[HN Gopher] Single sign-on and identity for government services:...
       ___________________________________________________________________
        
       Single sign-on and identity for government services: What we've
       learned so far
        
       Author : open-source-ux
       Score  : 28 points
       Date   : 2021-10-19 21:57 UTC (1 hours ago)
        
 (HTM) web link (gds.blog.gov.uk)
 (TXT) w3m dump (gds.blog.gov.uk)
        
       | jiveturkey wrote:
       | Interesting. This is more about capital-I Identity than about
       | SSO.
        
       | tialaramex wrote:
       | Reading documents like passports with an NFC reader does indeed
       | work, and does indeed produce verifiable material. Specifically
       | the passport has proof (via a digital signature) that it was
       | issued by a specific authority, and in turn, proof that the
       | contents of the passport (name, date of birth, a picture and so
       | on) are as issued.
       | 
       | But, the problem here is that the issuer is the British
       | government, so, what are you proving? "Here, you issued this
       | passport". "Oh yes, so we did". I presume the British government
       | does _own_ a database of the passports they issued, so this
       | isn't news to them.
       | 
       | A modestly smart device, such as a Yubico device, is capable of
       | providing fresh proof of its identity. My Security Key doesn't
       | prove "The security key that enrolled me with GitHub in fact
       | exists" which is redundant - but "I am still the same security
       | key that you enrolled". However the passport can't do that, your
       | passport is inert, and the fact that Sarah Smith existed isn't
       | the thing you presumably want to prove to a single-sign-on
       | service. You want to prove that you _are_ Sarah Smith, something
       | the passport doesn't really do.
       | 
       | I think the GDS ignores this problem, which is to be fair no
       | worse than lots of other systems, but the result isn't actually
       | what it seems to be, all the digital technology isn't actually
       | proving anybody's identity in this space.
       | 
       | It reminds me of the bad old days of the Web PKI where it was
       | found that the "email validation" being used would accept
       | automated "virus checking" of email. A CA sends the "Are you sure
       | you want to issue a cert for mycorp.example?" message to
       | somebody@mycorp.example and even though Somebody is on vacation
       | in Barbados for two weeks, the automatic "virus" check reads the
       | URL out of the email, follows it, ignores the page saying
       | "Success, your certificate has been issued" and passes it to
       | Somebody's inbox... All the "security" is doing what it was
       | designed to do, but, what it was designed to do isn't what it
       | _should_ have been designed to do, and so it's futile.
        
         | jimvdv wrote:
         | The way it works in my country is: you install an app that uses
         | your passport's NFC chip to verify your identity. Then gov web
         | services or verified third parties (like private insurance) can
         | use what looks like (I did not dig in the details) a fairly
         | standard OAuth flow.
        
         | advisedwang wrote:
         | Scanning the passport:
         | 
         | 1. Verifies that you _have_ the passport
         | 
         | 2. Provides biometric info
         | 
         | Of course neither of these are a 100% guarantee of identity.
         | (1) doesn't account for stolen or lost documents. (2) is only
         | useful if the app doing verification is tamperproof and the
         | camera isn't fooled by holding up a photo of you etc. However
         | _nothing_ is a 100% guarantee. These steps, plus any other
         | verification that's going on, can make it very hard to fake ID,
         | which is all we are really able to hope for with these systems.
        
         | Muromec wrote:
         | >But, the problem here is that the issuer is the British
         | government, so, what are you proving? "Here, you issued this
         | passport". "Oh yes, so we did". I presume the British
         | government does own a database of the passports they issued, so
         | this isn't news to them.
         | 
         | It's a (weak) proof of ownership of such passport -- it has to
         | be present to be read.
         | 
         | Some id cards can also function as smartcards and provide a kind
         | of challenge-response proof, which is better compared to
         | reading a signed document (which can turn out to be a copy).
         | 
         | >I presume the British government does own a database of the
         | passports they issued, so this isn't news to them.
         | 
         | Actually maybe they don't.
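
The contrast the comments above draw between reading a signed document and a challenge-response proof, as an added example that is not part of the thread or of any GDS code. HMAC-SHA256 stands in for the digital signatures real documents and keys use, and every name, key and field value here is constructed for illustration.

```python
import hashlib
import hmac
import secrets

# HMAC-SHA256 is a stand-in for real digital signatures; all keys and data are constructed.
ISSUER_KEY = secrets.token_bytes(32)


def issue_document(fields: bytes) -> tuple[bytes, bytes]:
    """Issuer seals the document contents once, at issuance."""
    return fields, hmac.new(ISSUER_KEY, fields, hashlib.sha256).digest()


def verify_static(fields: bytes, seal: bytes) -> bool:
    """Checks only that the contents are as issued, not who is presenting them."""
    expected = hmac.new(ISSUER_KEY, fields, hashlib.sha256).digest()
    return hmac.compare_digest(expected, seal)


class Token:
    """Hypothetical model of a smartcard or security key: the secret never leaves it."""

    def __init__(self, device_key: bytes):
        self._key = device_key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


def verify_fresh(enrolled_key: bytes, device: Token) -> bool:
    """Verifier picks a new random challenge each time, so a recorded answer is useless."""
    challenge = secrets.token_bytes(32)
    expected = hmac.new(enrolled_key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, device.respond(challenge))


def demo() -> dict:
    fields, seal = issue_document(b"name=Sarah Smith;dob=1980-01-01")
    copied_fields, copied_seal = bytes(fields), bytes(seal)  # all a reader can see
    enrolled_key = secrets.token_bytes(32)
    genuine = Token(enrolled_key)
    clone = Token(secrets.token_bytes(32))  # copy of readable data, no device secret
    return {
        "static_genuine": verify_static(fields, seal),
        "static_copy": verify_static(copied_fields, copied_seal),
        "static_tampered": verify_static(b"name=Someone Else;dob=1980-01-01", seal),
        "fresh_genuine": verify_fresh(enrolled_key, genuine),
        "fresh_clone": verify_fresh(enrolled_key, clone),
    }
```

The static check catches altered contents but cannot tell the original from a byte-for-byte copy; only the challenge-response check distinguishes the enrolled device from a clone.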
        
       ___________________________________________________________________
       (page generated 2021-10-19 23:00 UTC)