Bad security engineering kills project

Nicholas Bohm nbohm at ernest.net
Thu Sep 5 16:45:40 BST 2013


On 05/09/2013 14:03, William Heath wrote:
> The suppliers on cross-government ID assurance were announced Monday
> http://digital.cabinetoffice.gov.uk/2013/09/03/identity-assurance-first-delivery-contracts-signed/
>
> As I understand it DWP decided some months ago to focus on UC just for
> new claimants first. New claimants have a f2f interview at Job Centres
> anyway, so online ID Assurance took something of a back seat among
> many pressing priorities for them, but remained urgent across HMG.
> That's why GDS is now the lead on it (i.e. GDS took over the contracts
> and the process from DWP).
>
> In terms of function it might be relevant to look at the draft
> privacy principles for ID assurance. These are still open to
> consultation; the deadline is a couple of weeks away - 
> http://digital.cabinetoffice.gov.uk/?s=ID+assurance+privacy+principles

If contracts have in fact been concluded with ID providers, it's already
too late to make the privacy principles contractually binding, which
seems a pity.

Nick
-- 
Contact and PGP key here <http://www.ernest.net/contact/index.htm>



>
> On 5 September 2013 12:59, Ian Batten <igb at batten.eu.org> wrote:
>
>     NAO report on the Universal Credit car-crash.
>
>     http://www.nao.org.uk/wp-content/uploads/2014/09/Full-Report.pdf
>
>     Entertainment, in a rather bleak sense, is available from Figure
>     2, in Appendix 5 on page 50.  It sets out the security objectives,
>     most of which have not been met.
>
>     The one that jumps off the page is ID Assurance, which you'd have
>     thought would be the most critical and challenging part of a
>     programme that pays out more than a billion pounds per week.
>      Because anything that's rolled out is going to be the de-facto ID
>     scheme for citizen-to-government transactions over the next ten
>     years, and once started, any programme is very hard to change.
>      They don't have anything ready to take to Pathfinder, which means
>     that the Pathfinder project can't implement more than a small
>     subset of the overall requirement.
>
>     Does anyone know what the candidate technologies are?  I've seen
>     all sorts of proposals, but nothing beyond the "yeah, we might
>     look at" stage.
>
>     ian
>
>



