About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion



  • Add to
Technorati Favorites


  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.

« No more PETs win prizes puns, please | Main | Out of control »

Engineering eID

By Dave Birch posted Jul 28 2008 at 12:55 PM

[Dave Birch] What are differences between the proposed German identity card and the proposed UK identity card? Well, for one thing we already know how the German card will work and what applications it will contain. In fact it will contain three: the ePass application for police and border control, the opt-out eID application for e-business and e-government and the opt-in eSignature application. It has some interesting functions, such as proof of age without disclosing age, and supports end-to-end online security because it has a mutual authentication scheme built in. If someone wants to authenticate you using your card, they have to provide a digital certificate (issued to them by the German government) that contains a map of the attributes (eg, address) that the service provider is allowed to use. Since the card and the service provider thus have an encrypted end-to-end channel, they are immune to man-in-the-middle attacks.

A function I find particularly interesting is the pseudonym function. A service provider can request an identity that is known only to that service provider and the card will generate a pseudonym according to a published algorithm. Since this involves using the service providers public key, service providers cannot know other service providers pseudonyms, a simple means to increase both security and privacy for very little effort. If there is a specification for the U.K.'s identity card that is currently being procured then I haven't seen it, but I'd lay a pound to a penny that it does not include this kind of privacy-enhancing technology (PET) because I have never seen it in any of the management consultants presentations, government strategy documents or discussion forums. What a shame. Why do Germans deserve this kind of security but we Brits don't?

Is this just my bias as an essentially technical person or is the German approach -- to develop technical specifications that include advanced functionality and then procure against them -- better than the U.K. approach of "output-based specification"? The problem with that latter approach is that even as procurement is well under way, no-one seems to know what the scheme is going to do. If you are a U.K. business and you need to plan for a cycle of investment that will include a shift to the use of identity cards, you need some certainty. Suppose you're an ATM manufacturer and you want to offer British banks so kind of ID card function: you're already designing products that will be sold next year and manufactured the year after that for installation the year after. Yet if you phone up the Identity & Passport Service to ask for a specification, you'll get nowhere. This isn't helping.

I hate to keep on repeating the same point, but somehow we are not setting the bar high enough on ID.

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]


TrackBack URL for this entry:

Listed below are links to weblogs that reference Engineering eID:


The comments to this entry are closed.