The Government Gateway has been designed to follow standards and allow people to use the computer system and browser of their choice. Nothing in the design is proprietary, but because people need to be confident that they can trust their electronic communications with government, there are some stringent security requirements.
Registering with the Government Gateway and enrolling for specific services requires the HTTPS protocol with 128-bit (or better) encryption. This guarantees the confidentiality of the process and enables the client to verify that they are communicating with the Government Gateway. However, it provides no authentication of the client to the Gateway.
Clients can be authenticated to the Gateway in one of two ways:
- Using a password of the user’s choosing (a user ID will then be sent in the post to an address already registered with government);
- Presenting a digital certificate.
The second method is preferred (and required for some transactions), but it depends on the client having commercially available PKI software already installed and on the user obtaining an X.509 certificate. Currently, the Gateway has an agreement with Equifax to provide digital certificates. We have been advised that ChamberSign certificates (developed by Viacode) are no longer available for purchase. Any ChamberSign certificates that have already been purchased are still valid and can be used on the Government Gateway until their expiry date. Please contact the British Chamber of Commerce for more information by visiting the ChamberSign website. The existing ChamberSign and Equifax software equates to tScheme level 2.
The commercial package will typically generate the private-public key pair locally on the user’s PC and then export the public key to the chosen certificate provider for incorporation in the user’s certificate. However, possession of a digital certificate does not authenticate a user. The user needs to establish rights to a service and subsequently provide a signature to demonstrate that they are still in possession of the correct private key.
The technique currently used by the Gateway to authenticate the client is to request that an XML object be signed.
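The distinction drawn above, between holding a certificate and proving possession of its private key by signing a fresh object, is shown in the following added example, which is not Gateway code. It assumes a hypothetical `<Challenge>` document and signs its exact bytes rather than using a full XML signature format; all function and element names are illustrative.

```javascript
// Added illustration, not the Gateway's real message format or code.
const crypto = require('crypto');

// Client: the key pair is generated locally; only the public key is exported.
function newKeyPair() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Server: issue a single-use XML challenge (hypothetical element names).
// userId is assumed to be alphanumeric, so no XML escaping is needed here.
function issueChallenge(pending, userId) {
  const nonce = crypto.randomBytes(16).toString('hex');
  pending.set(nonce, userId);
  return `<Challenge><User>${userId}</User><Nonce>${nonce}</Nonce></Challenge>`;
}

// Client: sign the exact bytes of the challenge with the private key.
function signChallenge(privateKey, xml) {
  return crypto.sign('sha256', Buffer.from(xml, 'utf8'), privateKey);
}

// Server: accept only a fresh challenge signed by the enrolled user's key.
function verifyResponse(pending, enrolled, xml, signature) {
  const m = /^<Challenge><User>([A-Za-z0-9]+)<\/User><Nonce>([0-9a-f]{32})<\/Nonce><\/Challenge>$/.exec(xml);
  if (!m) return 'malformed';
  const [, userId, nonce] = m;
  if (pending.get(nonce) !== userId) return 'unknown-or-replayed';
  pending.delete(nonce); // a challenge is consumed whether or not it verifies
  const publicKey = enrolled.get(userId); // taken from the enrolled certificate
  if (!publicKey) return 'not-enrolled';
  const ok = crypto.verify('sha256', Buffer.from(xml, 'utf8'), publicKey, signature);
  return ok ? 'ok' : 'bad-signature';
}

// Constructed scenario: one enrolled user and one unrelated key pair.
function demo() {
  const pending = new Map(), enrolled = new Map();
  const user = newKeyPair(), other = newKeyPair();
  enrolled.set('user1', user.publicKey);
  const c1 = issueChallenge(pending, 'user1');
  const s1 = signChallenge(user.privateKey, c1);
  const first = verifyResponse(pending, enrolled, c1, s1);
  const replay = verifyResponse(pending, enrolled, c1, s1);
  const c2 = issueChallenge(pending, 'user1');
  const wrongKey = verifyResponse(pending, enrolled, c2, signChallenge(other.privateKey, c2));
  return { first, replay, wrongKey };
}
```

The `wrongKey` case is the one the text warns about: the certificate is public, so only a signature made with the matching private key over a fresh challenge authenticates the user.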
The first challenge is that, although standards are followed in that Java applets are signed with X.509 certificates, the mechanism used to package and sign the applets is proprietary. For example, Microsoft uses a cab file and signs it using MS Authenticode, whereas Netscape uses a jar file and signs it with NS Object Signing technology. Consequently, separately packaged applets have to be created for each browser, and each package has to be signed with a separate certificate.
The second challenge is the availability of packages to manage certificates on platforms other than Microsoft Windows. Such packages also need to support APIs that can be accessed by Java applets.
Broadly, the consequences of the above are that:
- IE 4.01 and above work under Windows (95, NT4 or above) with ChamberSign certificates;
- IE 5.01 and above work under Windows (95, NT4 or above) with Equifax certificates;
- Netscape 4.08 and above (but excluding Netscape 6 and 7) work under Windows (95, NT4 or above) with ChamberSign certificates.
The issue is not about being vendor neutral; rather, it is a problem with the way standards are implemented by vendors and a lack of offerings to manage digital certificates.
Other browsers (running under Windows, Unix or Linux) can provide the required SSL connectivity, but the ability to manage certificates on open source platforms needs investigating. The Office of the e-Envoy will be funding some activity by the open source community to address this issue.
The security model described above meets the design objectives; if alternatives are proposed, they will also be considered.
The Government Gateway supports the following browser and platform combinations:
- PC or Macintosh;
- A working internet connection.
Software - PC users
- Operating system:
  - Microsoft Windows 95 and above;
  - Windows NT 4 and above;
  - Linux (Red Hat - both Gnome and KDE) v7.1.
- Internet browser:
  - Microsoft Internet Explorer (v4.01 or later) – Windows;
  - Mozilla (v0.9.1) – Linux. Please note that the browser often identifies the site as insecure. The problem is with Mozilla’s padlock function and does not reflect the status of security on the Gateway;
  - Netscape Navigator (v4.08 or later) - Windows or Linux;
  - Opera (v5) - Linux.
Please note: If a user wishes to enrol for services that require a digital certificate, they may not be able to use the full range of browsers listed above. For example, Equifax certificates can currently only be used with Internet Explorer 5.01 or later (they do not work on any version of the Netscape browser); ChamberSign certificates, issued to date, can be used with both Netscape Navigator and Internet Explorer, except they are not currently supported on version 6 of the Netscape browser. Please check the certificate provider's website for more information about which browsers they support.
Software - Apple Macintosh users
- Operating system:
  - Mac OS (v7.5 or later).
- Internet browser:
  - Microsoft Internet Explorer (v5.0 or later);
  - Netscape Navigator (v4.08 or later).
Please note: Although you can access the Government Gateway website with these browsers, ChamberSign and Equifax digital certificates are not supported on the Macintosh. Macintosh users can currently only register for government services that require a user ID and password, not services that require a digital certificate (such as the Electronic VAT Return or IACS Area Aid Application).
Other operating systems and browsers will be tested as soon as possible; to meet the highest demand, the most popular ones have been tested first.
A week of ukonline.gov.uk statistics shows a clear breakdown of operating systems and browser types and versions.
The most popular browsers are Internet Explorer 5 and Netscape 4. The most popular operating systems are Windows 98 and Windows NT, followed closely by Windows 95.
Figures are shown as a percentage of total hits (objects retrieved), of which there were 2.5 million in a one-week period during autumn 2001.