Wednesday, October 16, 2002


I knew I was going to get into trouble over the digital certs piece on The Register, per this posting, "Dead Cert" from Bill Thompson. I think it's worth me putting a bit more background to the story: some of the history, the issues and what might be done.

When I started work on the Government Gateway around two years ago (can it really be that long?), one of the first issues was whether to support digital certificates or not. At the time, there was a policy that said that four levels of transaction existed (from 0, meaning no authentication, to 3, full notarised authentication). Level 1 could be handled by userid/password (where there was minimal risk that information would be disclosed or financial loss would result if it was compromised) and level 2 needed a digital certificate (because there was a higher risk with the transaction). So ... in reality, paying money to government would be level 0 (who cares who you are if you are paying money to government?), 1 would be for something like checking the status of an existing transaction (perhaps finding out when your passport would be ready to collect), 2 would be for claiming child benefit and 3 would be the "gold standard", perhaps for getting a passport or a driving licence. That was all written up in a lengthy document which I inherited to execute against.

tScheme was in its infancy and there were no certificate issuers to speak of, although Chambersign was just starting up, BT were doing some stuff with Verisign and the banks were just getting together around Identrus. What we didn't know was whether departments would start off wanting to use certificates for their transactions. MAFF (now DEFRA) had done some trials the previous year with certificates and found some significant challenges. But there was not much else to study for lessons learnt. MAFF decided to come on board with the Gateway from day one, as did Customs and Excise and the Inland Revenue.
Customs and MAFF opted for certificates, both aiming at business customers (with quite a high overlap; pretty much every farmer is also VAT registered). So, off the team went to figure out how to make certificates work. The W3C people were still working on the standard for signing XML, so we took the early drafts and some very smart people spent a lot of time figuring out how to get the XML into a standard format, sign it, send it to the Gateway, check the signature (against non-existent revocation lists!) and then pass the transaction to the department, minus the stuff that they didn't need to know about (principally the envelope). Sounds easy. Turns out it's not. It was quickly realised that a Java applet was needed that would be "plugged in" to the browser, that would find the XML, canonicalise it (put it in a standard format ready for signing so that we could be sure of what we were receiving) and then send it to the Gateway via the submission protocol that we had developed to ensure delivery. The folks that developed IE had put certs in a special place and written an API (CryptoAPI) that did a lot of the work for us, so the applet was quite simple (and runs to about 70 KB if I remember correctly). The Netscape folks didn't put the certs in the same place and didn't have the API, so we had to write all that stuff (and that took a lot more time, and the applet was over 400 KB I think). Other browsers didn't have the capability that we needed, so we didn't support them initially, hoping that some standards would emerge and we would be able to pick them up as they came. Those standards, despite good work all round, are not in place, and Linux browsers, as far as I can tell, don't support certs the way IE and Netscape do. The applets were written by people from Viacode (who were using certificate technology from Entrust); some very smart people at Microsoft designed the signing process and wrote the Gateway end of the deal.
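To make the canonicalise / sign / verify / strip-the-envelope pipeline described above concrete, here is a small Go program added to this post as an illustration. It is not code from the Gateway, Viacode or Microsoft, and everything in it is constructed: the Submission/Envelope/Body element names, the VAT figures, the certificate serial numbers. The canonicaliser is a deliberately reduced stand-in for W3C C14N (attributes sorted, whitespace-only text dropped, no namespace or comment handling); the map of revoked serials stands in for the revocation list that did not exist at the time; and the signature is plain RSA PKCS#1 v1.5 over SHA-256 rather than the XML-DSig envelope the early W3C drafts defined.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"sort"
	"strings"
)

// Constructed sample, not a real Gateway message: the document as the
// browser-side applet sees it, with the whitespace a serialiser might add.
const appletDocument = `<?xml version="1.0"?>
<Submission>
  <Envelope>
    <Service>VAT-Return</Service>
    <Sender>farmer@example.com</Sender>
  </Envelope>
  <Body>
    <VATReturn vrn="123456789" period="2002-Q3">
      <OutputTax>1250.00</OutputTax>
      <InputTax>830.50</InputTax>
    </VATReturn>
  </Body>
</Submission>`

// The same information as it might arrive at the Gateway after being
// re-serialised in transit: no declaration, different whitespace,
// attribute order and quoting. Byte-for-byte different, semantically equal.
const gatewayDocument = `<Submission><Envelope><Service>VAT-Return</Service><Sender>farmer@example.com</Sender></Envelope><Body><VATReturn period='2002-Q3' vrn='123456789'><OutputTax>1250.00</OutputTax><InputTax>830.50</InputTax></VATReturn></Body></Submission>`

// canonicalize re-serialises a document into one fixed byte form so that
// both ends hash the same bytes. Reduced stand-in for W3C C14N.
func canonicalize(doc string) (string, error) {
	dec := xml.NewDecoder(strings.NewReader(doc))
	var out bytes.Buffer
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			break
		}
		if err != nil {
			return "", err
		}
		switch t := tok.(type) {
		case xml.StartElement:
			attrs := append([]xml.Attr(nil), t.Attr...)
			sort.Slice(attrs, func(i, j int) bool { return attrs[i].Name.Local < attrs[j].Name.Local })
			out.WriteString("<" + t.Name.Local)
			for _, a := range attrs { // sorted, double-quoted, escaped
				out.WriteString(" " + a.Name.Local + "=\"")
				xml.EscapeText(&out, []byte(a.Value))
				out.WriteString("\"")
			}
			out.WriteString(">")
		case xml.EndElement: // self-closing tags come out expanded
			out.WriteString("</" + t.Name.Local + ">")
		case xml.CharData: // drop whitespace-only text, escape the rest
			if s := strings.TrimSpace(string(t)); s != "" {
				xml.EscapeText(&out, []byte(s))
			}
		} // processing instructions and comments are dropped
	}
	return out.String(), nil
}

// signDocument is the applet side: canonicalise, hash, sign with the
// private key behind the user's certificate.
func signDocument(doc string, key *rsa.PrivateKey) ([]byte, error) {
	canon, err := canonicalize(doc)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(canon))
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// signer is what the Gateway extracts from the submitter's certificate;
// constructed stand-in for parsing a real X.509 certificate.
type signer struct {
	Serial string
	Pub    *rsa.PublicKey
}

// gatewayVerify is the Gateway side: reject revoked certificates, recompute
// the canonical form independently, check the signature, then return only
// the Body, which is all the department needs to see.
func gatewayVerify(doc string, sig []byte, s signer, revoked map[string]bool) (string, error) {
	if revoked[s.Serial] {
		return "", errors.New("certificate revoked")
	}
	canon, err := canonicalize(doc)
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256([]byte(canon))
	if err := rsa.VerifyPKCS1v15(s.Pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", fmt.Errorf("signature check failed: %w", err)
	}
	var msg struct {
		XMLName xml.Name `xml:"Submission"`
		Body    struct {
			Inner string `xml:",innerxml"`
		} `xml:"Body"`
	}
	if err := xml.Unmarshal([]byte(canon), &msg); err != nil {
		return "", err
	}
	return msg.Body.Inner, nil // envelope stripped
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	sig, err := signDocument(appletDocument, key)
	if err != nil {
		panic(err)
	}
	s := signer{Serial: "4711", Pub: &key.PublicKey}
	revoked := map[string]bool{"0815": true} // constructed stand-in for a CRL
	body, err := gatewayVerify(gatewayDocument, sig, s, revoked)
	fmt.Println(body, err)
	_, err = gatewayVerify(strings.Replace(gatewayDocument, "1250.00", "125.00", 1), sig, s, revoked)
	fmt.Println(err) // tampered body: signature check failed
}
```

The point the program makes is the one the applet had to solve: the Gateway never sees the bytes the applet hashed, only whatever arrives after transport and re-serialisation, so the two ends must agree exactly on the canonical form or every honest submission fails verification while a reordered attribute gets through. The revocation step is shown as a map lookup because that is the check that was missing at the time; with a real CRL it would be the same test against the certificate's serial number.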
We were, I believe, the first people in the world to get digital signing of XML to W3C standards working. I'm proud of that and proud that the people who put so much effort into this from across the various teams were able to get it all working so quickly (remember, Gateway V1 was built from start to finish in about 90 days). By the time we were live, Viacode was selling its certificates through Chambersign. Shortly afterwards, Equifax launched their certificates (for about half the price of Chambersign, or £25). Then there was a big gap ... no-one else came to market. Take-up was slow: partly because there was an overhead in getting a certificate, partly because you had to pay for them, partly because once you had one there was not much else to do with it. The commercial sector didn't pick up on them; none of the online banks required them (although we had many conversations with all of the banks and they were all "just about to do something": B2B was a key driver, better security and whatever). All of this came to nothing in the commercial world, frustratingly. So, with few providers, only government wanting certificates and the technology issues that came with the certificates (which caused endless problems and gave the helpdesks some fun and games to deal with), there was not much success. Now, nearly two years on from launch, it's clear that they are not working ... I noted in the Register piece that for every six businesses sending PAYE online (which only needs a userid/password), there is one business doing VAT and perhaps half a farmer. Not big volumes. We need to change this.
Either they get easier to use (which means the browser providers standardise: one place for the certs, one API etc.); we find something else (smart cards need readers and are similarly non-standard, so please don't suggest those; Quizid looks interesting and might be part of the solution; USB tokens with certificates have similar problems to normal certificates but are at least portable; mobile phones don't seem to fit as more than 70% are pay-as-you-go); or we give up and continue to use userid/password and take the risk (after all, today we rely on signatures which every bank will tell you are not at all reliable). But if a simple signature works fine in the offline world, why ask for more online? Because it's an opportunity to improve security, reduce fraud and do a better job. I don't think government issuing certificates gets round this problem. Why? Because certificates are inherently not portable: lots of people use the Internet at work, and a certificate today is installed on one PC and is difficult (but not impossible) to move around. And because they are not transferable between channels: there is no chance of certificates working on digital TV for a while (although for ages I thought that the second smart card slot on Sky boxes might help), and if you need to do a follow-up phone call we won't be able to use your digital certificate to authenticate you. This is hard. It's going to take some "banging heads together", as John Lettice said, and some really good thinking. I'm open to all ideas. Not giving up yet ... but definitely heart massage is required to get this one going.
