Fascinating to see that the ID Card has finally made it onto the statute books...
More interesting is the government's definition of the word 'Voluntary'. If you were reading this story you wouldn't believe it, truth really is stranger than fiction.
I don't have to have an ID Card though, which is nice, however, if I plan to holiday overseas I'll be signed up for one anyway. Right.
In analysis, then, unless you are a conscientious objector, your info is going on the NIR, regardless. I can't see many of the great British public choosing not to renew their passports. (ID Card brings down Ryanair ;-)
Of course, you could renew your passport before 2008, when the NIR is supposed to be switched on. But they've thought of that. ;-)
So, if it's going to happen, what do we have to be concerned about? Are ID Cards really that bad?
Well, IMHO, the card is a bit of a red herring. It's the NIR that's the issue, the so-called 'Central Database'. Most of the scare mongering around this has been the idea that there will be a 'Central Database' with all of your info in it. Most people are talking about this as if somebody is going to set up one big database (choose your favourite - SQL Server, Oracle, Sybase, etc) on a huge big machine somewhere. This is kind of easy to imagine and get your head around, and it's described as such in the bill, but it's not going to be a technical reality. The 'central' database envisioned in this bill is really going to be a huge collection of separate databases, interlinked in various ways by keys, encryption, hashing and joins. There isn't going to be a www.bigcentraldatabase.gov.uk for the hackers to hit.
Of course, that's not to say that the 'central' database won't be a target, it will. The next question is: what does the information architecture for what needs to be stored look like? Is it virtualised, how are different systems cross-referenced, what divisions of data, management and storage need to be designed? How will information be compartmentalised? Questions, questions.
It might also be handy if somebody could explain exactly what this information will be used for, and how it might benefit Joe Bloggs who is going to be asked to stump up £80 or so for it, when a passport or driving licence happily identified most of us quite nicely. This assumes that the ID Card won't be helping with online authentication. As I write this PKIs are not in scope for the card; but this is subject to change without notice... ;-)
It's kind of inevitable that this system is going to happen now (though whether it stays once it's implemented is up for debate), but the design of the NIR is the next big thing. I want to be pretty much convinced the NIR design is a good one, otherwise I'll just have to be 'a fool' as Mr. Clarke would tactfully put it...
Well it's good to see the government seem to be waking up to the fact that the Identity Card *might* be able to combat online fraud, and well done to the Register's John Lettuce for restoring my faith (at least to an extent) in their analysis.
Apparently the government are looking at secure remote authentication because you'll need this to identify yourself online; apparently PIN numbers just aren't good enough. Insert comedic phrase relating to biological excretions and the fictional inhabitant of 22b Baker Street.
Disappointing to note they still seem to think that biometrics are an 'access' technology, rather than the simple 'authentication' technology they really represent. Anyone, how are biometrics going to be checked online? Can't see everyone buying a biometric scanner for their PC, on top of the cost of this card, can you?
Nor can I see the 'one time password' stuff working. It's ok for limited deployments, but the cost for a NID card sized deployment means it shouldn't be on the drawing board.
Now, we've been thinking about this problem of course, and I reckon we've cracked it...
Ah, but Drew, (says my devil's advocate) your solution with PKI authentication enabled smart cards requires a smart card reader on every PC doesn't it?
Well, sort of..., ok yes. But it's not as bad as you think, because we're using the new JCOP41 smart cards. These are Java enabled smart cards with a built-in USB interface. In practice all that means is that the card can be wired to a USB hub directly, meaning no complex smart card reader. Stuff that could be built into a PC or given away for pennies.
A strong smart card, with secure remote authentication, that doesn't cost very much to deploy and run? Now that's using your head. Entire-ID.
( Dec 12 2005, 05:19:32 PM GMT / Dec 12 2005, 05:19:32 PM GMT )
Trackback: http://blogs.sun.com/Drew/entry/are_you_feeling_secure_now
Thursday December 01, 2005
Entire-ID : Launching today!
I've been dropping enough hints about this for the past few weeks, and since we're about to go public with it (in fact it just went live on the main Sun UK site as we speak - direct link here!), I think it's about time that you all got a low down on the monster that has been consuming my time for the last few months. (Other than the normal day job of course!)
Here it is...ta da!
So what is Entire ID? Well, it's a pre-integrated and pre-tested system designed to provide the complete backbone infrastructure of an Identity control system. I will introduce it today and then go through some of the details section by section in future entries.
The first issue it addresses is 'Registration'. How do you strongly associate an individual (citizen, employee, user or customer) with an electronic credential? Consider, if you can't guarantee the authenticity of the users who sign up to your system, any security you apply down the road is meaningless regardless of how good it is. Registration is key... and talking of 'keys', the (ahem) key output of the registration process is a digital certificate strongly bound to a registree. We also force the registration process itself to comply with E-Gov level 3 (Beyond reasonable doubt) legal requirements along with a whole bunch of other UK and EU legislation.
Next up is provisioning. Once we've got a user, we need to propagate and manage that user across all the systems and services they need to access. We need to do this in a way that is easy to manage, scalable and compatible with a huge variety of technologies. We also need to 'provision' the user with a Card...
Which brings us to Card Management. That digital certificate needs to be managed and placed on a card automatically (along with optional stuff like biometrics, photo/images and data). We also need to manage issuance, renewal, lost/stolen process etc etc...
We also need to use that card. Thus we provide authentication and authorisation services against that digital certificate, and in our demo example, create SSO tokens as a result of successful authentication (but you could do all sorts of interesting stuff - building access, car park spaces, online authentication...). There is also a whole bunch of federated stuff in here too...
Finally, we need to wrap an auditing function around all this, so we can provide an end-to-end view of the lifecycle of identities through the system.
It looks like this.
What you have in essence, is a pre-built, pre-integrated and pre-tested PKI authentication mechanism that manages sign-up, user provisioning, access and card management, using open standards and federation as guiding principles.
Can you think of anyone who might need one of these? ;-)
We've been partnering with a few companies to provide this solution as you can see. It's worth pointing out at this stage some top techie dudes here as well: Patrick (Objectsoft), Pascal (ActivCard - now ActivIdentity) and Marc (Isosec) who are the brains behind much of this. There is also the extended sales team (Brian, Les, Nigel, Giovanni, Robert and the other Les ;-) and our marketing lady, Suzie, who has been instrumental in bringing all the stuff together for shows and events. (She still can't spell 'compatible' right though ;-)
The website is a bit sparse at the moment, you know how it is when you're playing with technology, documentation is so... tomorrow. One other thing though, I designed the entire logo myself using a copy of paintbrush on my laptop and used the official sun colours... it got all the way through marketing without being altered. How cool is that? LOL!
( Dec 01 2005, 10:29:14 AM GMT / Dec 01 2005, 10:06:23 AM GMT )
Trackback: http://blogs.sun.com/Drew/entry/entire_id_launching_today
Tuesday November 22, 2005
Conference Season!
I'll be offline for a few days, unless the miracle of wireless technology is available, due to being at the Ministerial E-Government Conference in Manchester for the second half of this week.
This is quite a big shindig for all the ministers, CIOs and CEOs in the public sector and we have a pretty big investment of time, blood, sweat and tears to get some of our stuff front and centre.
Hellmuth Broda is speaking, hosted by (and with, I assume, appropriate pomp and circumstance) Robin. If wireless is about, look for blog entries from the event from Robin and me. I'll be there alongside some of our other Identity folks doing some stand duty for a proposition that we have come up with called 'EntireID'.
There is a website just about to be launched for this at uk.sun.com/entireid, but it's not live yet, due Wednesday, and I'll talk a little about what this is then. Quite relevant for Identity in general, and specifically geared for the National ID Card programme. Stay tuned.
Come and see us if you are there. I promise not to talk about trains ;-)
( Dec 01 2005, 11:54:07 AM GMT / Nov 22 2005, 11:47:29 AM GMT )
Trackback: http://blogs.sun.com/Drew/entry/conference_season
Wednesday November 16, 2005
ID Cards again
Robin had an interesting experience at the House of Lords. It's well worth a read. I've added some comments to the bottom of his blog.
BTW, the business about Andy Burnham saying the cost of the cards would have to be partly shared by various departments is confirmed here.
( Nov 16 2005, 09:34:01 AM GMT / Nov 16 2005, 09:29:33 AM GMT )
Trackback: http://blogs.sun.com/Drew/entry/id_cards_again
Tuesday November 08, 2005
Last bit on Digital Certificates and PKI for the time being...
Yes, I've been on this one for a while I know, I get to talk about something much more interesting in my next entry...
...apologies for the outage, I've been on holiday for a couple of weeks, so just getting back into the swing.
It occurs to me that perhaps the government won't include a digital certificate on the card when it's issued, but they might allow it to store digital certs for the benefit of citizens if they want them. You might be able to buy a cert, making your ID card much more useful for CNP (Card not present) transactions and online stuff. Might make sense, though I think it might not help the 'digital divide'.
On the other hand, if the government does bite off the whole PKI thing, with that kind of access to public keys floating around the network, how long will a digital certificate last? With current compute power accessible (and stuff like seti@home) showing that PCs can be linked to work on distributed computational problems, I suspect a digital certificate might start getting a bit flaky at around 3-5 years.
Meaning re-issuance and more cost.
( Nov 08 2005, 01:37:06 PM GMT / Nov 08 2005, 01:37:06 PM GMT )
Trackback: http://blogs.sun.com/Drew/entry/last_bit_on_digital_certificates
Wednesday October 19, 2005
A little bit more on Digital Certs...
Just a quick update as I'm off on holiday soon and a tonne of work still to do...
I'm definitely in the wrong part of the Identity Profession, by the way. Robin Wilton, my corporate counterpart, got to spend a sojourn in Singapore of all places, whereas I got back ache during stand duty at SOCITM in Brighton. Yes, it was grey and yes it was raining. Do I feel sorry for him cooped up in an economy class seat? ... only a bit. ;-)
Anyway, following on from my last entry.
The ID Card survived its third reading yesterday. Quite a large amount of opposition on the back benches there. On to the rigorous scrutiny of the House of Lords. ;-)
It also appears that this National ID Card and/or Digital Certificate stuff is still all over the place. I heard today that Mr. Clarke fully intends the card to be capable of carrying a certificate - I'll try to get a link for that one soon. Does that mean we're going to have to pay extra for our own Certificates on top of the basic card? That won't help the digital divide. The rich will be able to afford extra security online, the poor won't. Who knows, but it will be interesting to see what happens next.
Oh, and there was this bit of encouraging news for ministers on how much better multiple biometrics are as opposed to just one.... not!
( Oct 19 2005, 05:02:00 PM BST / Oct 19 2005, 04:42:37 PM BST )
Trackback: http://blogs.sun.com/Drew/entry/a_little_bit_more_on
Thursday October 13, 2005
Interlude on Digital Signatures
Geraint's comment on my previous post was rather revealing (thanks for that Geraint). I wasn't aware that the government had specifically ruled out digital certificates for inclusion on the ID card. Hands up, red face. Doh! :-(
This is apparently to reduce the projected cost of the cards... How much does a digital cert cost? About £25 today. If we're going to have to have ID cards, I'd rather pay the extra thanks.
Apparently, other than biometrics, the only other two factor identification component being suggested is the good old PIN number, making the ID Card about as secure as a credit card for online transactions. Not much of a step forward. I am assuming that the Government doesn't intend to issue all 60 million of us with a personal biometric scanner ;-)
Ok, the government has said that the card wasn't designed for e-commerce (real opportunity missed for reduction in fraud, spamming, phishing etc), but it leaves another big problem.
With no digital credential aboard, duplicating a card is going to be, if not easy, not nearly so difficult. It's not easy to guarantee uniqueness without a PKI.
Having thought about it for a while, I can't see a way around it. If you're going to create a system like this you might as well do it properly. I think the government will do a u-turn on this once the detail comes out after the public consultation is over. (What Sir Humphrey called the 'Janet and John Bit' ;-)
Kind of interesting that the government has been looking at ways to make PKI affordable, yet hasn't tied this up with the ID Card. At least not yet.
Aren't government departments supposed to talk to each other? ;-)
( Oct 19 2005, 05:05:17 PM BST / Oct 13 2005, 05:05:20 PM BST )
Trackback: http://blogs.sun.com/Drew/entry/interlude_on_digital_signatures
The Swizz of the Cards...
Another piece of excellent eclectech animation for you on the subject of ID Cards...
The 'Swizz of the Cards' - No, you're not in Kansas anymore... Lots of fun. ;-)
There are a few serious points in this that do bear examining though.
The author of this little ditty calls into question how well the registration process for the card will work (ably illustrated by straw man handing over a fistful of readies). He/She/They are correct in pointing out that registration is the point at which fraud is most likely, a problem we're working on right now... sorry can't give out the details at this stage, but you'll like it.
Secondly, there is a glaring mistake on the use of the ID Card to verify somebody else's transaction. In the animation the card is stolen and inserted into a 'PC' to verify a fraudulent transaction. Because it is a valid ID card the transaction goes through.
The author has missed the point that the card needs to be valid and somehow authenticated with the individual using it before it's accepted (two factor authentication). Just pinching somebody's ID card won't work, at least, not digitally. (Might do as photo ID though). A bit of scare mongering going on there m'thinks.
How is this authentication done? Well biometrics is one answer (and yes, we all know about those problems), but there are other answers too. We're also working on how you might be able to 'switch off'/invalidate a card without the card being physically anywhere near a 'terminal'... can't tell you about that either, but you'll like it. ;-)
The point that you don't need to have multiple identities to commit fraud is a good one though. Most benefit fraud is due to false claim reporting, not multiple identities.
Still, a good piece of animation, looking forward to more!
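The two points made in these posts (a card with no digital credential aboard is easier to duplicate, and a stolen card must still be authenticated with its holder) can be shown side by side. The following is an added sketch, not Entire-ID code: the class names, card numbers, PIN and three-try limit are assumptions, and HMAC from the Python standard library stands in for the signature a certificate-bearing card would produce.

```python
"""Card with only readable data vs. card holding a key it never exports.
Added illustration; HMAC is a stdlib stand-in for the certificate's signature."""
import hashlib
import hmac
import secrets

MAX_PIN_TRIES = 3  # assumed retry limit before the card blocks itself


class StaticCard:
    """Card that carries nothing but data any terminal can read."""

    def __init__(self, card_no):
        self.card_no = card_no

    def readable_data(self):
        return {"card_no": self.card_no}


class KeyCard(StaticCard):
    """Card that also holds a secret key, usable only after a correct PIN."""

    def __init__(self, card_no, pin):
        super().__init__(card_no)
        self._key = secrets.token_bytes(32)          # generated on the card
        self._pin_digest = hashlib.sha256(pin.encode()).digest()
        self._tries_left = MAX_PIN_TRIES

    def blocked(self):
        return self._tries_left == 0

    def respond(self, challenge, pin):
        """Answer a terminal's challenge; None if the PIN is wrong or the card is blocked."""
        if self.blocked():
            return None
        offered = hashlib.sha256(pin.encode()).digest()
        if not hmac.compare_digest(offered, self._pin_digest):
            self._tries_left -= 1
            return None
        self._tries_left = MAX_PIN_TRIES
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Verifier:
    def __init__(self):
        self.known_numbers = set()
        self.card_keys = {}  # with a PKI: public keys taken from certificates

    def issue_static(self, card_no):
        self.known_numbers.add(card_no)
        return StaticCard(card_no)

    def issue_key_card(self, card_no, pin):
        card = KeyCard(card_no, pin)
        self.card_keys[card_no] = card._key  # recorded once, at personalisation
        return card

    def accept_static(self, card):
        return card.readable_data()["card_no"] in self.known_numbers

    def accept_key_card(self, card, pin):
        key = self.card_keys.get(card.readable_data()["card_no"])
        if key is None:
            return False
        challenge = secrets.token_bytes(16)  # fresh per check, so old answers are useless
        response = card.respond(challenge, pin)
        if response is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def copy_card(card, pin="0000"):
    """Duplicate built from the readable data only; the key does not come along."""
    data = card.readable_data()
    if isinstance(card, KeyCard):
        return KeyCard(data["card_no"], pin)  # same number, different key
    return StaticCard(data["card_no"])


def run_scenarios():
    v = Verifier()
    static = v.issue_static("C-1001")            # constructed card numbers
    keyed = v.issue_key_card("C-2002", "4921")   # constructed PIN
    results = {
        "static_original": v.accept_static(static),
        "static_copy": v.accept_static(copy_card(static)),
        "keyed_holder": v.accept_key_card(keyed, "4921"),
        "keyed_copy": v.accept_key_card(copy_card(keyed, "4921"), "4921"),
    }
    # The genuine card in the wrong hands: wrong PINs until it blocks itself.
    results["wrong_pin_attempts"] = [
        v.accept_key_card(keyed, guess) for guess in ("0000", "1234", "1111")
    ]
    results["blocked"] = keyed.blocked()
    results["holder_after_block"] = v.accept_key_card(keyed, "4921")
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Once the card has blocked itself even the rightful holder is refused, which is where the lost/stolen and re-issuance processes come in.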
( Oct 13 2005, 02:22:23 PM BST / Oct 13 2005, 01:37:32 PM BST )
Trackback: http://blogs.sun.com/Drew/entry/the_swizz_of_the_cards
ID Cards and the NIR Part 3 - Some thoughts on scale
Scale matters.
Now we get to muck about with some figures. Back of an envelope figures admittedly, but it does allow us to analyse this a little.
There are approximately 60 million people in the UK, and about 3/4 of these are entitled to an Identity Card. So let's say 45 million.
The Government wants to store 51 pieces of personal information on us. This, to me, looks like about 10k's worth of textual data, not counting how much it takes to store biometrics, images and so on. Biometric data seems to vary from hardly anything to 1000s of bytes so let's say another 10k for that. How big is a decent quality jpeg of yours truly? Well I reckon you could get away with about 30-50k. Plus we need to add say 20% for encryption wrapping etc. So let's, for the sake of easy calculation, say a given user profile starts at 100k per individual. Doesn't sound too bad.
So how much data storage are we talking about? 45,000,000 times 100k = 4,500,000,000k or 4,500,000megs or 4,500Gigabytes. Sounds a lot but it's only 4.5 terabytes and that won't cause much of a problem for a decent storage provider. That will probably fit on my PC in a couple of years time!
What about network bandwidth? This begs the question, how often are you going to use your ID Card? Let's start off working from where we are today. How often do you need to prove your identity to a high level of certainty? Open a bank account? Apply for a credit card? Maybe 3-4 times a year, probably less.
Ok, let's assume the whole card population uses their card 4 times a year. That is 180,000,000 card accesses per year, which is 493,150 per day, which is 20,547 per hour, which is 342 per minute, which is 5.7 per second. A fair old whack, but nothing that will scare the world's greatest directory product (which, btw, has been benchmarked easily over 10,000 reads per second in a multi server environment, and even a single cpu server can support 1,000 reads per second.)
Yes, the network topography will be interesting, but that at least is do-able.
How much traffic would be transferred for each access? Tricky, but at the worst case, assuming we transfer the whole 100k profile for each interaction and we need another 100k for protocol and security, that gives us 36 terabytes per year, 100 gigabytes per day, 4 gigabytes per hour, 1 gigabyte a minute and 17 megabytes per second. That's a nice collection of T1 pipes, no big deal.
So, we're home and dry then? Well, not quite. There are two other things we need to consider. The audit trail and the increase in usage of this system.
Let's take a look at the audit. Every time you use the card the government wants to know. So your profile is going to get bigger. How big is an audit event? Could be anything from bytes to kbytes. If it is kbytes that storage is going to grow by perhaps 100% per year, maybe even 300-400%. So we could guesstimate storage requirements at 18 terabytes per year, at the 4 uses per citizen per year rate. No worries, might need a couple of extra Sun boxes, and I haven't mentioned backup and fail over and redundancy obviously.
What about the increase in usage of the card over time? Well, let's say we start tying the card to bank transactions, tube travel, bus and train tickets, congestion charging and toll booths. How often would you be using your card then? I reckon up to 10 times per day might be about on the money, perhaps even higher. What does that look like now?
Well, rather than 4 times a year the citizen is now using the card 3650 times a year. I won't bore you with more long maths, and assuming we're still auditing everything but based on the estimates above we now need...
Reads = 5200 per second
Network Bandwidth = 15 Gigabytes per second (You'd need 2,666 T3 lines working flat out)
1 Year's Audit = 1642.5 Terabytes (assuming an audit event is 10kbytes)
What makes these figures scary? The combination of an audit and the scale. Can't help thinking that this audit is going to be a little on the expensive side.
Hmmm. Just as well we bought StorageTek. Time to buy some shares in Cisco too! ;-)
( Oct 13 2005, 12:31:46 PM BST / Oct 13 2005, 11:13:03 AM BST )
Trackback: http://blogs.sun.com/Drew/entry/id_cards_and_the_nir2
Tuesday October 11, 2005
Sxip Identity 2.0 Preso
Far be it from me to promote another company here in my blog ;-), but Sxip Identity's Dick Hardt has made a fantastic preso which bears distribution as a standalone 'Where next for Identity'.
Essential viewing, and fun.
My favourite line is "And usernames and passwords are really cool! They prove you are....
( Oct 12 2005, 12:33:37 PM BST / Oct 11 2005, 05:37:44 PM BST )
Trackback: http://blogs.sun.com/Drew/entry/sxip_identity_2_0_preso
ID Cards and the NIR Part 2 - Basic Architectures
Basic Architectures.
Assuming for the time being that we have an ID Card and a Register, what architectures might we consider? Let's take the card itself first. Consider what would need to happen to Identify somebody holding a card. There are four basic alternatives...
1. The card is very simple, containing very little information other than a unique number which acts as a key on the register. All the biometric, data, and personal information would be held on the register.
Pros : Cards very cheap, need not be 'smart'. 'Easy' to perform the audit.
Cons : Everything depends on the network, including the validation of the card and identity check.
2. The card is very complex, containing most or all of the information required, and can provide a local validation capability without resorting to the register. No connection to the register other than at registration time.
Pros : No need for continuous network, cost of running the register much lower
Cons : No audit capability, no fall back if card verification fails
3. The card contains the validation and identity checking capability, but not the personal information. Personal information is held on the register.
Pros : Offline validation and identity checking, some auditing capability for access to data
Cons : Incomplete auditing (can't audit card validation)
4. The card contains all the information. It is a copy of a citizen's profile on the register.
Pros : Full Audit, Fall back in case of network failure
Cons : Expensive cards, synchronisation issues between card data and register
Now let's look at the Register. How could that work? Once again there are four basic alternatives.
1. The register is a single large store containing all the required information in one place.
Pros : Simple to administer, easy auditing, conceptually simple
Cons : Severe security issues, severe reliability issues, no privacy controls
2. The register is a distributed database similar to above, yet with many 'copies' of the register information held in different locations.
Pros : As above, though slightly less so. Better reliability than above
Cons : Same security issues (possibly worse with multiple targets), no privacy controls, data synchronisation problems
3. The register is a distributed database where different distributions hold separate sections of the data profile (Eg. address in one system, entitlements in another) linked by a master index pointing to the sections.
Pros : More secure (multiple attacks required to assemble a complete profile), some privacy controls could be provided
Cons : Tricky to audit (though not impossible), overall system at the mercy of multiple network links
4. The register is a federation of interconnected autonomous stores
Pros : Privacy enabled by design, High degree of security as individual stores would be autonomous, decentralised identity checking (no single point of attack)
Cons : No comprehensive audit possible as the stores are not directly connected, though individual stores will be auditable by their owners.
Federation is a bit of a tricky concept and so I'll explain that in a future article. Now I've introduced the basics, the next article will explain why some of these architectures will have to fall by the wayside when we start to consider the scale of the NIR and ID Card system...
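Register option 3 above (sections of a profile in separate stores, linked by a master index) can be sketched in a few lines to show why more than one breach is needed to assemble a complete profile. This is an added illustration, not a design from the Bill or from Sun: the three-way split, the HMAC-derived row keys and all sample records are assumptions made for the example. It also shows an entitlement check that touches only the entitlements store.

```python
"""Register option 3 in miniature: profile sections in separate stores, linked by a master index.
Added illustration; the HMAC-derived row keys are an assumed design, not from the Bill."""
import hashlib
import hmac
import secrets

SECTIONS = ("identity", "address", "entitlements")  # assumed split of a profile

# Constructed sample records.
CITIZENS = {
    "NIR-0001": {"identity": "A. Example", "address": "1 High St", "entitlements": ["nhs"]},
    "NIR-0002": {"identity": "B. Sample", "address": "2 Low Rd", "entitlements": ["nhs", "driving"]},
    "NIR-0003": {"identity": "C. Placeholder", "address": "3 Mid Ln", "entitlements": []},
}


class SharedKeyIndex:
    """Weak linking: every store uses the register number itself as its row key."""

    def row_key(self, register_no, section):
        return register_no


class MasterIndex:
    """Stronger linking: row keys differ per store and derive from a secret held
    only by the index, so two stores cannot be joined without it."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)

    def row_key(self, register_no, section):
        msg = f"{section}|{register_no}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()


def build_stores(index, citizens):
    """Split each profile into its sections and file each under that store's row key."""
    stores = {section: {} for section in SECTIONS}
    for register_no, profile in citizens.items():
        for section in SECTIONS:
            stores[section][index.row_key(register_no, section)] = profile[section]
    return stores


def assemble_profile(index, stores, register_no):
    """Only a party holding the index can pull the sections back together."""
    return {s: stores[s].get(index.row_key(register_no, s)) for s in SECTIONS}


def is_entitled(index, stores, register_no, service):
    """Entitlement check that reads the entitlements store and nothing else."""
    key = index.row_key(register_no, "entitlements")
    return service in stores["entitlements"].get(key, [])


def joinable_rows(dump_a, dump_b):
    """Rows of two leaked store dumps that can be matched on their keys alone."""
    return len(set(dump_a) & set(dump_b))


if __name__ == "__main__":
    index = MasterIndex()
    strong = build_stores(index, CITIZENS)
    weak = build_stores(SharedKeyIndex(), CITIZENS)
    print("joinable, shared keys :", joinable_rows(weak["identity"], weak["address"]))
    print("joinable, master index:", joinable_rows(strong["identity"], strong["address"]))
    print("NIR-0002 entitled to 'driving':", is_entitled(index, strong, "NIR-0002", "driving"))
```

The price is the one listed under the cons: every lookup now depends on the index being reachable, and the index itself becomes the component that most needs protecting and auditing.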
( Oct 11 2005, 03:44:39 PM BST / Oct 11 2005, 01:35:55 PM BST )
Trackback: http://blogs.sun.com/Drew/entry/id_cards_and_the_nir1
Monday October 10, 2005
ID Cards and the NIR Part 1 - Introduction
This is a big subject, but it won't come as much of a surprise that Sun has an interest in the ID (Identity) Card and the NIR (National Identity Register) from a technology solutions provider perspective; our expertise in both of these subject areas speaks for itself.
Whilst the greater part of this project will be in the process, training, distribution and production of the Cards, and the operation of the NIR itself, the technology to be employed bears examination, as many issues involved are not immediately straightforward or apparent. Also the technology employed will have a sizable effect on politics, privacy, citizen adoption and security. Where these effects exist, I will point them out.
Thus, I intend to write a series of articles examining the technology based on information in the public domain about the requirements of the ID Card and NIR System, in light of the fact the real requirements don't as yet exist! (Ref6)
-=-=-=-=-=-=-=-=-=-=-=-=-=-
Introduction
Let's examine the Bill (Ref1) itself as a starting point.
There appear to be 4 key areas.
1. An enrolment service, enabling the government to enrol citizens to a high degree of assurance. This includes biometric information; Iris recognition and fingerprints appear to be in vogue at the moment. Enrolment will be in person, i.e. face to face. This is likely to be the most common point of fraud or compromise based on evidence from other ID Card schemes.
2. The construction of a National Identity Register (NIR) which will be a "new, highly secure database holding basic personal information"(Ref1). As No2ID(Ref4) points out, that's "51 pieces of basic personal information" ;-), some of which is current, some historical. Entry to this NIR is subject to the enrolment above. Interesting that the word database is used by everyone involved, it's unlikely to be a 'database' in practice. ;-)
3. A Card, which contains none, some or all of the information on the NIR. The quantity of the data on the card will trade off with the cost of the card. It could range from a simple unique code, all the way to 4megs+ of data on the citizen, including photos and biometrics.
4. A verification service which allows a citizen to connect their card with the NIR. This verification will occur at a number of levels, right from 'Card is Valid' right up to 'Holder is entitled to this service'. This section has major implications for the architecture of the system, we will see this later on.
Alongside this are three other major themes regarding the card and its operation.
1. It's an Identity Card. Well Doh! Importantly, it includes a biometric check capability. The government points out that biometrics are absolutely unique (Ref3), which is true; however, it fails to mention that biometric checking does not enjoy quite the same level of confidence. The LSE report (Ref2) makes much mention of this. With 30-60 million people registered, even a checking accuracy of 99.9% isn't that great.
2. It's an Entitlement Card. It was in fact called an entitlement card up until 2003, but this has been replaced with 'Identity Card' due to pressure from the House of Lords. There has always been a tacit implication that to verify entitlement you must have established identity. Nobody, at least in print, seems to have realised this is not the case. Buying a train ticket entitles you to travel, yet contains no information about your identity. Likewise, access to the NHS does not actually require you to be identified, merely entitled. A simple point, but drastically important from a privacy perspective. The entitlement and identity information could still be present on the one card, but it doesn't have to be accessed together or associated with each other.
3. It generates an audit trail.
This is an interesting area. Whilst the audit is not written into the bill per se, it is inferred by the inclusion of historical data being stored on the Card/NIR, implying updates to the NIR and/or card. (Eg. Previous addresses, any use of the Card for application, modification or confirmation). The Government appears to require an audit trail of card usage. What they will do with this is a matter of extreme speculation, all the way from nothing at all, to the complete Orwellian state.
All of these themes affect the types of architecture that might be presented. In my next article I will analyse these.
Links and references
1. The Bill itself...
http://www.publications.parliament.uk/pa/cm200506/cmbills/049/06049.i-ii.html
2. The LSE Report which caused a ruckus in the press over the price of the 'Card'...
http://www.lse.ac.uk/collections/pressAndInformationOffice/newsAndEvents/archives/2005/IDCard_FinalReport.htm
3. Why you should have an ID Card, courtesy of the Home Office
http://www.homeoffice.gov.uk/passports-and-immigration/id-cards/why-we-need-id-cards/
A bit disappointing really. No detail on 'how' some of the assertions they make will be realised. Also interesting that they file this under 'Passport and Immigration' on their website.
4. Why you shouldn't have an ID Card, courtesy of No2ID
http://www.no2id.com/IDSchemes/whyNot.php
A vocal and well organised group who are "opposed to the government's planned ID card and National Identity Register." Does include some robust arguments worthy of attention and their 'interviews' with various ministers are most amusing.
5. Identity Press Coverage, courtesy of The Register.
http://www.theregister.co.uk/security/identity/
Needs little introduction from me. Well informed journos, now there's a thing!
6. "The very model of a modern labour minister" - A bit of fun, particularly if you like Gilbert and Sullivan; Like me.
http://eclectech.co.uk/clarkeidcards.php
( Oct 10 2005, 04:59:31 PM BST / Oct 10 2005, 03:37:25 PM BST )
Trackback: http://blogs.sun.com/Drew/entry/id_cards_and_the_nir
Monday February 07, 2005
When is Sarbanes Oxley not Sarbanes Oxley?
Answer: When it's in the UK.
A point of clarification first. As those of you who live in the land of the free doubtless already know, Sarbanes Oxley is a piece of legislation designed to provide a framework against the kind of 'imaginative' accounting used during the Enron scandal and similar events. It's a tough piece of legislation, difficult to implement and with the added benefit that if you make a mess of it, your CxOs will end up in jail.
Now, 'Sarbox' (as it is affectionately known, although it sounds more like a highly lethal virus...) also applies to any company with a representation on the American stock exchange, or a big number of US stock holders; thus big companies in the good old UK of GB will have to comply too, at a big cost. Already there have been grumblings in Europe, though that could be down to the sausages.
More interesting for us UK chaps, is the upcoming 'UK Companies Act', which bears more than a striking resemblance to the Sarbanes Oxley legislation. The big difference is this though. If you muck up Sarbox in the US you will end up in jail, your career in tatters and your company facing big fines. If you muck up the UK Companies Act you might, well, almost certainly, get a visit from the chaps upstairs and a sharp ticking off.
How much the UK will end up spending on legislative compliance remains to be seen. After all, you're not going to spend a whole bunch of money on a system to help you achieve legislative compliance when the only risk you're running is being summoned to an informal drinkie with the boss...
( Feb 07 2005, 04:48:59 PM GMT / Feb 07 2005, 04:26:36 PM GMT )
Trackback: http://blogs.sun.com/Drew/entry/when_is_sarbanes_oxley_not
Tuesday January 04, 2005
You don't need your Passport anymore!
Well I don't think many of us were that surprised by the news that Microsoft has retired its Passport partner program following the recent news that EBay has decided to go its own route on sign on to its services.
I think any organisation would rather keep control of its own user population and be directly responsible for their authentication and security in some fashion, rather than giving control away to a 'gatekeeper' of some sort, regardless of who it might be.
A notable moment for the Liberty Alliance though, and a ratification that open standards once again prove to be the best way forward for all. IBM has joined Liberty recently, will we shortly see Redmond signing paper too? Let's hope so, they could add quite a bit of expertise!
( Jan 04 2005, 12:24:36 PM GMT / Jan 04 2005, 12:19:58 PM GMT )
Trackback: http://blogs.sun.com/Drew/entry/you_don_t_need_your