Authenticating the Queen’s subjects
I’m just back from attending eGovernment 2008 in Canberra. For me, the big draw was an opportunity to attend a three hour workshop focussed on the UK’s Government Gateway. I sure wasn’t disappointed- the insights into the Government Gateway were quite an eye opener.
Attending the conference also led me to reflect on how online authentication is working for the Queen’s subjects in the UK, Australia, and New Zealand. It’s quite fascinating how each of them reflect diverse approaches and are also very much a product of their times.
First, Australia. Still very PKI focussed, as in standard X.509 certs in the user’s computer. There are some good intentions from the federal policy body AGIMO (Australian Government Information Management Office) to move on to solutions that work for people (not computers) but the mindset of the average government official is definitely digital certs.
A good example of this focus is the success of VANguard. VANguard’s authentication service is probably best described as an authentication broker whose main function is to allow for interoperability of digital certs issued by various CAs. This is a good step so that businesses (it’s mostly business-focussed) can use the same digital cert with multiple RPs. It’s a back-end hub so that various front-ends and portals, such as bizgate in South Australia, can draw on its functionality. Still, it has all the limitations inherent in the old PKI designs.
It’ll be interesting to see how AGIMO’s proposed National e-Authentication Framework will differ from their existing AGAF (Australian Government e-Authentication Framework) which is separate for businesses and individuals.
Back to the UK’s Government Gateway. From the outside, so much of the focus has been on the UK’s plans for a national identity card that people, including me, can’t distinguish the good stuff they have done and are continuing to do in the online authentication space from the bad. Jim Purves, Head of Product Strategy in the Cabinet Office gave terrific insights into the chequered history of the Gateway as well as plans going forward.
The Gateway is very privacy-protective, very focussed on providing authentication and SSO for the UK Government’s online services. They are introducing SAML 2 soon but that also has the downside of continued support for all the current protocols. They’ve had some significant funding challenges in the past but now have “strategic investors” from within government so the future is bright. Trust and confidence in the Gateway is at an all-time high.
Purely speculative on my part but I think they’ve got a big cloud on the horizon- when the national identity card folks come calling. That could potentially lead to a fundamental change in approach. That’s the unfortunate steamrolling impact of the national identity card. Also interesting how they handle pan-European interoperability but, with a strong Liberty Alliance foundation, I imagine they are well placed to handle that.
So, how does NZ stack up? The proper comparison is with the GLS or Government Logon Service (which will be re-branded igovt later this year). There’s no doubt that the GLS is the most privacy-protective of the lot and has all the right moving bits.
But, there is clearly one area that the GLS should look at- adding a web services (ID-WSF) capability in addition to the current browser re-direct (ID-FF). That will provide many new opportunities off the same infrastructure, such as acting as an authenticating receiver for XML messages. The UK’s Government Gateway currently does that for all electronic tax filings direct from standard tax and accounting packages.
All in all, interesting times and much thinking…