Customs and Excise Electronic Returns

Ben Laurie ben at
Wed Sep 29 08:05:52 EDT 2004

Background, for non-Brits: Customs & Excise (C&E) is the government 
department responsible for collecting VAT (Value Added Tax), which is a 
European sales tax. Businesses report their VAT transactions quarterly 
to C&E, currently mostly on paper (a one page form, amazingly) - this is 
known as a VAT return.

For some time, C&E has been encouraging electronic VAT returns 
(cunningly named eVAT), but until recently required the use of an X509 
client certificate to submit.

Presumably this has proved unpopular, since they are now permitting good 
old username/password to be used. But they seem to be a little confused...

 From the eVAT FAQ 

"Which is more secure – using a Digital Certificate or User ID & Password?

Both methods are secure, but they work in different ways."

 From the Government Gateway Help pages 

"Certificates provide a higher level of security, which is required for 
certain services."

Nothing like singing from the same songsheet, eh?

Anyway, it gets better. Three types of certificate are permitted, 
SecureMark, SimplySign or Trust Services. Again from the eVAT FAQ:

"   * SecureMark and Chamber SimplySign certificates can be used with 
either Internet Explorer 5.01 or higher, or Netscape Navigator.
     * Trust Services’ certificates work with Microsoft Internet 
Explorer 5.0 or later and Netscape v 4.6 or higher (but not v6 or 7).
     * certificates can be used with Internet Explorer 5.01 or higher or 
Netscape Navigator 4.08 or later (but not v6 or 7). "

I dunno about you, but this is not exactly clear to me. Leaving that 
aside, let's look at the various CAs...

SecureMark,  on a page amusingly titled "Does your Netscape Browser meet 
the minimum requirements?" 

"the minimum system requirements are:

Windows 95 or NT 4 (SP3) or higher
Internet Explorer version 5.01 or above
128-bit cipher strength"

I guess the answe will be "no", then! (My browser was Firefox, 

SimplySign - seems they actually admit that "Netscape" might work. But...

"To make sure that your browser works with Trustis certificates the 
'Trustis FPS Root CA' certificate should be installed. There is no 
danger in doing this and no programs will be downloaded to your computer."

No, of course, installing root CAs in your browser has no security 
implications whatever. And of course, you have to have the root CA to 
use a client cert. Not.

As for Trust Services. Well, I can't find them through Google (at least, 
not the one they had in mind) but much meandering around FAQs eventually 
yielded a link - turns out its BT and Verisign, but ... oops! "Note: 
Inland Revenue services have not yet been upgraded to allow the use of 
BT ID Certificates". So much for a simpler user experience.

Oh yeah, another gem from the eVAT FAQ:

"The Government Gateway and Digital Certificate authorities do not 
currently support the use of Digital Certificates on Apple Macintosh"

Well, of course not, because everyone knows that Apple X.509 is 
completely different from Microsoft X.509. Duh.

So, after all that, I totally understand why everyone thinks PKI is 
hard. I'm all for the username/password thing. Its free, too.



ApacheCon! 13-17 November!

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list