No need to say it, it goes without saying, it should be obvious to all but, just in case it isn't obvious to all, IDA is dead. IDA, now known as "GOV.UK Verify (RIP)", is the Cabinet Office Identity Assurance programme.
A week ago we learnt that people with a German electronic ID are now able to use it to log on to HMRC:
This has been on the cards, so to speak, for over 10 years now, ever since the inception of the European Union's Project STORK. German students studying at UK universities should be able to access UK public services while they're over here using trusted German identity assurance. Ditto UK students in Germany. And not just Germany and the UK, any EU citizens in any EU country.
Over the years, Project STORK became eIDAS, EU Regulation 910/2014. The German Federal Office for Information Security jumped through all the eIDAS hoops to "notify" their Ausweis identity assurance scheme, it's passed all the tests and, as noted in the Martin Jordan tweet above, Her Majesty's Revenue and Customs now have to accept Ausweis identities.
That's the theory.
In practice, this is the response a German currently gets:
That's the way to do it.
"Something went wrong".
It certainly did.
But where?
Germany? HMRC?
Apparently not. The error message is branded GOV.UK Verify (RIP). Their logo. Their problem.
Speaking of which, GOV.UK Verify (RIP) has been put up for eIDAS membership. It's been "pre-notified" in the lingo:
Will it be as successful as the Germans' Ausweis? Will it be deemed to provide a low level of assurance that the owner of the GOV.UK Verify (RIP) identity is who they say they are? Or a substantial level of assurance or even a high one?
Our EU partners will not be impressed at the rejection of GOV.UK Verify (RIP) by HMRC, DWP (para.3.21), the NHS, Scotland, UK local government and others. Nor will they be mollified when they see US NIST's opinion that GOV.UK Verify (RIP) provides nothing better than self-certification.
It's all about trust, and what are our partners supposed to make of the fact that the Post Office are treated as an "identity provider" (IDP) even though they're not certified by tScheme? It looks underhand making people think they're dealing with the Post Office when really all the identity proofing work is carried out behind the scenes by Digidentity. It undermines trust.
Has GOV.UK Verify (RIP) been pre-notified by the Government Digital Service? That would seem strange:
- Partly because it is the Department for Digital, Culture, Media and Sport that has responsibility for the digital economy and for identity policy, not GDS.
- And partly because it has recently been announced that the UK government will cease funding GOV.UK Verify (RIP) in 18 months' time.
Who will underwrite GOV.UK Verify (RIP) identities after that?
No-one knows. Certainly not the 27 other members of the EU.
As things stand, the probability of GOV.UK Verify (RIP) getting through the eIDAS vetting procedure is not high, not substantial but, if it's lucky, maybe low. Low-to-non-existent.
That's the way to do it.
----------
Updated 23:52
Our European partners may recall that early last month the UK's Infrastructure and Projects Authority recommended that GOV.UK Verify (RIP) be terminated. That's the same GOV.UK Verify (RIP) that we're trying to get approved for use in eIDAS, please see above.
Not confidence-inspiring.
Reality bites. But instead of terminating the scheme, the Senior Responsible Owner is abandoning ship and GDS are letting go of the controls and handing it over to the private sector. Perhaps the private sector will prove better at terminating it.
Not confidence-inspiring.
GOV.UK Verify (RIP) boasted seven "identity providers" until recently – Barclays Bank, CitizenSafe/GB Group plc, Digidentity, Experian, the Post Office, the Royal Mail and SecureIdentity/Morpho.
During the handover to the private sector two of those "identity providers" are dropping out – CitizenSafe/GB Group plc and the Royal Mail.
In reality, the Royal Mail was never a true "identity provider", they just provided a call centre service and all the identity proofing and verification work done in its name was really conducted behind the scenes by CitizenSafe/GB Group plc, another example of GDS's duplicity like the Post Office/Digidentity charade, please see above.
Not confidence-inspiring.
What happens to all the personal information that the Royal Mail and CitizenSafe/GB Group plc amassed while they were still operational? Them and their subsidiaries and partners and contractors? Where's the information gone now? What control do we citizens have over our own personal information? What happens when GDS and DCMS are no longer involved?
Come to that, what's happened to all the personal information Verizon amassed while they were an "identity provider"?
Even for the continuing "identity providers" – Barclays Bank, Digidentity, Experian, the Post Office and SecureIdentity/Morpho – GOV.UK Verify (RIP) doesn't abide by a single one of the identity assurance principles that are meant to govern it.
Not confidence-inspiring.
GDS never answer questions posed by us, the public. Maybe they'll answer the eIDAS authorities.
Updated 18.10.18
Certification of the GOV.UK Verify (RIP) services supplied by "identity providers" is carried out by tScheme. The summary of their certification has now been updated.
The Post Office is most notable as the only "identity provider" to have no tScheme approval whatever.
None of the "identity providers" is certified by tScheme as having any expertise with digital certificates – something of a gap vis-à-vis eIDAS, which is all about trust services.