|Newcomers and returning visitors, please note that you are welcome to talk to the hermit using this new invention, email.||
The voluntary alternative
to material ID cards
A Proposal by David Moss
of Business Consultancy Services Ltd (BCSL)
For four years the government advocated biometric passports and ID cards on the confused basis that biometrics make them secure. In fact "security", these days, is synonymous with "PKI", the public key infrastructure, and is quite independent of biometrics. Without PKI, our biometric passports and ID cards would be forgeable, untrusted and an expensive waste of money.
It took a long time but, finally, in December 2006, the government confirmed that they would implement PKI in the ID cards scheme.
Will it be implemented properly? The early signs are not encouraging.
PKI was invented by GCHQ over 30 years ago and they stipulate the criteria for measuring how properly it has been implemented. These criteria include authentication, confidentiality, integrity and availability.
The government's implementation of PKI for biometric passports and the ID cards scheme looks like failing the authentication and confidentiality tests:
The integrity criterion of PKI is undermined by the fact that the ID cards scheme is based on smart cards. It would be more secure to base the scheme on mobile phones.
And the PKI requirement of availability is undermined by the government's track record with computer systems. The national fingerprint database, for example, has in the past been inaccessible to police forces for a week at a time. And there are examples of medical systems failing, of doctors being unable to see your X-rays when they need to treat you. If ID cards become important, what will happen when the computer system is not available?
All of which makes the government's idea of selling our personal data to selected organisations – to insert itself thereby into the nation's payments systems – unattractive.
According to the Identity and Passport Service (IPS) strategic action plan published in December 2006:
"We will also maintain the high levels of customer service achieved over recent years – for the third year in a row, IPS topped the independent Comparisat Customer Satisfaction survey, ahead of organisations such as Amazon, Asda, eBay, Marks and Spencer, and Tesco" (para.52)
More proof, if it was needed, that popularity does not imply reliability.
What applies to passports applies equally to other secure documents or, to be more precise, to other documents that are meant to be secure. Passports are chosen only as an example. In particular, these problems would apply to ID cards as well.
Biometrics are meant to identify people. The biometrics chosen for our new passports in the UK and for our proposed ID cards will only identify about 80% of people. They are not universal. That is one problem, which has already been covered in the biometrics section of this proposal.
The way to get secure documents is to use PKI, the public key infrastructure. None of the articles offered as evidence refer to PKI. Where they mention security at all, they all confuse it with biometrics.
The International Civil Aviation Organization (ICAO), the people responsible for the format of passports, are perfectly clear on the matter. They say that there is no point recording biometrics on passports if they can be changed by forgers. They recommend that the established technology of PKI should be used to authenticate the biometrics:
"Unless data recorded, such as biometric and identity ... data on contactless chip media, can be self-authenticating through the use of PKI Digital Signatures, these initiatives are exposed to fraud and counterfeit" (para.2.7).
There it is. You need PKI to protect biometrics from forgery. Security and identification are not the same thing. You need one to protect the other. They are two different things.
It was developed by the UK Government Communications Headquarters (GCHQ) between 1969 and 1975 and independently in the US. It is a cocktail of procedures and encryption techniques used every day by governments, the military, the security services, academic institutions, businesses – including the mobile phone network operators – and secure websites (SSL/https), among others, to authenticate whatever needs to be authenticated.
The revolutionary element of PKI is that the key required to encrypt a message can be published, it is a public key. You can use my public key to encrypt a message and send it to me, secure in the knowledge that only I can read it, because only I have the private key needed to decrypt it.
That is what BCSL means by the phrase "secure document". A secure document is one which can be authenticated in this way. The sender is authenticated. The recipient is authenticated. And the message received is the message that was sent.
The government sometimes seem to suggest that biometric passports and the ID cards scheme involve secure documents which have never been seen before. The use of digitised biometrics is an innovation. Granted. But biometrics are identifiers, not security devices.
The use of encryption to support secure communications, far from being new, goes back at least to the the fifth century BC (see, for example, Simon Singh's The Code Book).
For the past 35 years or so, "security" has become synonymous with "PKI".
