Digital Certificates for Government Services? (Pah)

This evening I was looking into the online services offered by the Inland Revenue as I believe I may have to file a tax return this year. I hoped I’d be able to do it online. As it happens this is possible, via the standard username and password combination.

More intriguing was a link to login using a digital certificate; a potentially far more secure authentication method than a username/password pair.

A digital certificate is a pair of keys, one of which is private and one public. The private key must be kept secret by the person who is identified by the certificate. The public key can be freely shared with others.

The public key can be used in two ways:

1. it can decrypt a message which was encrypted by the private key. As only the corresponding public key can decrypt messages encrypted by the private key, this shows a message must have been encrypted by the individual who holds the private key;
2. the public key can be used to encrypt a message such that the private key is the only way to decrypt it. This means a message can be encrypted which only the recipient can read (as only they hold the private key needed to decrypt it).

These two uses show why the private key must be kept secret: if the private key is exposed to others than the individual it is registered to, others may pretend to be that individual or read messages intended only for that individual.

In addition, the uses demonstrate that a certificate must only be issued once the individual requesting it has been authenticated; that is, once it has been checked that they are who they claim to be. Otherwise, again, it is possible to impersonate an individual by purchasing a certificate which purports to be for that individual.
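To make the two uses of the public key and the role of the certificate concrete, here is an added, constructed walk-through in Python (not code from the original post or from any government supplier). It is textbook RSA on well-known small primes with no padding, so it shows the mechanics only and gives no real security; the names "Alice", "Bob" and the CA, the primes, and the dictionary-shaped "certificate" are all assumptions made for the illustration. The last step shows the point about vetting: a certificate the CA issues for "Alice" over an impostor's key verifies exactly like the genuine one, because all a relying party can check is the CA's signature.

```python
import hashlib
from math import gcd

# Constructed toy key material: well-known primes so every step is visible.
# A real key uses two random ~1024-bit primes; these numbers give no security
# and there is no padding, so this is a teaching model only.
CA_PRIMES = ((1 << 61) - 1, (1 << 31) - 1)       # Mersenne primes
ALICE_PRIMES = (1_000_000_007, 1_000_000_009)
BOB_PRIMES = (998_244_353, 2_147_483_647)


def make_keypair(p, q, e=65537):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (n, e), (n, pow(e, -1, phi))   # pow(e, -1, m) needs Python 3.8+


def _digest_mod(n, message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message):
    """Use 1 from the text: transform with the private key; anyone holding
    the public key can undo it, which shows who produced the value."""
    n, d = private_key
    return pow(_digest_mod(n, message), d, n)


def verify(public_key, message, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest_mod(n, message)


def encrypt(public_key, message):
    """Use 2 from the text: anyone can encrypt to the public key; only the
    private key recovers the message (which must be smaller than n)."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)


def decrypt(private_key, ciphertext):
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _cert_body(cert):
    n, e = cert["public_key"]
    return f"{cert['subject']}|{n}|{e}".encode()


def issue_certificate(ca_private, subject, subject_public):
    """A (toy) certificate is the CA's signature over (name, public key)."""
    cert = {"subject": subject, "public_key": subject_public}
    cert["ca_signature"] = sign(ca_private, _cert_body(cert))
    return cert


def verify_certificate(ca_public, cert):
    """All a relying party can check is that the CA signed this binding."""
    return verify(ca_public, _cert_body(cert), cert["ca_signature"])


def demo():
    ca_pub, ca_priv = make_keypair(*CA_PRIMES)
    alice_pub, alice_priv = make_keypair(*ALICE_PRIMES)
    bob_pub, bob_priv = make_keypair(*BOB_PRIMES)
    results = {}

    # Use 2: encrypt to Alice; only Alice's private key recovers the text.
    secret = b"tax due"                                # 7 bytes, below n
    ct = encrypt(alice_pub, secret)
    results["alice_reads"] = decrypt(alice_priv, ct) == secret
    results["bob_reads"] = decrypt(bob_priv, ct) == secret

    # Use 1: Alice signs; her public key checks it, Bob's key cannot forge it.
    sig = sign(alice_priv, b"return filed")
    results["sig_ok"] = verify(alice_pub, b"return filed", sig)
    results["sig_forged"] = verify(alice_pub, b"return filed",
                                   sign(bob_priv, b"return filed"))
    results["sig_tampered"] = verify(alice_pub, b"return filed late", sig)

    # Certificate: the CA vouches that this public key belongs to "Alice".
    alice_cert = issue_certificate(ca_priv, "Alice", alice_pub)
    results["cert_ok"] = verify_certificate(ca_pub, alice_cert)

    # Changing the name after issuance breaks the CA's signature.
    results["cert_tampered"] = verify_certificate(ca_pub, dict(alice_cert, subject="Bob"))

    # The weak spot from the text: if the CA issues "Alice" to Bob's key
    # without checking identity, verifiers cannot tell it from the real one.
    results["cert_unvetted"] = verify_certificate(ca_pub,
                                                  issue_certificate(ca_priv, "Alice", bob_pub))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows `alice_reads`, `sig_ok` and `cert_ok` as True, `bob_reads`, `sig_forged`, `sig_tampered` and `cert_tampered` as False, and `cert_unvetted` as True: the cryptography holds up, and the only defence against the last case is the identity check the certificate authority performs before issuing.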

In a perfect world of perfectly hidden private keys and rigorously verified identities, the public/private key system is very secure. There are many cogs in the system, both computer and human, which must act correctly for this to be the case. Carl Ellison and Bruce Schneier have written about the risks inherent in seeing this system as a silver bullet in Ten Risks of PKI: What You’re not Being Told about Public Key Infrastructure. Some of the problems in the essay can be overcome, but it provides a framework for critically examining a service.

To register to use a digital certificate first requires you to leave the Inland Revenue’s site and visit the Government Gateway, a site bearing more than a passing resemblance to those scammy “search” sites you often encounter when mistyping a URL; my quest was starting badly.

Venturing further in my search, I came across three problems with the certificate service offered.

First black mark: the certificate you can purchase for use with government services will only work with Internet Explorer on Windows (amusingly, the combination most likely to be infected to the gills with malware, and so the least secure for filing any sensitive data).

“Other certificate providers may be added to the Gateway later”, the Government Gateway page states, noncommittally (emphasis mine). With no indication of date, this page could have stated this for years, and probably has. One of the government’s approved suppliers claims to support Netscape Navigator, but it looks like you can’t log in to the Gateway using a certificate installed in Navigator. There is no mention of Firefox or Safari.

Second black mark: the providers’ sites seem to be covered in cobwebs. The Equifax site contains details of how to use Outlook 98 with your certificate, whilst the most recent news on the BCC’s certificate scheme page is from 2004. Such lack of attention doesn’t bode well for the quality of service provided.

Third black mark: Equifax boast that their service requires no documentation to be sent to them (or taken to a trusted party) for identity checking of the applicant, relying instead on credit record data. Given the number of fraudulent bank transactions supposedly happening each day, this data may not be hard to obtain illegitimately, meaning the applicant identity verification may not be as rigorous as it could be. This is Ellison and Schneier’s risk eight.

These problems mean I personally wouldn’t trust the certification process offered. So ends my interest in digital certificates for filing online tax returns, and so comes the resignation that I will need yet another username and password pair.

Disappointment is present.

.:.