ID Card Fail

Peter Tomlinson pwt at iosis.co.uk
Sun Aug 9 06:55:46 BST 2009 

Tony Naggs wrote:
> 2009/8/8 Benjamin Donnachie <benjamin at py-soft.co.uk>:
>   
>> It's fairly easily to read these devices, it'sfairly easy to write
>> data in a similar structure to another.  But I am not convinced that
>> the latter would pass any official verification.
>>
>> Surely this list understands the principles of digital signatures?
>> Public/private keys?  Sign data with your private key and everyone
>> with the public key can verify it?
>>
>> Yes the card they designed worked with some software they downloaded
>> from the Internet, but by their own admission it was not an official
>> reader and did not have the Government's public key.
>>     
> Any number of digital signatures could be added to the card, but the
> Home Office has not yet distributed any card readers that do such a
> check[1]:
>     "Initially, organisations will be able to use the card to check
>     the holder's details visually. Over time, they will also be able
>     to use a card reader to check that the details held on the
>     card are authentic and valid."
>
> To my knowledge the Home Office have not yet contracted a supplier to
> provide such readers, and The Register /and www.kable.co.uk have been
> reporting on such contracts as they are issued.
>
> 1. http://www.direct.gov.uk/en/Governmentcitizensandrights/Identitycards/DG_174258
A week ago in the 'Who will accept ID cards?' thread, I wrote a little 
about the 2004/5 discussions at Cabinet Office eGU WGs and one-on-one 
Whitehall Dept discussions with HO. Govt depts had been 'encouraged' to 
study how they would use the ID cards, and they wanted on-line access to 
the verification service, by way of connections from their own systems - 
they expected to deploy their own terminals. At the time there was on an 
HO web site a system architecture diagram with a comms port in the 
bottom left hand corner, for connection to trusted third parties - that 
diagram soon disappeared. Some of us thought that the intention was to 
allow organisations such as credit reference agencies to connect up, but 
of course govt depts such as DWP and DoH wanted to connect. They never 
got any answer to the questions about how this port would work, because 
of course no detail design had been done to support that architecture 
diagram - yet across Europe there was a growing consensus on what an eID 
card would contain (including X25 digital cert), and the ICAO passport 
work was under way (not an eID design). But here in the UK we were 
dealing enturely with non-technical people who in turn had contracted 
with non-technical consultants.

There was also a paper from a business consultancy, analysing the stated 
costs of the project. The introduction to that paper contained a 
disclaimer that the writers had to assume that the system architecture 
was robust, and that the cost estimate for building the system was 
valid. No wonder LSE got to work on doing their own estimates of cost of 
the overall project.

Peter

More information about the ukcrypto mailing list