The stock in trade of PKI is the digital certificate. There is nothing new about issuing and using digital certificates. Two examples:
If all the personal computers in the world 260 million were put to work on a single PGP-encrypted message, it would still take an estimated 12 million times the age of the universe, on average, to break a single message (PGP Desktop Security), p.246.
Given that the universe is about 15 billion years old, that implies that it would take about 180 million billion years to decrypt a message.
The mathematics of PKI is hard for most of us to grasp. The attempt may be made to explain it to those who are interested but all that is needed in general is to promote the same attitude to PKI as we already have to DNA. Very few people understand how it works but most people believe that it exists and that it does its job.
"No card based chip has yet proved to be completely unable to be broken open if you are prepared to apply sufficient resources to it. Although you may have to wreck a few chips in the process, once you have actually determined how to break the encryption on the chip and you can understand the workings you can make your own" (Q.394)
As an example of what Professor Thomas has in mind, consider the set-top boxes we attach to our TVs to receive satellite and cable TV programmes. They have a card in them to authenticate the user as a bona fide customer of BSkyB, for example, or NTL. There used to be a grubby market in illegitimate cards, which allowed people to receive these programmes without paying.
Without PKI, or if PKI were not implemented properly, there would be the same market in forged biometric passports and ID cards.
The universe is roughly 14bn years old. 260m computers working for 12m times the age of the universe is therefore about 16,000 million million million million computer-days. If that is how long it would take investigators to read one properly encrypted document, then 28 days or 90 days are, clearly, neither here nor there.
As Professor Ross Anderson told the Home Affairs Committee, encryption tools are generally either good or useless and "if they are good, you either guess the password or give up".
"Q625 Mr Cameron: That is really what I am saying. If you have to have a work permit, is not the problem that we are not checking enough people's work permits? Have you done any analysis of the enormous costs of an ID card system against a modest investment in more people checking whether people have a work permit?
Mr Blunkett: I do not believe we are talking about an enormous cost, I think we are talking about a steady state of around 200 million a year. The accumulated 13 years' roll-up of everything obviously frightens people to death and, in retrospect, perhaps that figure has misled people. In my view, the actual steady state is a very reasonable way, taken alongside biometric passports, because let me make it clear that I would not be advocating this if it were not that we were going to have to engage for international travel with biometric identifiers in passports and visas to ensure that those documents are secure and, therefore, be able to run the ID card and the secure register alongside that aspect which in itself will be the expense that has to be incurred by us whether we go for ID cards or not."
To paraphrase, Mr Blunkett was saying that it is the biometrics in passports and visas which ensure that those documents are secure.
Which is the ICAO's point. The biometrics in a passport or an ID card are meant to identify people. They are not a security device, they are a (putative) identification device. If they can be changed without detection, then passports and ID cards can be forged, they are not secure documents. In order to make them secure, we need to implement PKI. Only with PKI can we know that the biometrics are authentic.
Biometric uniqueness could not make an ID card secure against forgery. A forger could overwrite Person As unique biometric with Person Bs unique biometric. The biometric would still be unique but the ID card would now be a forgery. PKI is needed to protect against this sort of forgery and that is why the ICAO recommend it.
The UK is unique in not discussing the central importance of PKI. BCSL raised the issue of PKI with the Home Office in an email dated 31 January 2003. We were told, in a subsequent telephone call to the Home Office, that the British public is not ready for PKI. Other countries find it appropriate to mention PKI. eESC, the eEurope Smart Card forum, list 13 EU countries (para.2.2) publicly considering the implementation of PKI. Surely the British public cannot be so exceptionally different.
That was in 2003. A year later the Home Secretary was still confused, as noted, about how to make biometric passports and ID cards secure. The confusion seems to have persisted for at least another two years. The Section 37 cost report on the ID cards project published by the Home Office in October 2006 states:
"Ultimately this will ensure that everyone* who has been given permission to enter the UK, those allowed to remain for more than a specified period (likely to be 3 months [but, as it turns out, six months]), and those claiming asylum can be identified securely using their biometrics" (p.4).
"Each person* registered will have a quick and secure way of proving who they are whenever needed, for example via a quick online match of their ID Card and biometrics" (p.6).
