ID Card Fail
Peter Tomlinson
pwt at iosis.co.uk
Thu Sep 10 09:17:06 BST 2009
Ian Batten wrote:
> On 9 Sep 2009, at 11:50, Nicholas Bohm wrote:
>> http://web.archive.org/web/20070316055603/http://www.hmgpki.gov.uk/rootca.htm
> It's on archive.org because the website has ceased to exist, although
> the certificates linked to from the archive are valid until 2014.
>
> However:
>
> downstairs-imac:Documents igb$ openssl x509 -in HMGRootCA_RSA.crt -inform DER -text -noout
> [...]
>             X509v3 Certificate Policies:
>                 Policy: 1.2.826.0.1316.2.0.1.3.0
>                   User Notice:
>                     Explicit Text: By relying on this HMG PKI
> certificate, you accept the terms and conditions stated in the HMG PKI
> Relying Party Agreement available at
> www.hmgpki.gov.uk/Root/RPAgreement_L3.htm
>                 Policy: 1.2.826.0.1316.2.0.1.2.0
>                   User Notice:
>                     Explicit Text: By relying on this HMG PKI
> certificate, you accept the terms and conditions stated in the HMG PKI
> Relying Party Agreement available at
> www.hmgpki.gov.uk/Root/RPAgreement_L2.htm
>
> Given www.hmgpki.gov.uk doesn't exist any more, what force does that
> statement have?
>
> I presume this has gone into abeyance because the root certificate is
> hard to load into browsers and the government are instead using
> commercial certificates. That's not a bad decision, in many ways, but
> as ever the problem of setting end dates on certificates appropriately
> rears its ugly head. The evil that men do lives on, etc.
A friend writes (after reading a forwarded copy of Nicholas' post about
his request for the govt's public key):
The correspondent has assumed that the UK would follow the German or
French model of a hierarchical root of trust for its PKIs, with single
government root CA.
In the UK in 2003 Entrust Inc was contracted by the eEnvoy for the National
Root Certificate Authority hosted by CESG.
I believe the NRCA underlies many government departments' PKI systems, but
as a non-federated group of CAs. So there is not one public key, but a
whole collection of unrelated keys. One interesting discussion point is
if the current plans for a central National Identity Register are broken
up by a Conservative government, what will replace it. For efficient
government one agency should electronically be able to trust another.
Then in turn citizens' cards like the Local Authority city cards or even
the ENCT [bus pass in England] could be used for 3rd party
authentication (depending on the level of risk). This would fit the
Conservative ethos of authority being less centrally controlled. I
believe Baroness Neville-Jones is looking at these issues.
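As an added illustration of the Certificate Policies extension in Ian Batten's openssl output above (example code written for this page, not code from the thread and not anything published by HMG PKI): a small pure-Python DER encoder and decoder for CertificatePolicies (RFC 5280 section 4.2.1.4) that lists each policy OID with the User Notice or CPS pointer it carries, then pulls out every URL a relying party is being told to read. The DER bytes are constructed here from the quoted text rather than taken from the real HMGRootCA_RSA.crt, and the helper names are this example's own.

```python
"""Minimal DER codec for the X.509 CertificatePolicies extension.
Added example, not code from the ukcrypto thread; the input bytes are
constructed from the notice text quoted in the thread, not the real HMG root."""
import re

ID_QT_CPS = "1.3.6.1.5.5.7.2.1"      # PolicyQualifierId: CPS URI
ID_QT_UNOTICE = "1.3.6.1.5.5.7.2.2"  # PolicyQualifierId: UserNotice
TAG_SEQ, TAG_OID, TAG_UTF8, TAG_BMP = 0x30, 0x06, 0x0C, 0x1E


def _len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body


def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]          # first two arcs share one byte
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:                              # base-128, high bit = continuation
            chunk.insert(0, (p & 0x7F) | 0x80)
            p >>= 7
        out.extend(chunk)
    return _tlv(TAG_OID, bytes(out))


def decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                             # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def _children(buf):
    pos = 0
    while pos < len(buf):
        tag, body, pos = _read_tlv(buf, pos)
        yield tag, body


def encode_certificate_policies(policies):
    """policies: list of (oid, explicit_text) -> DER SEQUENCE OF PolicyInformation."""
    infos = []
    for oid, text in policies:
        body = encode_oid(oid)
        if text is not None:                  # UserNotice { explicitText UTF8String }
            notice = _tlv(TAG_SEQ, _tlv(TAG_UTF8, text.encode("utf-8")))
            qualifier = _tlv(TAG_SEQ, encode_oid(ID_QT_UNOTICE) + notice)
            body += _tlv(TAG_SEQ, qualifier)  # policyQualifiers SEQUENCE OF
        infos.append(_tlv(TAG_SEQ, body))
    return _tlv(TAG_SEQ, b"".join(infos))


def decode_certificate_policies(der):
    tag, body, _ = _read_tlv(der, 0)
    if tag != TAG_SEQ:
        raise ValueError("CertificatePolicies must be a SEQUENCE")
    entries = []
    for _, info in _children(body):
        fields = list(_children(info))
        entry = {"policy": decode_oid(fields[0][1]), "cps": [], "notices": []}
        for _, qinfo in (_children(fields[1][1]) if len(fields) > 1 else []):
            (_, qid), (_, qbody) = list(_children(qinfo))[:2]
            if decode_oid(qid) == ID_QT_CPS:
                entry["cps"].append(qbody.decode("ascii"))
            elif decode_oid(qid) == ID_QT_UNOTICE:
                for ntag, nbody in _children(qbody):
                    if ntag != TAG_SEQ:       # skip noticeRef, keep explicitText
                        enc = "utf-16-be" if ntag == TAG_BMP else "utf-8"
                        entry["notices"].append(nbody.decode(enc))
        entries.append(entry)
    return entries


URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+")


def referenced_urls(entries):
    """Every out-of-band document the certificate tells a relying party to read."""
    return [u for e in entries for t in e["cps"] + e["notices"] for u in URL_RE.findall(t)]


# Constructed input: the two policy OIDs and notice texts from the quoted openssl output.
_NOTICE = ("By relying on this HMG PKI certificate, you accept the terms and "
           "conditions stated in the HMG PKI Relying Party Agreement available "
           "at www.hmgpki.gov.uk/Root/RPAgreement_{}.htm")
HMG_POLICIES = [("1.2.826.0.1316.2.0.1.3.0", _NOTICE.format("L3")),
                ("1.2.826.0.1316.2.0.1.2.0", _NOTICE.format("L2"))]

if __name__ == "__main__":
    entries = decode_certificate_policies(encode_certificate_policies(HMG_POLICIES))
    for e in entries:
        print(e["policy"], "->", e["notices"])
    print("documents to check:", referenced_urls(entries))
```

Against a real certificate you would feed the decoder the extnValue of extension OID 2.5.29.32 instead of the constructed bytes. The point the thread makes is visible in the output: the binding statement lives inside the certificate, but the agreement it binds you to lives on a web server with its own lifetime, so auditing a trust store includes checking that the referenced documents still resolve for as long as the certificate is valid.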