is all about XML, which is a standard. Not only that, but as Microsoft says in its announcement of the deal with uk.gov, "the Government Gateway, the new Microsoft .NET Enterprise Server solution is an XML-based portal..." So as far as MS is concerned, the Government Gateway is a Microsoft .NET service.

The Microsoft strategy for XML and numerous other cutting edge standards is to be ahead of the curve, so the company implements standards that maybe aren't quite general standards yet, and its rivals come panting along behind. The authentication for gateway.gov.uk operates as follows: the Gateway requests that an XML object be signed. It "delivers an XML object to the client together with a signed Java applet and some JavaScript. The Java applet adds some envelope information to the XML object and then uses the API provided by the PKI commercial package supplier to get the object signed. The applet then posts the object back to the gateway."

According to Wailing, two constraints follow from this. First, "although standards are followed in that Java applets are signed with X.509 certificates, the mechanism used to package and sign the applets is proprietary. For example, Microsoft use a cab file and sign it using MS Authenticode whereas Netscape use a jar file and sign it with NS Object signing technology. Consequently, separately packaged applets have to be created for each browser and each package has to be signed with a separate certificate (from Entrust).

"The second difficulty is the availability of packages to manage certificates on platforms other that Microsoft Windows. Such packages also need to support APIs that can be called by Java applets."

So there you go, having chosen a system and an implementation that is currently skewed towards Microsoft, the Government Gateway only supports, er, Microsoft properly. But at this point Wailing's document seems to start to move into climb-down mode. "The issue is not about being vendor neutral; rather it is a problem with the way standards are implemented by vendors and a lack of offerings to manage digital certificates.

"Other browsers (running under Windows, Unix or Linux) can provide the required SSL connectivity but the ability to manage certificates on open source platforms needs investigating. The Office of the e-Envoy will be funding some activity by the open source community to address this issue. [our emphasis, but note that there was considerable open source knowledge and expertise within the government prior to the e-Envoy's arrival on the scene - what has he done with it?]

"The security model described above met the design objectives but if alternatives are proposed, they will be considered." [our emphasis again] Pounce now, and maybe it's an open goal.

On the subject of security models, it's currently at least arguable that there is a trend away from PKI-based systems and towards more accessible (and traditional) username/password systems. Several Register readers in New Zealand have drawn our attention to a similar project carried out for the New Zealand Inland Revenue by EDS*. This replaced a universally accessible system with a certificate-based one that locked out Macs. After much furore this was dumped in July of last year in favour of 128-bit encryption and username/password login. As a Revenue spokesman said, "Digital certificates are all lovely and wonderful but we've discovered that it can have a lot of issues for the user."

So is the Government Gateway's authenticatrion system the shape of things to go? ®

* It has been claimed to us that although Microsoft and Dell have loudly claimed credit for the UK Gateway, it's actually EDS that's doing a lot of the work. If this is the case, we'd advise them to shut up about it and let the other two cop all the crap instead.

Related Stories

Opera to challenge e-envoy over UK govt 'Windows tax'
MS-built UK 'Government Gateway' locks out non-MS browsers

Linuxuser investigation


A thorough IDG investigation of the New Zealand case

Some of our Mac support is missing
Let's not do it after all then

High performance access to file storage

More from The Register

next story
Android engineer: We DIDN'T copy Apple OR follow Samsung's orders
Veep testifies for Samsung during Apple patent trial
Windows 8.1, which you probably haven't upgraded to yet, ALREADY OBSOLETE
Pre-Update versions of new Windows version will no longer support patches
Microsoft lobs pre-release Windows Phone 8.1 at devs who dare
App makers can load it before anyone else, but if they do they're stuck with it
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Half of Twitter's 'active users' are SILENT STALKERS
Nearly 50% have NEVER tweeted a word
Windows XP still has 27 per cent market share on its deathbed
Windows 7 making some gains on XP Death Day
Internet-of-stuff startup dumps NoSQL for ... SQL?
NoSQL taste great at first but lacks proper nutrients, says startup cloud whiz
US taxman blows Win XP deadline, must now spend millions on custom support
Gov't IT likened to 'a Model T with a lot of things on top of it'
Batten down the hatches, Ubuntu 14.04 LTS due in TWO DAYS
Admins dab straining server brows in advance of Trusty Tahr's long-term support landing
prev story


Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.