"The great benefit of the biometric card is that it is more resistant to forgery than predecessor technologies. The ID Card will be much more secure than documents currently requested by financial service providers as proof of identity" (p.6).
"Biometric cards will provide a secure means for foreign nationals* to prove their identity to the same level of assurance as UK nationals. This will help, for example, legitimate employers verify a foreign national’s entitlement to work and help prevent abuse of our public services by those not entitled to use them" (p.9).
"Each person’s* identity will be secured by the registering of a number of biometric identifiers, such as fingerprints and facial or iris images" (p.12).
* each of these references should be to 80% of people, of course, the biometrics chosen for the passport and ID card schemes are not reliable enough to verify everyone's identity.
Never mind the British public, it is not obvious that the Home Office themselves are ready for PKI. Perhaps it is their confusion, about the quite different rôles of PKI and biometrics, that explains why we have yet to see a single UK bank say that they will accept a government ID card as proof of identity.
It is not just BCSL who have raised the issue with the Home Office. So have Microsoft: "the proposal to place biometrics ... on a central database could perpetuate the very problem the system was intended to prevent". And so have Cambridge Algorithmica, for example, in their written evidence submitted to the Home Affairs Committee:
"Encryption vulnerabilities It is assumed that data stored on the ID Card would be encrypted, using a trapdoor encryption algorithm ... Otherwise, biometric templates could be substituted easily".
It would not hurt for the Home Office to confirm that they intend to use PKI. That is the whole point. You can make your use of PKI public without impugning its effectiveness. So, are they going to use PKI or arent they? Will these cards be secured by PKI? We need to know the answer.
Until 19 December 2006, when the Strategic Action Plan for the National Identity Scheme was published, the best we could do was to say that it is unlikely that the government should be so ignorant as to try to introduce an ID voucher scheme without using PKI. If they are, that would be a major scoop.
The length of stay for non-EEA* nationals visiting the UK before they have to apply for an ID card/record their biometrics has been doubled from three months to six months (para.59). There is no explanation for this move, which would make ID cards even less universal and, thus, even less useful.
* EEA = EU + Iceland + Liechtenstein + Norway
The plan continues to advocate the use of facial geometry as a biometric (para.2, fig.2, para.53, para.55). Acording to the evidence, that is a mistake. Facial geometry is useless.
And it continues to confuse popularity and pervasiveness with reliability. IPS may be popular (para.52). That does not make biometrics reliable. Nor would it make their passports and ID cards secure. Other countries may be deploying biometrics (Foreword, Executive Summary, para.22, para.63). That does not make biometrics reliable. Nor would it make their passports and ID cards secure. Just because they are wasting their money on schemes that cannot work is no reason for the UK to follow suit.
It continues to advocate the use of biometrics as a universal method of identification:
"We are also committed to meeting European and international initiatives to make passports ever more secure, including the use of fingerprint biometrics" (para.63)
"Over time, we will be able to link people to a single identity across our systems using biometrics" (para.92).
According to the evidence, that is false, it is only possible for a maximum of 80% of the population to have their identity verified by reference to their biometrics.
The plan refers to "small percentages of what are known as 'false matches' or 'false non-matches' ..." (para.50):
The plan continues to confuse identification with security: "We are also committed to meeting European and worldwide initiatives to make passports ever more secure, including the use of fingerprint biometrics" (p.4).
But, in between all these business as usual mistakes, the plan acknowledges, for the first time, the notion of personal details being "electronically signed" (para.11) and it shows PKI as an element of the National Identity Register (fig.2, fig.3, para.15).
So, the UK biometric passport and ID card schemes will use PKI.
The paradigm works well for other applications, too:
And when it comes to ID cards, the message, that the bearer is who he says he is, and here are his fingercopies to prove it, would be sent not only to passport control people but also to:
One spy sending a message to another spy can be confident that the recipient has been vetted.
The microchip plant manager and his or her boss in the example above are both known to Intel.
Banks take a lot of care, through the know-your customer scheme (KYC), to make sure that they know who they are issuing credit cards to, and which merchants, such as Amazon, they authorise to take credit card payments.
By contrast, and this is where the paradigm is being stretched, IPS can have no idea who might be operating passport control at Catania airport, for example, and they cannot possibly vet every off licence in the country.
