Single Sign-On in Government

Phillip Windley blogs on single sign-on for his e-Government applications. Interestingly, I dipped my toes into something similar here in the UK, and it is interesting to see the differences.

1. Phillip mentions the need to support Screenname and Passport alongside his own internal authentication. Passport is not terribly popular on this side of the ocean, which in e-government applications may have something to do with the fact that it has been investigated for potential data protection problems by the European Commission. AOL is not as big here as in the US and, on top of that, it has not signed up to Safe Harbor, therefore no Screenname support.

2. Instead of using outside authentication services of dubious security, the Govt has pioneered a thing called Government Gateway, which, amongst other services, provides single sign-on for all e-government applications. Gateway is quite an innovative and unique service. The US administration is considering the development of such a service (I can’t find the link from last week) a whole two years after it was launched here.

Gateway developers and the security authority have gone to great lengths to provide appropriate security (username/password or certificate/password can be used). However, after two years of experimentation it has turned out that usability and adoption are bigger problems than security. What is a secure service good for when nobody uses it? So instead of security, government departments, which have target numbers of users to attract before 2005, are pondering ways to make e-government applications easier to use and to provide them through non-traditional channels such as banks, accounting software packages, commercial portals etc. And into this world Passport fits much better. So it is quite possible that after MS corrects the data protection issues and connects it to the VISA payment authorisation network, citizens of both countries will meet at MSFT’s doorstep.

3. The distinction between authentication and authorisation seems to be clear on both sides of the pond. You can use an external authentication service, but with the current state of technology authorisation details need to be held in-house. The funny thing is that this requires virtually the same infrastructure (i.e. a directory) as authentication, so you don’t save anything by using an external service. What’s more, external authentication requires substantial integration effort for only a small outcome: single sign-on.
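To make the split described in point 3 concrete, here is an added example (not code from the post, from Government Gateway or from Passport) of a department application that accepts an identity assertion from an external authentication service but keeps every authorisation decision in its own directory. The token format, the shared HMAC key, the issuer name and the directory contents are all constructed for the illustration; real services use their own formats. The point it shows is that even with authentication outsourced, the department still has to keep a directory keyed by the same subject identifier, and that an authenticated user unknown to that directory gets nothing.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

# Constructed values standing in for the external authentication service
# (assumption: a simple HMAC-signed assertion, not any real Passport/Gateway format).
EXTERNAL_AUTH_KEY = b"constructed-demo-signing-key"
EXTERNAL_ISSUER = "external-auth.example"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(subject: str, now: int, ttl: int = 300) -> str:
    """What the external service hands back after a successful login: a signed
    statement of who the user is, carrying nothing about what they may do."""
    claims = {"iss": EXTERNAL_ISSUER, "sub": subject, "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(EXTERNAL_AUTH_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_assertion(token: str, now: int) -> Optional[str]:
    """Authentication step: trust the external identity claim only if the
    signature, issuer and expiry all check out. Returns the subject or None."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(EXTERNAL_AUTH_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered payload or signature
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if claims.get("iss") != EXTERNAL_ISSUER or claims.get("exp", 0) <= now:
        return None  # wrong issuer or expired
    return claims.get("sub")


# The in-house directory the post says each department must keep anyway
# (constructed sample): external subject -> service -> permitted actions.
LOCAL_DIRECTORY = {
    "alice@example.invalid": {"tax:self-assessment": {"read", "submit"}},
    "bob@example.invalid": {"tax:self-assessment": {"read"}},
}


def authorise(subject: str, service: str, action: str) -> bool:
    """Authorisation step, decided entirely from local data."""
    entitlements = LOCAL_DIRECTORY.get(subject)
    if entitlements is None:
        return False  # authenticated externally, but unknown to this department
    return action in entitlements.get(service, set())


def handle_request(token: str, service: str, action: str, now: int) -> str:
    """Full flow: external authentication, then local authorisation.
    Returns 'unauthenticated', 'forbidden' or 'ok'."""
    subject = verify_assertion(token, now)
    if subject is None:
        return "unauthenticated"
    if not authorise(subject, service, action):
        return "forbidden"
    return "ok"


if __name__ == "__main__":
    now = 1_700_000_000
    token = issue_assertion("alice@example.invalid", now)
    print(handle_request(token, "tax:self-assessment", "submit", now))
    print(handle_request(token, "tax:self-assessment", "submit", now + 600))
```

The directory lookup in `authorise` is the piece that cannot be outsourced: the external service can say "this is alice", but only the department knows whether alice may submit a return, so the department still maintains a per-subject store regardless of who performs the login.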
