Cert-based authentication 'on life support' at UK.gov

System isn't working, so time to look for alternatives?

Single sign-on via certificates is "on life support" at the UK Government Gateway, and there now seems a strong possibility that the Gateway will pull out the plug, and start banging heads together. Speaking to The Register earlier today Alan Mather, the UK e-Envoy's CEO of e-delivery, said that uptake of certificates wasn't anything like his team had expected, and suggested that the achievement of simple, universally available authentication processes might be a matter for government rather than industry.

The Gateway's experience of certificates seems to reflect that of industry as a whole. Most people don't bother with them, and they've singularly failed to set the world on fire. Granted, with the UK Gateway the certificates you can use only support IE and Netscape, but even if the dearth of certificates on other platforms were instantly, miraculously fixed, it wouldn't make a significant difference. Mather points out that uptake of certificates against userid/password is in the ratio 1:6 for businesses using the Gateway, and as the vast majority of visiting browsers are IE and Netscape, this simply reflects general lack of enthusiasm, rather than any Microsoft plot (he's very sensitive about this).

"It's just not a support thing," he says, and squeezing more platforms out of the current cert providers wouldn't make any difference.

"They have this year to prove themselves - but if, say, Customs decided that they weren't worth the effort then that would be that," he says. The Gateway currently uses certificates for Customs & Excise (sales tax) and PAYE (income tax). DEFRA, the department of agriculture, intends to join in with certification for the farming community, but given that certs haven't proved themselves so far (au contraire...) it takes a pretty vivid imagination to see how they might do so even by the middle of next year, never mind the end of this.

So, The Register speculated at Mather, the life support is likely to be shut off Real Soon Now. What then? "We need to pull the strands together, because commercial interests are not going to do it. Government must lead on this, and decide with the technology providers, not the certificate authorities, what's going to happen."

A simple, universally available authentication process remains essential for getting government services online, but if you look at it in that light then there's a logic to government defining the systems and spending the money necessary to make it happen.

But how? Mather says he's reluctant to spend taxpayers' money on more certificates. The Gateway staff could extend the number of platforms by simply writing the code themselves, but without certificates then miraculously becoming popular, that would be a waste of money.

Mobile phones however do present some possibilities, as they have the advantage of portability and device independence. So in principle, you could enter your ID online then have it authenticated via a code sent to your mobile phone.

But there are complications. Some 70 per cent of mobile phones in the UK are pay as you go, and therefore not specifically tied to an individual. The level of security that phones can likely achieve at the moment is equivalent to a level 1 certificate, i.e. anonymous, whereas for personal government transactions you'd want it to be tied to a tax identifier or national insurance number. And although mobile phones with certificate support are starting to ship, Nokia is in Mather's view complicating the issue by tying the certificates to the handset, rather than the SIM.

SIMs can move around from handset to handset, and the handset therefore isn't necessarily ID. So you really want it on the SIM, and if you want it universal, then you've got to get the providers to update all of their SIMs. That, he reckons, would cost around £10 per handset, which somebody would have to pay for.

It might also be possible - not that Mather himself suggested this - to simply use the weight of government to make certificates work. Maybe set up your own certificate authority, commission your own coding, commission some form of runtime browser which can be issued as a fallback for citizens wishing to transact with government, and then give everybody in the UK (or indeed Europe) a free certificate and the ability to use it on demand. Which The Register humbly suggests would concentrate the minds of the warring camps in the IT industry wonderfully. ®