"The Identity Cards Act 2006 allows for certain NIR [National Identity Register] information to be provided, with a person’s consent, to an accredited organisation, for example a bank. This could be to confirm an ID cardholder’s identity when opening a new account. This may include information such as their address, which is not shown on the face of the card. IPS will be responsible for accrediting all such organisations to ensure they and their staff do not misuse these services. IPS will also put in place rigorous security controls so that only accredited organisations can use such services and only in the way intended" (para.42).
The dematerialised ID proposal sent to the Home Office in May 2003 includes a number of examples of how to use PKI with ID cards (para.6.2). These examples have been reviewed by academics both in the UK and abroad. A further example was added in September 2005 and circulated to a number of organisations, including the Home Office. In each case, the right of the person checking your identity to do so has to be established before the check can take place. The person is authenticated. This is how to use PKI properly.
IPS may or may not exert "rigorous security controls" over accredited organisations making identity checks online to the NIR. But what about offline checks? What control do IPS have over a supermarket checking your age by reading your ID card? None.
IPS are promising, in the quotation above, to control access to the NIR. They are not promising to control access to the personal data stored on your biometric passport or your ID card.
Not only have IPS not confirmed the identity of the checker. They do not even know that the check has taken place. This cannot possibly meet the requirements of CESG's authentication principle.
There have been newspaper articles in Wired magazine and in The Guardian newspaper showing that anyone with the right equipment can read the contents of a biometric passport, including a digital photograph of the bearer. The same story has been the subject of a TV documentary. We have all seen with our own eyes that there is no need to be accredited to read this data. No form of authentication takes place.
If fingerprints are added to biometric passports, perhaps they, too, will be accessible to anyone with the right equipment. The same biometrics would be stored on ID cards. Non-accredited people will be able to read these biometrics, which are a sub-set of what is stored on the NIR (para.22, para.65). So, in a way, non-accredited people are reading the NIR.
IPS may say that you have given your permission for the supermarket and the airport to perform these checks. That is not a convincing counter-argument. You have no choice but to give your permission.
It transpires from these media stories that the UK's new biometric passports include an RFID tag. That is one step on the way to making it possible for anyone to read data from your passport without authentication and without you even knowing it, let alone having given your permission. It hasn't happened yet, but we are one step closer. Why take the risk? Why include the RFID tag? No explanation has been given.
With a proper implementation of PKI, such as in dematerialised ID, there would be no offline identity checks. All checks would be authenticated. We have the wherewithal, with four mobile phone networks, to undertake all identity checks online to the NIR. That would ensure that only those who are properly authorised to do so could check our identities.
The biometrics in BCSL's PKI examples are all encrypted. Only authorised persons would be able to decrypt them. By contrast, the TV documentary referred to above revealed that the biometrics on our new passports are not encrypted. They can't be if you want to support the use of offline identity checks where would the non-accredited checkers get the key from to decrypt the biometrics? That is the surprising consequence of this particular implementation of PKI they're not even encrypting the message.
There are no doubts about the advisability of offline identity checks:
There is only one conclusion possible. There should be no offline identity checks.
Offline identity checks make a nonsense of the authentication principle of PKI.
The facility to perform offline identity checks should not be an objective of the biometric passport and ID card schemes.
IPS's objective should rather be to make offline checks impossible.
That applies to IPS and to all the agencies in other countries involved in the deployment of OSCIE-type ID voucher schemes.
The design of an appropriate ID voucher scheme follows simply. Set up a national network of fingercopy readers attached online to the NIR and then, whenever someone needs to prove their identity, all they need is their fingers.
There is no need for a card.
So how did cards insinuate themselves into the design? The only reason cards are needed is for offline identity checks, and offline identity checks are heavily contra-indicated.
It is the offline identity checks that we have to blame for the expensive and otherwise unnecessary introduction of ID cards.
CESG's confidentiality principle is concerned with "keeping information private". Your biometrics, stored on a passport or an ID card, cannot be read by a human being. They can only be read by a computer. And once they have been read, there is nothing to stop the computer from storing them, together with your name, your passport number, your ID card number, your PIN, your password and any other data, your date of birth, perhaps your address, and so on.
