Engineering eID
By Dave Birch, posted Jul 28 2008 at 12:55 PM
What are the differences between the proposed German identity card and the proposed UK identity card? Well, for one thing we already know how the German card will work and what applications it will contain. In fact it will contain three: the ePass application for police and border control, the opt-out eID application for e-business and e-government and the opt-in eSignature application. It has some interesting functions, such as proof of age without disclosing age, and supports end-to-end online security because it has a mutual authentication scheme built in. If someone wants to authenticate you using your card, they have to provide a digital certificate (issued to them by the German government) that contains a map of the attributes (e.g., address) that the service provider is allowed to use. Since the card and the service provider thus have an encrypted end-to-end channel, they are immune to man-in-the-middle attacks.
A function I find particularly interesting is the pseudonym function. A service provider can request an identity that is known only to that service provider and the card will generate a pseudonym according to a published algorithm. Since this involves using the service provider's public key, service providers cannot know other service providers' pseudonyms, a simple means to increase both security and privacy for very little effort. If there is a specification for the U.K.'s identity card that is currently being procured, then I haven't seen it, but I'd lay a pound to a penny that it does not include this kind of privacy-enhancing technology (PET) because I have never seen it in any of the management consultants' presentations, government strategy documents or discussion forums. What a shame. Why do Germans deserve this kind of security but we Brits don't?
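The pseudonym function described above, sketched as an added example (not from the original post and not the German card's published algorithm). It assumes a Diffie-Hellman step between a card secret and the service provider's public key followed by a hash, over a toy group; `keypair`, `pseudonym` and `demo` are hypothetical names.

```python
import hashlib
import secrets

# Toy parameters (assumption, illustration only): integers modulo the prime
# 2**255 - 19 with base 2. A real card would use a standardised group.
P = 2**255 - 19
G = 2

def keypair():
    """Return (secret, public) for a card or a service provider."""
    secret = secrets.randbelow(P - 3) + 2            # range 2 .. P-2
    return secret, pow(G, secret, P)

def pseudonym(card_secret, provider_public):
    """Card side: derive the identifier this one provider will see.

    provider_public is assumed to come from the provider's certificate,
    which the card has already verified.
    """
    # Reject degenerate keys (0, 1, P-1): they would collapse every card
    # onto the same one or two pseudonyms.
    if not 2 <= provider_public <= P - 2:
        raise ValueError("degenerate provider public key")
    shared = pow(provider_public, card_secret, P)    # Diffie-Hellman step
    return hashlib.sha256(shared.to_bytes(32, "big")).hexdigest()

def demo():
    """Constructed scenario: two cards, two providers (shop and bank)."""
    card_a, _ = keypair()
    card_b, _ = keypair()
    _, shop_pub = keypair()
    _, bank_pub = keypair()
    return {
        "a_at_shop": pseudonym(card_a, shop_pub),
        "a_at_shop_again": pseudonym(card_a, shop_pub),
        "a_at_bank": pseudonym(card_a, bank_pub),
        "b_at_shop": pseudonym(card_b, shop_pub),
    }

if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:16} {value[:16]}...")
```

The same card returns a stable identifier to the shop on every visit, while the bank sees an unrelated value, so the two providers cannot match their customer records by comparing pseudonyms.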
Is this just my bias as an essentially technical person or is the German approach -- to develop technical specifications that include advanced functionality and then procure against them -- better than the U.K. approach of "output-based specification"? The problem with that latter approach is that even as procurement is well under way, no-one seems to know what the scheme is going to do. If you are a U.K. business and you need to plan for a cycle of investment that will include a shift to the use of identity cards, you need some certainty. Suppose you're an ATM manufacturer and you want to offer British banks some kind of ID card function: you're already designing products that will be sold next year and manufactured the year after that for installation the year after. Yet if you phone up the Identity & Passport Service to ask for a specification, you'll get nowhere. This isn't helping.
I hate to keep on repeating the same point, but somehow we are not setting the bar high enough on ID.
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public