Entitlement and numbers [Re: Banking under Enduring Power of
Attorney]
Peter Tomlinson
ukcrypto at chiark.greenend.org.uk
Fri, 10 Apr 2009 10:28:28 +0100
Roland Perry wrote:
> In article <49DE566D.7050705@defoam.net>, Adrian Midgley
> <amidgley2@defoam.net> writes
>
>> Standing in Laura Ashley recently I fell to thinking about the ideas of
>> a national identity card and Laura Ashley's corporate storecard account
>> discount system.
>>
>> It occurred to me that I had never heard the national ID card presented
>> as offering any service I actually wanted or which anyone I could see
>> wanted or would benefit from - it was all something we were to do for
>> someone else's benefit.
>>
>> And yet, if we have a good token of identity, why should not Laura
>> Ashley instead of issuing a card which one's spouse could leave along
>> with a collection of other cards and tokens of entitlement at home,
>> instead make a note that the holder of ID card number 1 million and 97
>> was a member of their scheme and points should accrue and bills be sent
>> etc etc.
>>
>> And so on ...
>>
>
> The original plans for a National ID card (about 10 years ago) were to
> hitch a ride on commercial cards, like the Laura Ashley one. The
> proposition was that "if Laura Ashley believe who you are, so will HMG".
> They waited for such a card to emerge and become a market leader. And
> they waited, and waited...
>
>> Thus given an effective national ID card, one should be able to walk out
>> of the house wearing and carrying essentially nothing, except for the ID
>> card, enter a series of shops in which one had an account and
>> demonstrating identity by this one card acquire layers of clothing, lunch
>> and a ticket home and find prices diminished by some tiny fraction due
>> to the reduction in costs to the sellers.
>>
> Isn't that what a Credit Card is?
>
>> But it doesn't seem to have been sold on that basis. If indeed it has
>> been sold.
>>
> There were noises earlier this week, about adding ChipnPin to the ID
> card. http://news.bbc.co.uk/1/hi/uk/7986618.stm which seems to be a
> step in the direction you suggest.
>
> "if [the financial services industry] come forward with a
> compelling view of the rationale for chip-and-pin for [ID
> cards], that's definitely something we'll take extremely
> seriously."
>
> I wonder what their normal uptake is on compelling ideas - although it's
> not clear whether such a card could be used to buy things, rather than
> piggyback its ChipnPin verification on an existing commercial system
> (sounding familiar yet??)
>
> Of course, the main drawback of these piggy-back schemes is that if the
> citizen falls out with the particular commercial supplier, he also loses
> his "ID" - until he imports a different commercial supplier's mantle,
> and re-issuing ID cards isn't likely to be either quick or cheap.
>
The long term difference between our ID Card project and those of some 8
or more other EU countries is that we have no intent or plans to issue
an eID card, i.e. one carrying a digital certificate linked to a
national PKI. We concentrated for a long time only on face to face use
of the card, but have now been drawn in to the STORK Project that is the
current stage of trying to move towards a pan-European identity document
- DWP is doing the work, although IPS is the official partner. We here
have been given a STORK work package to look at Chip and PIN for eID
(which probably learns from the military project for C&P to be used by
UK and USA military and their suppliers in a secure linkup between the
parties - associated with equipment development, I believe). There is
material on the Porvoo14 web site:
http://porvoo14.dvla.gov.uk/documents.html [1].
More recently (but I can't lay my hand on the reference) I have heard
that the EC is now recognising that interoperability of eID cards across
Europe is actually very difficult - which is what a group of us found
during eEurope Smart Cards back in 2003 [2]. My feeling is that C&P
doesn't scale at all well, and (as the EU has found and the USA govt is
wrestling with in PIV) to scale across multiple linked PKIs needs a
great deal of work to harmonise security policies and processes.
Equally, I have heard that those countries that have issued eID cards
have not found them used much on-line, so one can argue that the
cost-benefit calculation favours the UK's simple system - except that we
don't have any rollout programme for the necessary dedicated terminals
to enable electronic verification of ID rather than using the Call
Centre. Maybe C&P is seen by some here as the way to use the existing
terminal network - needs a lot of discussion, doesn't it? (But 'We have
to walk before we can run' is a view expressed by someone in govt here
when asked why we don't do PKI eID.)
Peter
[1] includes David Longhurst of MoD, Jim Purves of Govt Gateway in DWP
(slide 12 shows UK in STORK doing "User ID and Password Soft
Certificates"), a totally minimal bit from Stuart MacDonald of IPS, and
then Join Steinen of EC on the big picture
[2] http://www.iosis.org.uk/, click on eESC 2003, click on OSCIE link,
click on Documents and read Vol 3 on IAS - I have hosted the material
from the published CD because the EC stopped the funding for the project
web site and it closed down.