The effect is that you will be leaving your personal details behind, all neatly parcelled up and formatted according to published, international standards, at your expense, wherever you go, wherever you have your identity checked. These details will be stored all over the country and all over the world.
How many people realise this? It will be a big surprise to most people.
"To ensure confidentiality the central register check would simply confirm ‘yes’ or ‘no’ whether the details were correct ..." (para.5.29)
"The authentication service would have limited access to the central register. It would not have access to or be able to reveal any of the information stored on the central register, but it could give a ‘yes’ or ‘no’ answer to questions ..." (para.71, Annex 4)
"... the central register would simply confirm whether or not there was a match and the authentication service would merely pass on this ‘yes’ or ‘no’ to the person making the enquiry ..." (para.72, Annex 4, see also para.74 and para.77)
If the NIR responds with "yes", it confirms that something about you is the case. It does not "ensure confidentiality".
Again, IPS may be able to exert some control over what happens with this data in the case of accredited organisations making online identity checks. It would be impolite to suggest otherwise. But they can have no control over offline checks.
Offline checks make just as much of a nonsense of the confidentiality principle of PKI as they do of the authentication principle. IPS are offering confidentiality which they cannot possibly deliver.
This data, by the government's own admission indeed, this is the unique selling point of the biometric passport and ID card schemes is supposed to be the most fundamental data possible, required to identify you.
For the moment, luckily, while the only biometric on a UK passport is based on facial geometry, no harm is done, apart from taxpayers' money being wasted. Biometrics based on facial geometry are useless.
In future, if fingercopies are added to biometric passports and ID cards, 20% of people will still be lucky. They cannot be identified by their fingercopies. But 80% of people will not be so lucky.
This data is not like a password. You can change a password. It is not like a credit card. You can always get a new credit card. It is your biometrics. You cannot change your biometrics. You only get one chance.
It is hard to see how this could possibly meet CESG's confidentiality requirements.
The two paradigms have crashed into each other. 80% of people will be revealing fundamental data about themselves to all and sundry and leaving perfect copies of it all over the place.
BCSL has compiled a list of 45 media stories about ID theft. Between them, they amount to a useful primer on the subject. It will be clear from the primer that there are genuine and widespread risks involved in leaving your identity data behind you wherever you go. This is not a theoretical problem which may never occur. It occurs all day every day and now, quite unnecessarily, we are being asked to increase the risk.
At the moment, ID thieves have to hope that a bank will leave its records in the street to get information about you. Or they have to go through your rubbish, or go to India, or hack into the JobCentre or Network Rail personnel databases, or go to an underpass in Bradford, or bribe a postman.
In future, in addition to all these sources, they will also be able to get your personal details from crooked members of the Registrar's Dept in hospitals, GP surgeries, schools and universities, or from crooked database managers at airports, pubs, off licences, tobacconists, supermarkets, banks, insurance companies, police stations, law courts, prisons, and so on. The job is being made easier for them by the biometric passport and ID card schemes.
The banks have got the rate of plastic card fraud down from 0.33% of turnover in 1991 to just 0.15% in 2005. The incidence of plastic card fraud is low and getting lower thanks to the hard work done by the banks. If anything, the biometric passport and ID card schemes are likely to reverse that trend and undo all that good work.
What, then, is the government's stance on confidentiality? They are considering whether it might be appropriate to make money by selling the personal data they require us by law to give them in confidence
In view of the points made above, to do with authentication and confidentiality, the question arises why IPS should bother with an accreditation system at all.
Several answers suggest themselves.
One of them is that enquiry information is useful. If a company which operates in the leisure, tourism, hotel and catering sectors makes few identity check enquiries, then they are probably not being very careful to employ only people who are legally entitled to work in the UK.
Another suggested answer is that it makes it possible for IPS to charge for fielding enquiries. Will they charge? They may well do. Accreditation will not help to keep our personal data confidential, as we have seen, but it could make it easier for the government to charge people for performing identity checks.
Will they use people's personal data as a revenue stream? They may do. And not just by charging for enquiries. According to the Home Office's Section 37 cost report:
"... There is scope to look at ways in which a national identity management system could provide services to other organisations on a commercial basis ... The scope for collaboration between public and private sector to ensure secure identity, simpler and better service for customers and harness the best technology is being explored by the Public/Private Forum chaired by Sir James Crosby which was set up by the Chancellor and will report in April 2007" (p.8).
