WELLINGTON (11/13/2003) - The New Zealand e-government unit is looking for technology and relationships with suppliers for its all-of-government authentication solution, even though Cabinet has not yet approved its implementation.
Work on centralized authentication has so far concentrated on policy and process questions, says the unit's acting head, Bethia Gibson. "Now it is time to start looking at technology and to factor in the next level of detail."
The government approved the design phase of a centralized authentication mechanism that will hold minimal information about users, following a marked preference for this model from those consulted.
However, the definition of "whole of government" authentication is still flexible, says the e-government unit. It may mean a single central authentication infrastructure or "standards that agencies will use to implement authentication solutions as needed", says Gibson.
Asked about the apparent move away from the expressed preference of the sampled prospective users, she acknowledges their preference for a centralized solution and says this influenced the design. The final decision on whether to implement a fully centralized or distributed approach to authentication is for Cabinet to make, she notes.
The e-government unit's request for information (RFI) says a centralized infrastructure represents a potential single point of failure and an additional step in the process of obtaining services, suggesting that an authentication capability at each agency would not present these problems. On the other hand, a centralized infrastructure allows for one-time implementation and cuts agencies' compliance costs.
The RFI identifies four levels of authentication:
-- anonymous, where no identification is required; for example, browsing information about a government service;
-- pseudonymous, where the user does not provide a key that can be attached to their real identity, but a name to allow the system to recognize the same person on a subsequent occasion;
-- identified, where the user's identity is verified as a prelude to an entitlement to use certain services, such as Internet banking;
-- verified, for applications requiring "strong" authentication, for example, accessing an individual's medical records.
A user may have several authentication keys for different purposes and at different levels, but all have to refer to a single "ID Credential". The RFI suggests each credential should include name, gender, and date and place of birth. To protect privacy, the government has mandated that an agency providing a service cannot obtain an ID credential directly from the "authentication agency", but must ask the user to release it to them. The user must also be able to authenticate the agency to ensure, for example, that an independent party is not setting up a spoof Web site to collect client information.
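The release model in the preceding paragraph, together with the four levels listed above, as an added illustration that is not part of the article or of the e-government unit's design: a small Python model in which an authentication agency holds the minimal ID credential, refuses any direct request from a service agency, signs a release only when the user asks for it, and lets the user challenge an agency before anything is released. The class names, the mapping from a user's keys to levels, the per-agency pseudonym issued below the "identified" level, and the use of HMAC in place of a digital signature are all assumptions made for this example; a real deployment would use asymmetric signatures so that agencies could verify a release without holding the authority's key.

```python
import hmac
import json
import secrets

LEVELS = ("anonymous", "pseudonymous", "identified", "verified")  # RFI levels, weakest first

def meets_level(have, need):
    """True if a key at level `have` satisfies a service that needs `need`."""
    return LEVELS.index(have) >= LEVELS.index(need)

def _mac(key, data):
    return hmac.new(key, data, "sha256").hexdigest()

class AuthenticationAgency:  # holds the minimal ID credential; releases it only at the user's request
    def __init__(self):
        self._release_key = secrets.token_bytes(32)  # HMAC stands in for a signing key here
        self._credentials, self._user_keys, self._agency_keys = {}, {}, {}

    def register_user(self, user_id, credential, keys):
        self._credentials[user_id] = credential  # name, gender, date and place of birth
        self._user_keys[user_id] = keys          # {purpose: level}: several keys, one credential

    def register_agency(self, agency_id):
        self._agency_keys[agency_id] = key = secrets.token_bytes(32)
        return key

    def lookup_credential(self, requester, user_id):
        # RFI rule: an agency cannot pull the credential directly, only via the user.
        raise PermissionError(f"{requester} must ask the user to release it")

    def check_agency(self, agency_id, challenge, response):
        # Lets the user confirm an agency is genuine before releasing anything.
        key = self._agency_keys.get(agency_id)
        return key is not None and hmac.compare_digest(_mac(key, challenge), response)

    def issue_release(self, user_id, purpose, audience):
        # Called by the user, who has authenticated with the key for `purpose`.
        level = self._user_keys[user_id][purpose]
        payload = {"sub": user_id, "aud": audience, "level": level, "nonce": secrets.token_hex(8)}
        if meets_level(level, "identified"):
            payload["credential"] = self._credentials[user_id]
        else:  # pseudonymous: per-agency handle, same person next time, no real identity
            payload["pseudonym"] = _mac(self._release_key, f"{user_id}|{audience}".encode())[:16]
        body = json.dumps(payload, sort_keys=True)
        return {"body": body, "tag": _mac(self._release_key, body.encode())}

    def verify_release(self, release):
        return hmac.compare_digest(_mac(self._release_key, release["body"].encode()), release["tag"])

class ServiceAgency:
    def __init__(self, agency_id, authority, required_level):
        self.agency_id, self.authority, self.required_level = agency_id, authority, required_level
        self._key = authority.register_agency(agency_id)

    def prove_identity(self, challenge):
        return _mac(self._key, challenge)

    def accept_release(self, release):
        # The released identity if genuine, addressed to this agency, and strong enough.
        if not self.authority.verify_release(release):
            return None
        payload = json.loads(release["body"])
        if payload["aud"] != self.agency_id or not meets_level(payload["level"], self.required_level):
            return None
        return payload.get("credential") or {"pseudonym": payload["pseudonym"]}

class User:
    def __init__(self, user_id, authority):
        self.user_id, self.authority = user_id, authority

    def release_to(self, agency, purpose):
        # Authenticate the agency first; only then ask the authority to release.
        challenge = secrets.token_bytes(16)
        if not self.authority.check_agency(agency.agency_id, challenge, agency.prove_identity(challenge)):
            return None  # spoof site: nothing is released
        return self.authority.issue_release(self.user_id, purpose, agency.agency_id)

def demo():
    # Constructed scenario: one user with two keys, two agencies, and one spoof site.
    authority = AuthenticationAgency()
    authority.register_user("u1", {"name": "A. Citizen", "gender": "F", "dob": "1970-01-01",
                                   "pob": "Wellington"}, {"library": "pseudonymous", "health": "verified"})
    library = ServiceAgency("library", authority, "pseudonymous")
    health = ServiceAgency("health", authority, "verified")
    spoof = ServiceAgency("health", AuthenticationAgency(), "verified")  # unknown to the real authority
    user = User("u1", authority)
    try:
        authority.lookup_credential("health", "u1")
        refused = False
    except PermissionError:
        refused = True
    lib_release = user.release_to(library, "library")
    return {
        "direct_lookup_refused": refused,
        "health_with_verified_key": health.accept_release(user.release_to(health, "health")),
        "health_with_pseudonymous_key": health.accept_release(user.release_to(health, "library")),
        "library_sees_only_pseudonym": library.accept_release(lib_release),
        "library_release_replayed_to_health": health.accept_release(lib_release),
        "spoof_agency_gets_release": user.release_to(spoof, "health"),
    }
```

Running `demo()` shows the properties the RFI describes: the health agency's direct lookup is refused, a release made with the "verified" key satisfies it while the "pseudonymous" key does not, the library sees only a per-agency pseudonym, a release addressed to the library is useless to the health agency, and a site posing as the health agency fails the user's challenge and receives nothing.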
The RFI, unusually, won't necessarily be the forerunner to a request for proposal and tender.
"The purpose of this RFI is to open a dialog with industry and other communities of interest, to ensure to the maximum extent possible that industry input and comments are given proper and due consideration in development of the authentication design."
The RFI is also expected to allow the SSC (State Services Commission) to complete indicative costings of the final authentication design. Potential providers are asked to comment on a wide range of factors, including protocol and browser weaknesses, and Internet risks such as denial-of-service attacks.
Information is requested on the feasibility of a future single sign-on to use several services in one session, and the potential of a government authentication infrastructure for use outside government "to ensure that we allow for future opportunities to scale the solution to meet the needs of all New Zealand", Gibson says.
Providers are asked to rate the government's authentication design against those overseas.