Management of signature keys for government

davidh@spidacom.co.uk davidh at spidacom.co.uk
Tue, 3 Mar 1998 07:08:18 +0000 

On  2 Mar 98 at 14:19, Brian Gladman wrote in two messages:

>I have not made up my mind yet whether voluntary electronic
>identity cards are a good or bad thing and I would certainly like to
>know whether they are technically feasible in a form that is safe 
>From a citizen's perspective.

It might be that different citizens have different perceptions of 
what "safe" is. Would it be possible for an individual citizen to 
object I wonder, or would the tyrany of the (possibly poorly 
informed) prevail?

It seems possible to whip up a storm to do with terrorists and child 
pornography to persuade the masses that we should all have an 
electronic identity card for "security" reasons, perhaps a "smart" 
card implanted at birth (or even before birth as we can't trust those 
doctors).

I have heard from bankers of people who refuse to use bank plastic
cards because they distrust the systems banks employ. No doubt 
someone here could expand on this. These people have the right to 
give up the convenience of the card for what they regard as the 
greater security of traditional methods.

Would the same facility not to use a government issued plastic card 
exist I wonder?

> However, irrespective of whether on or off card key generation is
> employed, it is vital that the processes leading to the generation
> of signature key pairs for an identity or signature card are subject
> to some form of publicly accountable and demonstrably independent
> expert scrutiny of their design, their implementation and their
> operation.

I agree, but industry and governmnet does not have a good track
record in this. Netscape and Microsoft are two examples of computer 
companies who have found out the hard way that external scrutiny of 
security software is advisable. The banks have yet to learn this 
lesson and think that they must keep their methods secret. The same 
is true of the government, for example the Red Herring proposal for 
the NHS with its "nanny knows best" algorithm.




 David Hansen | davidh@spidacom.co.uk   | PGP email preferred
 Edinburgh    |  CI$ number 100024,3247 | key number 6AC0AC7D