There is an obvious logical discrepancy, given that PKI means keeping data confidential, in even considering selling it. It is an odd way to go about keeping information confidential, to sell it. Once you have sold it, how do you ensure that it remains confidential?
Why would the government consider selling our personal data? It cannot be to "ensure secure identity". Selling it impugns security by spreading our personal identity details around. There must be some other reason
The context of the quotation above is this:
"The fact that people will have a secure way of proving their identity could drive major benefits for the private sector and other organisations too. In other countries the private sector is already exploiting the use of biometric identification. For example, companies in the US and Japan are already using biometric verification systems in retail and banking, allowing their customers to use their biometric identity as a quick way of paying for goods and services. There is scope to look at ways in which a national identity management system could provide services to other organisations on a commercial basis ..." (p.8)
There are some obvious problems with these assertions:
There is a bigger problem.
Consider the Section 37 report in its entirety. It is meant to be a cost report. It isn't. It wouldn't pass GCSE Business Studies as an example of a cost report. What it is, is a marketing document, extolling the benefits of the ID card scheme. In particular, the government is trying to insert the ID cards scheme into the UK's payments systems.
The marketing is beginning to work. There are people who believe that the ID card is a payment card, or at least there is one person:
"So the government will know everytime I go to the bank, purchase food, take out money, see my doctor etc. One day sometime soon , if you oppose the government or annoy some bureaucrat your card is cancelled and you become a non-person. It's no wonder the government mouthpiece, the BBC, has never repeated '1990' which predicted this nightmare 20 years ago." (Comments on the Prime Minister's Daily Telegraph article, November 6, 2006 6:55 AM)
As things stand, this comment could not be more wrong. The ID card is not a payment card. It is not like a charge card, or a debit card, or a credit card, or a cheque guarantee card, or a cash withdrawl card. The ID card is separate from all these other cards and irrelevant to payments in general.
And that is the problem which faces the government.
As long as this continues to be the situation, the daily irrelevance of the ID cards scheme is embarrassingly clear.
Only if ID cards are inserted somehow into the UK payments systems would they become relevant, only then might the huge expenditure appear to be justified, only then would the government appear to have a rôle.
That is why what was meant to be a cost report was converted into a marketing document instead.
Would it work? No. It is up to the banks to establish the identity of their accountholders. That is what the accountholders and the banks' shareholders expect. The banks would be taking a risk if they abdicated their responsibility to establish people's identity. There is no business case for taking this risk.
Would the government underwrite their ID cards? Suppose that they did. It wouldn't help. When an ID card turns out to identify someone wrongly, and that person perpetrates a fraud, then the government would pay compensation to the bank. What would they pay it with? Tax money. Tax paid by the bank and by its shareholders and by its accountholders. We would all be paying ourselves compensation for the mistake made by someone we were also paying not to make mistakes.
If the banks wish to introduce biometrics into the payments systems and they can make the case to their shareholders and to their accountholders, then well and good, let them experiment. They will have to be able to prove first that:
Maybe they can. But it is not their job to legitimise a government initiative which is full of holes. That is not their mission statement. That is not what the shareholders or the accountholders pay for.
No-one has demonstrated yet that they can forge a biometric passport. They can copy the data but they cannot change it.
They haven't had long. Given time, it may well be possible to forge passports.
Professor Thomas warns that "... no card based chip has yet proved to be completely unable to be broken open," as noted above.
Professor Anderson describes a number of the techniques for breaking the security on smart cards in his book (chapter 14).
And Cambridge Algorithmica warn that:
"Smart cards are vulnerable to forgery; excessive reliance should not be placed on them. Despite the best efforts of card manufacturers, it will eventually be possible to access the data content and reverse engineer any smart card ... forged cards can then be produced. Though this will be at a price, it will not be beyond the means of organised crime. Cryptographic techniques do give further protection; however, practical constraints make on-card encrypted information more vulnerable than encrypted information transmitted over communications networks".
These three experts do not seem to be confident that the integrity of data stored on biometric passports and ID cards would last for long.
