e-Envoy's office defends Windows-only portal – climb down begins?

Commissioning open source research, will consider alternatives - they're wobbling...


The Office of the e-Envoy is hotly - but not very convincingly - disputing claims that the Microsoft-built UK government portal, gateway.gov.uk, constitutes a Microsoft tax. The authentication systems used for the portal, which is intended to form the cornerstone of the Blair government's plan to get 100 per cent of its services online by 2005, means that you need to be running a combination of IE and Windows to be able to use all the services.

In response to what seems to be a barrage of irate emails directed at e-Envoy Andrew Pinder, one Keith Roberts of the Office of the e-Envoy has been sending out a detailed explanation of the current situation. In, we kid you not, Microsoft Word format. (We've got four of these already now peeps, by the way, so thanks, but you can stop sending them.)

The document is authored by one John Wailing, the luckless individual whose email address (john.wailing@cabinet-office.x.gsi.gov.uk) Roberts is giving out for further queries. But the system seems to be standard - just remember it's Keith A Roberts.

Wailing's explanation more or less confirms what Linuxuser says on the subject. The system requires HTTPS with 128-bit or better encryption, and this bit is a doddle for everybody. But it's the next stage where the problems kick in. "This guarantees the confidentially of the process and enables the client to verify that they are communicating with the Government Gateway. But, it provides no authentication of the client to the Gateway."

So this is done either by a password of the user's choosing, or via a digital certificate. "The second method is preferred (and required for some transactions) but is dependent on the client having commercially available PKI software already installed and the user obtaining an X.509 certificate. Currently, we only have arrangements with ChamberSign and Equifax. The Entrust and Equifax software equates to tScheme level 2."

At this juncture you might begin to wonder whether the limitation mightn't be - effectively - self-imposed. Compelling the use of certificate-based authentication for some services, probably all of the more important ones, when the scope of certificate-based systems is still limited, and further constrained by the government's choice of suppliers, could be said to be a little weird.

But here comes another constraint that you might just consider to be a smoking pistol. Microsoft is committed to standards, right, and .NET is all about XML, which is a standard. Not only that, but as Microsoft says in its announcement of the deal with uk.gov, "the Government Gateway, the new Microsoft .NET Enterprise Server solution is an XML-based portal..." So as far as MS is concerned, the Government Gateway is a Microsoft .NET service.

The Microsoft strategy for XML and numerous other cutting edge standards is to be ahead of the curve, so the company implements standards that maybe aren't quite general standards yet, and its rivals come panting along behind. The authentication for gateway.gov.uk operates as follows: the Gateway requests that an XML object be signed. It "delivers an XML object to the client together with a signed Java applet and some JavaScript. The Java applet adds some envelope information to the XML object and then uses the API provided by the PKI commercial package supplier to get the object signed. The applet then posts the object back to the gateway."

According to Wailing, two constraints follow from this. First, "although standards are followed in that Java applets are signed with X.509 certificates, the mechanism used to package and sign the applets is proprietary. For example, Microsoft use a cab file and sign it using MS Authenticode whereas Netscape use a jar file and sign it with NS Object signing technology. Consequently, separately packaged applets have to be created for each browser and each package has to be signed with a separate certificate (from Entrust).

"The second difficulty is the availability of packages to manage certificates on platforms other that Microsoft Windows. Such packages also need to support APIs that can be called by Java applets."

So there you go, having chosen a system and an implementation that is currently skewed towards Microsoft, the Government Gateway only supports, er, Microsoft properly. But at this point Wailing's document seems to start to move into climb-down mode. "The issue is not about being vendor neutral; rather it is a problem with the way standards are implemented by vendors and a lack of offerings to manage digital certificates.

"Other browsers (running under Windows, Unix or Linux) can provide the required SSL connectivity but the ability to manage certificates on open source platforms needs investigating. The Office of the e-Envoy will be funding some activity by the open source community to address this issue. [our emphasis, but note that there was considerable open source knowledge and expertise within the government prior to the e-Envoy's arrival on the scene - what has he done with it?]

"The security model described above met the design objectives but if alternatives are proposed, they will be considered." [our emphasis again] Pounce now, and maybe it's an open goal.

On the subject of security models, it's currently at least arguable that there is a trend away from PKI-based systems and towards more accessible (and traditional) username/password systems. Several Register readers in New Zealand have drawn our attention to a similar project carried out for the New Zealand Inland Revenue by EDS*. This replaced a universally accessible system with a certificate-based one that locked out Macs. After much furore this was dumped in July of last year in favour of 128-bit encryption and username/password login. As a Revenue spokesman said, "Digital certificates are all lovely and wonderful but we've discovered that it can have a lot of issues for the user."

So is the Government Gateway's authenticatrion system the shape of things to go? ®

* It has been claimed to us that although Microsoft and Dell have loudly claimed credit for the UK Gateway, it's actually EDS that's doing a lot of the work. If this is the case, we'd advise them to shut up about it and let the other two cop all the crap instead.

Related Stories

Opera to challenge e-envoy over UK govt 'Windows tax'
MS-built UK 'Government Gateway' locks out non-MS browsers

Linuxuser investigation

microsoft.gov.ok?

A thorough IDG investigation of the New Zealand case

Some of our Mac support is missing
Incoming...
Let's not do it after all then


Other stories you might like

  • Why Cloud First should not have to mean Cloud Everywhere

    HPE urges 'consciously hybrid' strategy for UK public sector

    Sponsored In 2013, the UK government heralded Cloud First, a ground-breaking strategy to drive cloud adoption across the public sector. Eight years on, and much of UK public sector IT still runs on-premises - and all too often - on obsolete technologies.

    Today the government‘s message boils down to “cloud first, if you can” - perhaps in recognition that modernising complex legacy systems is hard. But in the private sector today, enterprises are typically mixing and matching cloud and on-premises infrastructure, according to the best business fit for their needs.

    The UK government should also adopt a “consciously hybrid” approach, according to HPE, The global technology company is calling for the entire IT industry to step up so that the public sector can modernise where needed and keep up with innovation: “We’re calling for a collective IT industry response to the problem,” says Russell MacDonald, HPE strategic advisor to the public sector.

    Continue reading
  • A Raspberry Pi HAT for the Lego Technic fan

    Sneaking in programming under the guise of plastic bricks

    There is good news for the intersection of Lego and Raspberry Pi fans today, as a new HAT (the delightfully named Hardware Attached on Top) will be unveiled for the diminutive computer to control Technic motors and sensors.

    Using a Pi to process sensor readings and manage motors has been a thing since the inception of the computer, and users (including ourselves) have long made use of the General Purpose Input / Output (GPIO) pins that have been a feature of the hardware for all manner of projects.

    However, not all users are entirely happy with breadboards and jumpers. Lego, familiar to many a builder thanks to lines such as its Mindstorms range, recently introduced the Education SPIKE Prime set, aimed at the classroom.

    Continue reading
  • Reg scribe spends week being watched by government Bluetooth wristband, emerges to more surveillance

    Home quarantine week was the price for an overseas trip, ongoing observation is the price of COVID-19

    Feature My family and I recently returned to Singapore after an overseas trip that, for the first time in over a year, did not require the ordeal of two weeks of quarantine in a hotel room.

    Instead, returning travelers are required to stay at home, wear a government-issued tracking device, and stay within range of a government-issued Bluetooth beacon at all times for a week … or else. No visitors are allowed and only a medical emergency is a ticket out. But that sounded easy compared to the hotel quarantine we endured in 2020.

    Continue reading

Biting the hand that feeds IT © 1998–2021