About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion





  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.


Population-scale PKI

By Dave Birch posted Feb 1 2008 at 12:38 PM

[Dave Birch] The Land Registry, the government agency that records who owns Britain's land and buildings, has spent the past decade developing an e-conveyancing system to make buying and selling houses easier and more certain. It's going to be using PKI to secure the system. Authorised parties will be able to exchange information quickly, securely and reliably with each other and the Land Registry. Documents will be encrypted and "signed" with a digital certificate, and people will require a secure token, username and password to produce and read the documents. Final testing is underway and when it goes live, expected in early summer, it will be able to process up to 300,000 documents a day and support up to half a million security "certificates" from property professionals such as conveyance attorneys.

It sounds like a great system. Let's hope that it's designed and implemented to a high standard, because systems like this one have no margin for error. Even when bad implementation leads to errors that aren't serious, as with the UK Passport Office, it can have a very bad impact on confidence. Look at the impact of yesterday's HMRC failure: no data was lost or compromised, yet public faith in government ID has been seriously undermined.

Of course, when bad implementation or an incomplete understanding of PKI leads to errors that are serious, the results can be disastrous. India has a PKI-based digital signature system managed through digital certificates issued by licensed CAs. The CAs are authenticated by the Controller of Certifying Authorities (CCA), who is the root certifying authority in India. Every digital certificate owner therefore needs to download the digital certificate of the certifying authority as well as the digital certificate of the Controller when he has to install or verify the end user certificate in his system. In October 2007, this CCA site (which is supposed to be 24/7) went down. This meant that no one could authenticate certificate chains. I've no idea how much this actually cost businesses, but in a future society where all sorts of transactions are conducted digitally and demand authentication, this kind of centralised solution is an obvious weakness. Surely an intelligent terrorist would want to cripple this kind of root rather than waste time blowing up the odd building here and there.

Still, I'm sure it's now well understood that building a large identity management system with a single central point-of-failure is, essentially, designing-in failure.
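An added example, not code from the original post or from any CCA system: one way a relying party can stop depending on the root's website being reachable is to accept the root certificate from a local cache or any mirror, trusting it only if it matches a fingerprint obtained out of band. The source names, the `AnchorStore` class and the certificate bytes are constructed for illustration.

```python
import hashlib


class AnchorUnavailable(Exception):
    """No cache entry and no source produced bytes matching the pin."""


class AnchorStore:
    """Resolve a CA certificate by pinned SHA-256 fingerprint.

    Trust comes from the pin, not from where the bytes were fetched,
    so a cache or any mirror can stand in for the central site.
    """

    def __init__(self, sources, cache=None):
        self.sources = sources  # list of (name, fetch); fetch() returns bytes or raises OSError
        self.cache = {} if cache is None else cache

    def get(self, pinned_sha256):
        if pinned_sha256 in self.cache:
            return self.cache[pinned_sha256], "cache"
        errors = []
        for name, fetch in self.sources:
            try:
                blob = fetch()
            except OSError as exc:  # outage: try the next source
                errors.append(f"{name}: {exc}")
                continue
            if hashlib.sha256(blob).hexdigest() != pinned_sha256:
                errors.append(f"{name}: fingerprint mismatch")  # wrong or altered file
                continue
            self.cache[pinned_sha256] = blob  # keep for the next outage
            return blob, name
        raise AnchorUnavailable("; ".join(errors))


def primary_down():
    raise ConnectionError("primary site unreachable")  # simulated outage


def demo():
    root = b"constructed bytes standing in for a DER-encoded root certificate"
    pin = hashlib.sha256(root).hexdigest()  # assumed to be distributed out of band
    store = AnchorStore([("primary", primary_down),
                         ("mirror-a", lambda: root + b"altered"),
                         ("mirror-b", lambda: root)])
    first = store.get(pin)                       # primary down, mirror-a rejected
    store.sources = [("primary", primary_down)]  # now every remote source is down
    second = store.get(pin)                      # still resolves, from the cache
    return root, first, second
```

A relying party with neither a cached copy nor a second source gets `AnchorUnavailable` as soon as the single site goes down, which is the situation the post describes.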

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]




At least they got the distributed validation right as part of the infrastructure, now let's see if they can deploy it properly (e.g. maybe more than a single validation responder). This really is an interesting application and has a chance to show e-commerce and PKI in the mainstream.
