Feeds

Cert-based authentication 'on life support at UK.gov

System isn't working, so time to look for alternatives?

  • alert
  • submit to reddit

The Essential Guide to IT Transformation

Single sign-on via certificates is "on life support" at the UK Government Gateway, and there now seems a strong possibility that the Gateway will pull out the plug, and start banging heads together. Speaking to The Register earlier today Alan Mather, the UK e-Envoy's CEO of e-delivery, said that uptake of certificates wasn't anything like his team had expected, and suggested that the achievement of simple, universally available authentication processes might be a matter for government rather than industry.

The Gateway's experience of certificates seems to reflect that of industry as a whole. Most people don't bother with them, and they've singularly failed to set the world on fire. Granted, with the UK Gateway the certificates you can use only support IE and Netscape, but even if the dearth of certificates on other platforms were instantly, miraculously fixed, it wouldn't make a significant difference. Mather points out that uptake of certificates against userid/password is in the ratio 1:6 for businesses using the Gateway, and as the vast majority of visiting browsers are IE and Netscape, this simply reflects general lack of enthusiasm, rather than any Microsoft plot (he's very sensitive about this).

"It's just not a support thing," he says, and squeezing more platforms out of the current cert providers wouldn't make any difference.

"They have this year to prove themselves - but if, say, Customs decided that they weren't worth the effort then that would be that," he says. The Gateway currently uses certificates for Customs & Excise (sales tax) and PAYE (income tax). DEFRA, the department of agriculture, intends to join in with certification for the farming community, but given that certs haven't proved themselves so far (au contraire...) it takes a pretty vivid imagination to see how they might do so even by the middle of next year, never mind the end of this.

So, The Register speculated at Mather, the life support is likely to be shut off Real Soon Now. What then? "We need to pull the strands together, because commercial interests are not going to do it. Government must lead on this, and decide with the technology providers, not the certificate authorities, what's going to happen."

A simple, universally available authentication process remains essential for getting government services online, but if you look at it in that light then there's a logic to government defining the systems and spending the money necessary to make it happen.

But how? Mather says he's reluctant to spend taxpayers' money on more certificates. The Gateway staff could extend the number of platforms by simply writing the code themselves, but without certificates then miraculously becoming popular, that would be a waste of money.

Mobile phones however do present some possibilities, as they have the advantage of portability and device independence. So in principle, you could enter your ID online then have it authenticated via a code sent to your mobile phone.

But there are complications. Some 70 per cent of mobile phones in the UK are pay as you go, and therefore not specifically tied to an individual. The level of security that phones can likely achieve at the moment is equivalent to a level 1 certificate, i.e. anonymous, whereas for personal government transactions you'd want it to be tied to a tax identifier or national insurance number. And although mobile phones with certificate support are starting to ship, Nokia is in Mather's view complicating the issue by tying the certificates to the handset, rather than the SIM.

SIMs can move around from handset to handset, and the handset therefore isn't necessarily ID. So you really want it on the SIM, and if you want it universal, then you've got to get the providers to update all of their SIMs. That, he reckons, would cost around £10 per handset, which somebody would have to pay for.

It might also be possible - not that Mather himself suggested this - to simply use the weight of government to make certificates work. Maybe set up your own certificate authority, commission your own coding, commission some form of runtime browser which can be issued as a fallback for citizens wishing to transact with government, and then give everybody in the UK (or indeed Europe) a free certificate and the ability to use it on demand. Which The Register humbly suggests would concentrate the minds of the warring camps in the IT industry wonderfully. ®

Build a business case: developing custom apps

More from The Register

next story
iPad? More like iFAD: We reveal why Apple fell into IBM's arms
But never fear fanbois, you're still lapping up iPhones, Macs
Sonos AXES support for Apple's iOS4 and 5
Want to use your iThing? You can't - it's too old
Amazon says Hachette should lower ebook prices, pay authors more
Oh yeah ... and a 30% cut for Amazon to seal the deal
Philip K Dick 'Nazi alternate reality' story to be made into TV series
Amazon Studios, Ridley Scott firm to produce The Man in the High Castle
Nintend-OH NO! Sorry, Mario – your profits are in another castle
Red-hatted mascot, red-colored logo, red-stained finance books
Joe Average isn't worth $10 a year to Mark Zuckerberg
The Social Network deflates the PC resurgence with mobile-only usage prediction
Chips are down at Broadcom: Thousands of workers laid off
Cellphone baseband device biz shuttered
Feel free to BONK on the TUBE, says Transport for London
Plus: Almost NOBODY uses pay-by-bonk on buses - Visa
Twitch rich as Google flicks $1bn hitch switch, claims snitch
Gameplay streaming biz and search king refuse to deny fresh gobble rumors
Stick a 4K in them: Super high-res TVs are DONE
4,000 pixels is niche now... Don't say we didn't warn you
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.