ID card rollout begins
Ian Batten
ukcrypto at chiark.greenend.org.uk
Fri, 26 Sep 2008 15:47:04 +0100

On 26 Sep 08, at 1454, Charles Lindsey wrote:
> On Thu, 25 Sep 2008 22:55:09 +0100, Ian Batten <igb@batten.eu.org>
> wrote:
>
>>> I would imagine that "appearing to relate" will in future include
>>> checking the biometrics.
>>
>> I'd be stunned if it did.
>>
>> Firstly, what does `checking the biometrics' mean? `Checking'
>> photographs falls into the `appears to relate' category: it's
>> entirely subjective. ``Yeah, it looked like him, but maybe it was
>> a bit dark in the room''. If the government cares to underwrite
>> providing fingerprint readers to every employer in the country, let
>> them try, but I suspect the multi-billion pound bill may prove a
>> little rich for their appetite.
>
> Seeing the photograph blown up onto a decent-sized screen would be a
> good start, as would checking that any public signature key used was
> known to belong to a trusted issuing authority.

Why would I want to do that? The current legal test is ``appears to
relate''. The current process is that someone idly glances at a
passport and checks the photograph is vaguely right. They have no way
to check the validity of UK passports, still less non-UK or non-
European passports, and there is no expectation in legislation that
they will. In Ross's hierarchy of document examination, this is
clearly level one.

On the one hand, in another thread you're complaining about my burdening
you with a few hundred K of HTML, while PeteM is complaining that he can't
read Home Office documents with elderly versions of Acrobat running on
(from context) a ten year old machine.

On the other, you're proposing that unincorporated partnerships
employing temporary staff (eg, two blokes running a plumbing business
looking to employ someone to answer the phone while they're out
a-plumbing) should equip themselves with a large screen and the means to
check public key signatures on smart-card ID documents? And the
skills to perform the photograph / face comparison, too. I thought
you were against transferring the burden?

And (ob.crypto!) just how are we proposing a high-integrity check on
the public signature key belonging to a trusted issuing authority? I
hand you a Latvian passport, which is definitely a prescribed document
for working in the UK. How would you --- and, moreover, how would the
aforementioned two blokes wanting to get on with doing some plumbing
--- verify the public signing key is valid?

ian