No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.
IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.
Here's a selection of GDS posts and a film in the week leading up to purdah:
Janet Hughes and Stephen Dunn
Martha Lane Fox
If there's a tricky job facing the Government Digital Service (GDS), or indeed an impossible job, what do they do? Call for Janet Hughes.
Let's take a look at her 25 March 2015 offering, GOV.UK Verify and Mydex CIC.
As we were saying, GDS have managed to appoint nine "identity providers" for the second phase of the GOV.UK Verify (RIP) obsequies.
Mydex Data Services Community Interest Company "will continue to work with the Identity Assurance Programme", Ms Hughes tells us. They will work not only on IDA but also with "the government more broadly". They will work "on the policy and delivery areas within specific areas of [their] expertise around verified attribute exchange and consent management for data sharing".
She goes on to say that Mydex have been "an important partner for GOV.UK Verify ... that partnership is ongoing and they are already an approved G-Cloud 6 supplier for their live ISO27001 certified services". Chris Ferguson, Director of the Identity Assurance Programme, is quoted as saying: "Mydex CIC has made a fantastic contribution to the development of GOV.UK Verify and we’ve greatly benefited from their input. We look forward to continuing to work with them through the OIX forum".
There's more where that came from: "Mydex CIC goals for citizens – the community they serve – remain aligned with HMG policy on respecting privacy and offering consent driven identity assurance and data sharing".
And more, but you get the picture – it's hard to overstate how marvellous Mydex are. The only thing is:
Mydex CIC will not be a certified company in the next framework for identity providers.
No explanation is advanced. Did GDS refuse to have Mydex on board? Did Mydex refuse to join? We have no idea and there's no point guessing.
Mydex will not be "identity providers" to GOV.UK Verify (RIP) but Digidentity will. So will GB Group. And Morpho. How come? Why them, and not Mydex?
Ms Hughes's post is extraordinary. Nothing similar was written when Cassidian pulled out of the first framework agreement. Nor Ingeus. Nor PayPal. They're not worth memorialising but Mydex are? Why? And nothing similar has been written for all the organisations which applied to join the second framework and then didn't. Just Mydex. Why?
Why bother to write anything at all about Mydex not becoming an "identity provider"? Why bring attention to the matter? Who cares?
Clearly someone cares, for some reason, and that someone thinks that the non-appointment of Mydex needs to be written about. But who could possibly do the job? Only Janet Hughes. And she's succeeded. The perfect result has been achieved. The non-appointment has been documented and yet no-one (other than DMossEsq) is asking any questions in public. Well done, Janet.
The DMossEsq position, incidentally, is that it is commercially reckless for any organisation to get into the GOV.UK Verify (RIP) bed with GDS. In which case this is a good result for Mydex ...
... and a rotten result for the nine "identity providers" that have been appointed. They will look back with envy at Mydex's timely escape.
@CyberSecKent It certainly does, apologies for omitting.