Peter,

I strongly concur with you on this. Here are a couple of other thoughts.

During the .COM era I launched a concept called BizID.com - where you can do lots of personal identity things using XML. The key difference is one of accountability and control. BizID as built puts *you* in control. You determine who sees your information, when and how. It's a distributed model of course - so you have a local BizID service provider, and BizID supports multiple personae - since you need different use profiles for your information; even cross-border international use is supported in the BizID model.

Here in the USA corporations own your information - not you. So BizID is a radical departure - allowing you to maintain complete control over your information - all the corporation gets is your BizID. This model fits much better with the EU model of privacy.

Now it seems that the whole notion of BizID is getting revived again - around our current work with the EPR project (see the OASIS BCM/EPR on Kavi, and this overview:

The particular focus is one of "digital bags" - and particularly in the context of eHealthcare.

Dan Pattyn presented an excellent set of PPT slides on this at the forum in New Orleans - see here:

If someone is interested in hosting the BizID server and doing some pilot project with this - we have the software developed and we can certainly knock the dust off it and re-deploy it.

Thanks, DW
----- Original Message -----
Sent: Wednesday, May 05, 2004 1:48 AM
Subject: RE: [egov] HUNGARIAN INITIATIVE
My first reaction was: is this a product pitch? Closely followed by my second reaction: is this timed deliberately to coincide with Google's IPO?

The concept and infrastructure "seem" (qualified because some phrases are not entirely clear in this English translation) quite attractive, certainly in terms of replying to defined needs: an authenticated online citizen identity. However, there are a few things that trouble me (as well as the commercial questions):

- like Anders, I am concerned about the authority of the "guardian" of personal information spaces. But I would go further: there is a big question of responsibility and liability. Bluntly stated, I can sue an ISP if it lost my data, allowed unauthorised access, or allowed my identity to be stolen, provided I set the contract up adequately. A citizen cannot however sue a government or hold it liable [1]. This is a commercial ISP acting under the authority of a public administration, and would presumably have very limited liability in cases of ID theft. That makes me worried;

- the system architecture diagram refers to "Internet/Anynet", but there is no evidence of how the system might handle a non-Internet transaction: for example - authenticating a user ID by challenge/response via a mobile phone in order to authorise a transfer of personal data between two systems ("this is 'me' authorising the transfer of my annual tax return, from my personal space - where it is drafted and stored - to the tax authority, while on the end of a phone line on holiday"....it's more or less a use case that I've heard several times in the last few days). Without meaning to be too negative: it sounds very good, but I lack details on the specs being proposed. Or is it a proprietary black box? In which case, why not just use other DRM solutions?

- this does look like an over-centralised model, ultimately doomed if at all based on proprietary specs. It would be far healthier to see the Hungarian government, or any other, look at SAML (an OASIS spec) together with the work being done on "network identity" by the Liberty Alliance. Given the range of vendors and users (=govt agencies) involved there, this would seem to be a better bet. It would certainly be interesting to see their reaction: this Hungarian example *might* be exactly the sort of proof of concept that they are looking for, in which case I'll eat my words of caution;

- the Hungarian Government is proposing to offer this service free as a basic citizenship right? Wow...but as the company owns the patents, the phrase "proprietary lock-in" comes to mind. What guarantees do the government have for continuity of service? DNS persistence (will they, or the company, administer the namespaces?)? How are the authentication requirement levels determined, and by whom?

I think what I'm coming to, in answering John's specific question, is: no, we shouldn't add it to the eGov project list, except perhaps to flag and signpost existing OASIS and other open specs as best practice; and caution buy-in to any black box solution.

Peter

[1] I had a very interesting discussion today at SUN in California with Simon Nicholson, former OASIS board member and ebXML chair, and currently SUN's lead in the Liberty Alliance [2], during which we discussed precisely these sorts of problems of "network identity".
Colleagues

Please see the attached project outline from a contact in Hungary. I would welcome any observations you may have on this initiative and also views on whether we should add it to our TC project list.

John
----- Forwarded by John Borras/e-Envoy/CabinetOffice on 03/05/2004 10:55 -----
From: "Kakuk Ilona" <ilonakakuk@axelero.hu>
Date: 25/03/2004 12:25
To: "John Borras" <john.borras@e-envoy.gsi.gov.uk>
cc: "Andrew Pinder" <andrew.pinder@e-envoy.gsi.gov.uk>
Subject:
Dear Mr Andrew Pinder and Mr John Borras!

We met you, Mr Pinder, in Hungary last week. I gave you a short description of our Hungarian logical egovernment model concept, which we call "Documents Works", based on the "eSzéf" (Electronic safe) technology.

This model solves a number of questions of today's problems and models of egovernment public services, and creates an egovernment service layer between the government and citizens and business entities, providing private security for personal data and transactions, and a hierarchical private authentication system which satisfies even the strongest legal requirements in EU states.

I hope you could look over the description.

We offer to collaborate with you in this project, and to make a common EU project based on your results and on our concept.

If you need further information, please feel free to contact me.

Furthermore, my company is the project manager for a project called here "KEIR", which is a project for standardisation of governmental records handling and management. Please give me some information if you run similar projects or have results in that field.

With thanks,
Mrs Ilona Kakuk
general manager
LogiSter Ltd
+36-20-444 3980
ilonakakuk@axelero.hu
www.logister.hu
______________________________________________________________________ This
email has been scanned by the MessageLabs Email Security System. For more
information please visit http://www.messagelabs.com/email
______________________________________________________________________