Government cools on PKI

By Matt Whipp

Posted on 13 Dec 2002 at 12:54

Failing PKI industry isn't growing fast enough to meet 2005 deadline.

At the Internet Goes Public Conference in London yesterday, Steven Marsh, director of security policy at the Office of the e-Envoy, told the public sector audience that the government's commitment to Public Key Infrastructure (PKI) for authentication to its online services is in no way exclusive.

He said that industry just hasn't grown in the way people thought it would five years ago. The government is now actively looking at possibly renting out alternative but existing commercial technologies for authentication, and has announced a consultation on what he called the 'market failure', of authentication services.

'Rather than just saying "yes, we'll use PKI", we're looking for mechanisms that will work not just for the public sector, but in the private sector as well.... We're looking at alternative models where government would pay for its reliance upon these credentials, rather than demanding that the individual goes out and buys another service,' he said.

'There are already lots of groups who are already well known. For example, if you're dealing online with a bank, [it has] been through the money laundering regulations, the bank knows who you are, certainly well enough for most of the transactions that will happen in the public sector. So why can't we work with the bank to say: "offer your customers access to government services as well"?', he said.

He said that incorporating digital signatures to authenticate access to government online services would only add to their complexity, and to the problem of poor public take-up of those services.

'If I'm going to take a paper form, I can just sign the form with a ballpoint pen. Why should I go down to the high street with a sheaf of documents and a passport to get some sort of electronic credential which would allow me to do that online?' he asked. 'We still believe that digital signatures is an underlying mechanism for secure transactions, but we're looking at a variety of different technologies that will make that whole process easier.'

Using existing commercial alternatives will also make it easier for the government to deliver its online services on time for the 2005 deadline, rather than having to implement new authentication technologies as needed.