The industry is keen on open standards when it comes to authentication technology for accessing government services online.
A large number of the respondents to a request for information (RFI) put out by the government cited either SAML (Security Assertion Markup Language), an XML-based security standard for exchanging authentication, attribute and authorisation information, or XML itself, as a ready-made base for the authentication technology.
A number also cited the Liberty Alliance’s specification, a federated identity framework defined by a broad-ranging consortium of software developers, communications companies and users such as banks and credit companies. The alliance was formed to develop an open-standard alternative to Microsoft’s Passport authentication scheme.
Other potential suppliers advanced suggestions based on public-key cryptography.
The open standards/open source proponents noted that the government need not specify particular components or application programming interfaces (APIs) as long as the chosen standards are complied with. Additional components that comply with those standards can then be developed by the individual agencies that require them.
Most respondents approved of the separation of the access key (what a user presents to log in) from the “identity credential” (the record of who that user is), an idea that formed a central point of the e-government unit’s preliminary specification. This allows a user to hold several keys for different applications, each with a different level of security, while all of them refer back to a single identity record.
The RFI replies brought no consensus on the merits of a centralised authentication facility as against a distributed architecture with a number of separate facilities, perhaps one at each agency.
Public submissions last year came in heavily in favour of a single centralised agency, but proponents of the distributed idea point out that centralisation presents a single point of failure, and that a compromise of the central database would affect every agency relying on it. Distributed systems are also inherently more efficient, they claim, and would lessen the work that the State Services Commission would have to do centrally.
The centralisation champions point to the “operational management problems” of keeping information consistent across a number of sites. A single facility would be easier to tune for performance and to hold to agreed service levels, they say.
As for the actual key mechanism, most respondents see a simple identifier and password as adequate for all but the most sensitive applications, while others prefer “two-factor” authentication, for example a password combined with a physical identifying token such as a card.
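To make concrete the two design points reported above (one identity record behind several access keys of differing security levels, and password-only versus password-plus-token keys), the following is an added example written for this article, not code from the RFI, the e-government unit or any respondent. The assurance levels, the PBKDF2 password hashing, the HMAC challenge-response standing in for a physical card, and every name in it are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Assumed assurance levels; the article names no specific scheme.
LEVEL_PASSWORD = 1     # identifier plus password
LEVEL_TWO_FACTOR = 2   # password plus a physical token such as a card


@dataclass
class IdentityRecord:
    """The single identity record every key refers back to. Holds no secrets."""
    identity_id: str
    display_name: str


@dataclass
class AccessKey:
    """An access key: what the user presents. Several may point at one identity."""
    key_id: str
    identity_id: str
    level: int
    salt: bytes
    password_hash: bytes
    token_secret: Optional[bytes] = None  # set only for two-factor keys


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example self-contained; it is an assumption, not the RFI's choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def card_response(token_secret: bytes, challenge: bytes) -> bytes:
    """Simulates the physical token answering a challenge (assumed HMAC scheme)."""
    return hmac.new(token_secret, challenge, hashlib.sha256).digest()


class AuthenticationFacility:
    """Keeps identity records and access keys in separate stores."""

    def __init__(self) -> None:
        self.identities: dict[str, IdentityRecord] = {}
        self.keys: dict[str, AccessKey] = {}

    def add_identity(self, identity_id: str, display_name: str) -> None:
        self.identities[identity_id] = IdentityRecord(identity_id, display_name)

    def issue_key(self, key_id: str, identity_id: str, password: str,
                  token_secret: Optional[bytes] = None) -> AccessKey:
        if identity_id not in self.identities:
            raise KeyError(f"no identity record {identity_id!r}")
        salt = os.urandom(16)
        level = LEVEL_TWO_FACTOR if token_secret else LEVEL_PASSWORD
        key = AccessKey(key_id, identity_id, level, salt,
                        hash_password(password, salt), token_secret)
        self.keys[key_id] = key
        return key

    def new_challenge(self) -> bytes:
        return os.urandom(32)

    def authenticate(self, key_id: str, password: str, required_level: int,
                     challenge: Optional[bytes] = None,
                     token_response: Optional[bytes] = None) -> Optional[IdentityRecord]:
        """Returns the identity record on success, None on any failure."""
        key = self.keys.get(key_id)
        if key is None:
            return None
        # Refuse before checking secrets: a low-assurance key must never unlock an
        # application that demands a higher level, however correct the password is.
        if key.level < required_level:
            return None
        if not hmac.compare_digest(hash_password(password, key.salt), key.password_hash):
            return None
        if key.token_secret is not None:
            if challenge is None or token_response is None:
                return None
            expected = card_response(key.token_secret, challenge)
            if not hmac.compare_digest(expected, token_response):
                return None
        return self.identities.get(key.identity_id)


def demo() -> dict:
    """Constructed scenario: one identity, two keys at different levels."""
    facility = AuthenticationFacility()
    facility.add_identity("id-1001", "A. Citizen")
    facility.issue_key("web-login", "id-1001", "correct horse")
    card_secret = os.urandom(32)
    facility.issue_key("card-login", "id-1001", "battery staple", token_secret=card_secret)
    challenge = facility.new_challenge()
    return {
        "password_key_low_app": facility.authenticate("web-login", "correct horse", LEVEL_PASSWORD),
        "password_key_high_app": facility.authenticate("web-login", "correct horse", LEVEL_TWO_FACTOR),
        "card_key_high_app": facility.authenticate(
            "card-login", "battery staple", LEVEL_TWO_FACTOR,
            challenge, card_response(card_secret, challenge)),
        "card_key_bad_response": facility.authenticate(
            "card-login", "battery staple", LEVEL_TWO_FACTOR, challenge, b"\x00" * 32),
        "wrong_password": facility.authenticate("web-login", "wrong", LEVEL_PASSWORD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point to notice is that the application never sees a password hash or a card secret: it states the level it requires, and the facility resolves whichever key was presented to the one identity record. The level check runs before any secret is compared, so a correctly entered password on a password-only key still cannot open a two-factor application.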