The government do not seem to be confident either. Why else would they threaten to fine us £1,000 if we fail to return our mother's ID card when she dies? (See Comment, December 24, 2006 10:56 AM, 'A tax on the absent-minded', The Sunday Telegraph)
"It is assumed that data stored on the ID Card would be encrypted, using a trapdoor encryption algorithm. The same key (or a modest number through some key compartmentation scheme) is used for every card; breaking the key creates a widespread vulnerability that is very expensive to overcome. For an encrypted communications system, each link can use a different key and keys can be changed frequently; thus, if there is compromise of a crypto key, damage is much more limited. The cryptographic strength is less, for trapdoor encryption algorithms".
That seems to imply another benefit of basing ID voucher schemes on mobile phones rather than smart cards. PKI implemented in a mobile phone-based scheme might get us back to the 12m times the age of the universe end of the spectrum and away from the forged set-top box ID cards end.
There is no reassurance on this matter in the Home Office's strategic action plan. There needs to be. Computerised systems do fail. BCSL has compiled a list of 11 failures, including particularly relevant cases of fingerprint systems failing in the UK and the US, UK passport systems failing and US identity management systems failing. There is also a worrying example of UK medical systems failing.
These are questions you might expect to see addressed in a document which calls itself "strategic". They are not.
A fraud has been committed against DWP, the Department for Work and Pensions. Someone impersonating you has drawn your money. That is what the conclusion would be, as things stand at the moment. But not if PKI is implemented.
With PKI, you get something called "non-repudiation". CESG's non-repudiation principle requires that "the individual who undertook the transaction cannot subsequently deny it". As a result, the fraud will have been perpetrated against you, not DWP, you cannot repudiate the transaction, the money drawn out has been digitally signed for, apparently using your ID card, you have no recourse.
There could be any number of explanations, involving perhaps a malicious member of staff in the registrar's office at your son's university stealing your ID card details, or a malicious member of staff at IPS suplying your details to a forger, or supplying a copy of your card to an accomplice. All these explanations are irrelevant under PKI. There is nothing to debate. You can try to draw your benefit money next week and start eating again then but this week's money is gone.
That is what "non-repudiation" means and it is surely too extreme. We may want PKI implemented properly in respect of integrity, authentication, availability and confidentiality. We are unlikely to want PKI to include non-repudiation. Why would we pay, and queue up, to transfer the liability for fraud, from others, to ourselves?
Is this just a theoretical matter, the consequence of a mathematical theorem with no relevance outside ivory towers? No. There is a debate in the UK at the moment (January 2007) between the credit card companies and retailers about liability. The credit card companies have been arguing that the PKI link between them and the retailers implies that it is the retailers who should bear the cost of fraudulent card usage, not the banks. Visa are believed to have backed down. MasterCard are still arguing.
Dematerialised ID implies that IPS would make the small move required to issue digital certificates, instead of material ones, and to distribute and revoke them by calling people's mobile phones, rather than using the post. Otherwise their registration, certification and revocation responsibilities under dematerialised ID remain much the same as they have always been.
PKI has been around long enough for there to be standards to measure security assurance – ISO 15408 and FIPS 140, for example. IPS are not a PKI trusted third party ex officio. That status has to be earned in the first place and it requires continued vigilance to retain it.
Our review of the government's implementation of PKI is based on very little information about their intentions. That is hardly surprising. It has taken them years to mention PKI at all and, even now, they have provided very few details as to how identity will be verified and what data will be stored on the ID card.
All UK central government communications are encrypted and authenticated by PKI. Digital certificates are issued to government departments and individuals in a hierarchical system with the root certificate being managed by GCHQ. GCHQ includes CESG, its information assurance arm, which devises PKIs, advises on their implementation and performs security/information assurance evaluation.
It would be obtuse not to take advantage of GCHQ's experience in the implementation of PKI for biometric passports and ID cards. But the questions raised in this section about authentication, confidentiality, integrity and availability suggest that GCHQ cannot have been involved.
The question arises, therefore, whether IPS will submit to inspection, to measure its level of security assurance. If it will, it may learn something about best practice. And it would contribute to the sense of trust that people have in its operations.