Saturday, September 21, 2002
The US are moving ahead with their e-authentication/gateway-type project. Somewhat bizarrely, the folks there seem to be still at the stage of analysing what security levels different transactions will need. Pretty much everyone has to do this and the conclusion is always the same: no security (e.g. payments, after all, government will take money from whoever sends it); a bit of security (user id/passwords - for transactions where there is limited risk or controllable risk); quite a lot of security (where you need to be sure the person you are dealing with absolutely is that person and here the only answer today is digital certificates issued to particular guidelines); and, finally, perfect security (passports, driving licences etc as these are the documents that get you pretty much anything else in life, like bank accounts and so on). I'm a bit startled that this work is still going on - policy docs have been written on this the world over. Our own UK-version, called "t-scheme" has been around for a couple of years now. More importantly perhaps, the article says that they're ready to launch a prototype gateway this month ... I've looked around for it but it's nowhere to be seen yet. Maybe later in the month. There is a quote in the article that says the US might be looking for an industy partnership - vendors build it and charge a transaction fee to government (or, more likely, the agency that is using it - although this falls down with joined up transactions usually). But clearly this means that a version has been built, which is only for test ... and another one will be built sometime over the next year, ready for launch in September 2003. The other important quote is "The launch of the prototype gateway coincides with GSA’s announcement that the Agriculture Department’s National Finance Center, the Defense Department, NASA and the Treasury Department have signed up to use the Federal Bridge Certification Authority. The bridge lets agencies accept other agencies’ digital certificates using a public-key infrastructure to verify users’ identities online". We've been there. Certificates are on life support in the UK. I will watch with great anticipation how that works out. There is a lot to learn on using certificates for online transactions - the issuance process needs to be simple, the technology standards need to be clean and clear, the certificates need to be portable across platforms and so on. I wish them luck.
Posted by Alan at Saturday, September 21, 2002