Cert-based authentication 'on life support' at UK.gov

System isn't working, so time to look for alternatives?

Single sign-on via certificates is "on life support" at the UK Government Gateway, and there now seems a strong possibility that the Gateway will pull the plug and start banging heads together. Speaking to The Register earlier today Alan Mather, the UK e-Envoy's CEO of e-delivery, said that uptake of certificates wasn't anything like his team had expected, and suggested that the achievement of simple, universally available authentication processes might be a matter for government rather than industry.

The Gateway's experience of certificates seems to reflect that of industry as a whole. Most people don't bother with them, and they've singularly failed to set the world on fire. Granted, with the UK Gateway the certificates you can use only support IE and Netscape, but even if the dearth of certificates on other platforms were instantly, miraculously fixed, it wouldn't make a significant difference. Mather points out that uptake of certificates against userid/password is in the ratio 1:6 for businesses using the Gateway, and as the vast majority of visiting browsers are IE and Netscape, this simply reflects general lack of enthusiasm, rather than any Microsoft plot (he's very sensitive about this).

"It's just not a support thing," he says, and squeezing more platforms out of the current cert providers wouldn't make any difference.

"They have this year to prove themselves - but if, say, Customs decided that they weren't worth the effort then that would be that," he says. The Gateway currently uses certificates for Customs & Excise (sales tax) and PAYE (income tax). DEFRA, the department of agriculture, intends to join in with certification for the farming community, but given that certs haven't proved themselves so far (au contraire...) it takes a pretty vivid imagination to see how they might do so even by the middle of next year, never mind the end of this.

So, The Register speculated at Mather, the life support is likely to be shut off Real Soon Now. What then? "We need to pull the strands together, because commercial interests are not going to do it. Government must lead on this, and decide with the technology providers, not the certificate authorities, what's going to happen."

A simple, universally available authentication process remains essential for getting government services online, but if you look at it in that light then there's a logic to government defining the systems and spending the money necessary to make it happen.

But how? Mather says he's reluctant to spend taxpayers' money on more certificates. The Gateway staff could extend the number of platforms by simply writing the code themselves, but without certificates then miraculously becoming popular, that would be a waste of money.

Mobile phones however do present some possibilities, as they have the advantage of portability and device independence. So in principle, you could enter your ID online then have it authenticated via a code sent to your mobile phone.

But there are complications. Some 70 per cent of mobile phones in the UK are pay as you go, and therefore not specifically tied to an individual. The level of security that phones can likely achieve at the moment is equivalent to a level 1 certificate, i.e. anonymous, whereas for personal government transactions you'd want it to be tied to a tax identifier or national insurance number. And although mobile phones with certificate support are starting to ship, Nokia is in Mather's view complicating the issue by tying the certificates to the handset, rather than the SIM.

SIMs can move around from handset to handset, so the handset isn't necessarily an identifier for the person. You really want the credential on the SIM, and if you want it universal, then you've got to get the providers to update all of their SIMs. That, he reckons, would cost around £10 per handset, which somebody would have to pay for.
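To make concrete what the "enter your ID, confirm with a code sent to your phone" flow actually proves, here is the server side of such a check as an added example. It is not code from the Gateway or from anyone quoted above; the user directory, the SMS-sending callable and the parameter values are assumptions chosen for illustration. The point the code makes explicit is that a successful verification shows only that whoever is at the keyboard currently controls the enrolled phone number; whether that number is tied to a tax identifier or national insurance number is a property of the enrolment directory, not of the code exchange, which is exactly the gap Mather describes for pay-as-you-go phones and for certificates bound to the handset rather than the SIM.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Illustrative parameters (assumptions, not Gateway policy).
OTP_DIGITS = 6
OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 3


@dataclass
class PendingChallenge:
    user_id: str
    phone_number: str
    code: str
    expires_at: float
    attempts: int = 0


class SmsOtpAuthenticator:
    """Server side of an SMS one-time-code login.

    `directory` maps a user identifier to the phone number enrolled for that
    user; `send_sms(phone, text)` is supplied by the caller. Both are
    assumptions for this example. `now` is injectable so expiry can be tested.
    """

    def __init__(self, directory, send_sms, now=time.time):
        self._directory = directory
        self._send_sms = send_sms
        self._now = now
        self._pending = {}

    def start(self, user_id):
        """Issue a fresh code to the phone enrolled for user_id.

        Returns False for an unknown ID. The same response path is used
        whether or not the ID exists so the caller learns nothing extra.
        """
        phone = self._directory.get(user_id)
        if phone is None:
            return False
        # Cryptographically random digits; never derived from time or the ID.
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self._pending[user_id] = PendingChallenge(
            user_id, phone, code, self._now() + OTP_TTL_SECONDS
        )
        self._send_sms(phone, f"Your sign-in code is {code}")
        return True

    def verify(self, user_id, submitted):
        """Check a submitted code: single use, time limited, guess limited.

        A True result means the submitter controlled the enrolled number
        during the validity window. It says nothing about who owns the SIM.
        """
        ch = self._pending.get(user_id)
        if ch is None:
            return False
        if self._now() > ch.expires_at:
            del self._pending[user_id]
            return False
        ch.attempts += 1
        # Constant-time comparison so timing does not leak matching digits.
        ok = hmac.compare_digest(ch.code.encode(), submitted.encode())
        if ok or ch.attempts >= MAX_ATTEMPTS:
            # Burn the code after success (no replay) or too many guesses.
            del self._pending[user_id]
        return ok
```

Note that nothing here checks the binding between the phone number and a real person; a pay-as-you-go number enrolled under a false name passes exactly as a contract number does, which is why the article treats this flow as "level 1" unless enrolment itself is tied to an identifier.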

It might also be possible - not that Mather himself suggested this - to simply use the weight of government to make certificates work. Maybe set up your own certificate authority, commission your own coding, commission some form of runtime browser which can be issued as a fallback for citizens wishing to transact with government, and then give everybody in the UK (or indeed Europe) a free certificate and the ability to use it on demand. Which The Register humbly suggests would concentrate the minds of the warring camps in the IT industry wonderfully. ®
