Bad security engineering kills project

Nicholas Bohm nbohm at
Thu Sep 5 16:45:40 BST 2013

On 05/09/2013 14:03, William Heath wrote:
> The suppliers on cross-government ID assurance were announced Monday.
> As I understand it DWP decided some months ago to focus on UC just for
> new claimants first. New claimants have a f2f interview at Job Centres
> anyway, so online ID Assurance took something of a back seat among
> many pressing priorities for them, but remained urgent across HMG.
> That's why GDS is now the lead on it (ie GDS took over the contracts
> and the process from DWP).
> In terms of function it might be relevant to look at the draft
> privacy principles for ID assurance. These are still open to
> consultation; the deadline is a couple of weeks away - 

If contracts have in fact been concluded with ID providers, it's already
too late to make the privacy principles contractually binding, which
seems a pity.

> On 5 September 2013 12:59, Ian Batten <igb at> wrote:
>     NAO report on the Universal Credit car-crash.
>     Entertainment, in a rather bleak sense, is available from Figure
>     2, in Appendix 5 on page 50.  It sets out the security objectives,
>     most of which have not been met.
>     The one that jumps off the page is ID Assurance, which you'd have
>     thought would be the most critical and challenging part of a
>     programme that pays out more than a billion pounds per week.
>     Because anything that's rolled out is going to be the de-facto ID
>     scheme for citizen-to-government transactions over the next ten
>     years, and once started, any programme is very hard to change.
>     They don't have anything ready to take to Pathfinder, which means
>     that the Pathfinder project can't implement more than a small
>     subset of the overall requirement.
>     Does anyone know what the candidate technologies are?  I've seen
>     all sorts of proposals, but nothing beyond the "yeah, we might
>     look at" stage.
>     ian

More information about the ukcrypto mailing list