
Cert-based authentication 'on life support' at UK.gov

System isn't working, so time to look for alternatives?


Single sign-on via certificates is "on life support" at the UK Government Gateway, and there now seems a strong possibility that the Gateway will pull out the plug, and start banging heads together. Speaking to The Register earlier today Alan Mather, the UK e-Envoy's CEO of e-delivery, said that uptake of certificates wasn't anything like his team had expected, and suggested that the achievement of simple, universally available authentication processes might be a matter for government rather than industry.

The Gateway's experience of certificates seems to reflect that of industry as a whole. Most people don't bother with them, and they've singularly failed to set the world on fire. Granted, with the UK Gateway the certificates you can use only support IE and Netscape, but even if the dearth of certificates on other platforms were instantly, miraculously fixed, it wouldn't make a significant difference. Mather points out that uptake of certificates against userid/password is in the ratio 1:6 for businesses using the Gateway, and as the vast majority of visiting browsers are IE and Netscape, this simply reflects general lack of enthusiasm, rather than any Microsoft plot (he's very sensitive about this).

"It's just not a support thing," he says, and squeezing more platforms out of the current cert providers wouldn't make any difference.

"They have this year to prove themselves - but if, say, Customs decided that they weren't worth the effort then that would be that," he says. The Gateway currently uses certificates for Customs & Excise (sales tax) and PAYE (income tax). DEFRA, the department of agriculture, intends to join in with certification for the farming community, but given that certs haven't proved themselves so far (au contraire...) it takes a pretty vivid imagination to see how they might do so even by the middle of next year, never mind the end of this.

So, The Register speculated at Mather, the life support is likely to be shut off Real Soon Now. What then? "We need to pull the strands together, because commercial interests are not going to do it. Government must lead on this, and decide with the technology providers, not the certificate authorities, what's going to happen."

A simple, universally available authentication process remains essential for getting government services online, but if you look at it in that light then there's a logic to government defining the systems and spending the money necessary to make it happen.

But how? Mather says he's reluctant to spend taxpayers' money on more certificates. The Gateway staff could extend the number of platforms by simply writing the code themselves, but without certificates then miraculously becoming popular, that would be a waste of money.

Mobile phones however do present some possibilities, as they have the advantage of portability and device independence. So in principle, you could enter your ID online then have it authenticated via a code sent to your mobile phone.

But there are complications. Some 70 per cent of mobile phones in the UK are pay as you go, and therefore not specifically tied to an individual. The level of security that phones can likely achieve at the moment is equivalent to a level 1 certificate, i.e. anonymous, whereas for personal government transactions you'd want it to be tied to a tax identifier or national insurance number. And although mobile phones with certificate support are starting to ship, Nokia is in Mather's view complicating the issue by tying the certificates to the handset, rather than the SIM.

SIMs can move around from handset to handset, and the handset therefore isn't necessarily ID. So you really want it on the SIM, and if you want it universal, then you've got to get the providers to update all of their SIMs. That, he reckons, would cost around £10 per handset, which somebody would have to pay for.

It might also be possible - not that Mather himself suggested this - to simply use the weight of government to make certificates work. Maybe set up your own certificate authority, commission your own coding, commission some form of runtime browser which can be issued as a fallback for citizens wishing to transact with government, and then give everybody in the UK (or indeed Europe) a free certificate and the ability to use it on demand. Which The Register humbly suggests would concentrate the minds of the warring camps in the IT industry wonderfully. ®
