Bad security engineering kills project
nbohm at ernest.net
Thu Sep 5 16:45:40 BST 2013
On 05/09/2013 14:03, William Heath wrote:
> The suppliers on cross-government ID assurance were announced Monday.
> As I understand it DWP decided some months ago to focus on UC just for
> new claimants first. New claimants have a f2f interview at Job Centres
> anyway, so online ID Assurance took something of a back seat among
> many pressing priorities for them, but remained urgent across HMG.
> That's why GDS is now the lead on it (i.e. GDS took over the contracts
> and the process from DWP).
> In terms of function it might be relevant to look at the draft
> privacy principles for ID assurance. These are still open to
> consultation; the deadline is a couple of weeks away -
If contracts have in fact been concluded with ID providers, it's already
too late to make the privacy principles contractually binding, which
seems a pity.
Contact and PGP key here <http://www.ernest.net/contact/index.htm>
> On 5 September 2013 12:59, Ian Batten <igb at batten.eu.org> wrote:
> NAO report on the Universal Credit car-crash.
> Entertainment, in a rather bleak sense, is available from Figure
> 2, in Appendix 5 on page 50. It sets out the security objectives,
> most of which have not been met.
> The one that jumps off the page is ID Assurance, which you'd have
> thought would be the most critical and challenging part of a
> programme that pays out more than a billion pounds per week.
> Because anything that's rolled out is going to be the de-facto ID
> scheme for citizen-to-government transactions over the next ten
> years, and once started, any programme is very hard to change.
> They don't have anything ready to take to Pathfinder, which means
> that the Pathfinder project can't implement more than a small
> subset of the overall requirement.
> Does anyone know what the candidate technologies are? I've seen
> all sorts of proposals, but nothing beyond the "yeah, we might
> look at" stage.
More information about the ukcrypto