Following up on the Ooops and the Dead Cert points below, it’s perhaps worth thinking about two points regarding digital certificates:
1) Is the policy wrong? We have different levels of authentication required for different transactions, laid out in a comprehensive policy. The policy also gave the ball to commercial enterprises to stimulate the market for certificates, rather than taking the (perhaps easier) route of central issuance. Differing levels is probably right. Government issuance is probably wrong, although time will tell. There are other countries (notably New Zealand and Australia) who have tried it – NZ abandoned the project and, last time I checked about 8 months ago, Aus had issued a few thousand certs (to businesses only, on a base of over 1 million businesses). Viacode is gone, a victim of the Post Office’s need to bring costs under control. Others are coming into the market though – Equifax last year, BT any day now.
2) Is the technology wrong? Digital certificates in the browser make sense. The whole point of plug-ins (I thought) was that they were largely transparent to the user. I have Flash installed in mine and whenever a website with Flash in it comes up, it’s all taken care of. Maybe certificates are more complicated, but maybe there’s more thought needed from the vendor community about how to make them easy? After all, since we put the Gateway live we’ve iterated through 2 or maybe even 3 versions of the main browsers – but no changes to the way certificates operate.
Just some more thoughts.