Customs and Excise Electronic Returns
Ben Laurie
ben at algroup.co.uk
Wed Sep 29 08:05:52 EDT 2004
Background, for non-Brits: Customs & Excise (C&E) is the government
department responsible for collecting VAT (Value Added Tax), which is a
European sales tax. Businesses report their VAT transactions quarterly
to C&E, currently mostly on paper (a one page form, amazingly) - this is
known as a VAT return.
For some time, C&E has been encouraging electronic VAT returns
(cunningly named eVAT), but until recently required the use of an X509
client certificate to submit.
Presumably this has proved unpopular, since they are now permitting good
old username/password to be used. But they seem to be a little confused...
From the eVAT FAQ
(http://new.hmce.gov.uk/channelsPortalWebApp/channelsPortalWebApp.portal?_nfpb=true&_pageLabel=pageOnlineServices_ShowContent&id=HMCE_PROD_008287&propertyType=document):
"Which is more secure – using a Digital Certificate or User ID & Password?
Both methods are secure, but they work in different ways."
From the Government Gateway Help pages
(http://www.gateway.gov.uk/help/help_template_non_secure.asp?content=%3A%2F%2Fwww.ukonline.gov.uk%2FGateway%2FGatewayArticle%2Ffs%2Fen%3FCONTENT_ID%3D4013333%26chk%3DBQAvk3&languageid=0):
"Certificates provide a higher level of security, which is required for
certain services."
Nothing like singing from the same songsheet, eh?
Anyway, it gets better. Three types of certificate are permitted,
SecureMark, SimplySign or Trust Services. Again from the eVAT FAQ:
" * SecureMark and Chamber SimplySign certificates can be used with
either Internet Explorer 5.01 or higher, or Netscape Navigator.
* Trust Services’ certificates work with Microsoft Internet
Explorer 5.0 or later and Netscape v 4.6 or higher (but not v6 or 7).
* certificates can be used with Internet Explorer 5.01 or higher or
Netscape Navigator 4.08 or later (but not v6 or 7). "
I dunno about you, but this is not exactly clear to me. Leaving that
aside, let's look at the various CAs...
SecureMark, on a page amusingly titled "Does your Netscape Browser meet
the minimum requirements?"
(http://www.equifaxsecure.co.uk/digitalcertificates/Netscape_Response.html):
"the minimum system requirements are:
Windows 95 or NT 4 (SP3) or higher
Internet Explorer version 5.01 or above
128-bit cipher strength"
I guess the answer will be "no", then! (My browser was Firefox,
incidentally).
SimplySign - seems they actually admit that "Netscape" might work. But...
http://www.simplysign.co.uk/support/ierootdownload.html
"To make sure that your browser works with Trustis certificates the
'Trustis FPS Root CA' certificate should be installed. There is no
danger in doing this and no programs will be downloaded to your computer."
No, of course, installing root CAs in your browser has no security
implications whatever. And of course, you have to have the root CA to
use a client cert. Not.
As for Trust Services. Well, I can't find them through Google (at least,
not the one they had in mind) but much meandering around FAQs eventually
yielded a link - turns out it's BT and Verisign, but ... oops! "Note:
Inland Revenue services have not yet been upgraded to allow the use of
BT ID Certificates". So much for a simpler user experience.
Oh yeah, another gem from the eVAT FAQ:
"The Government Gateway and Digital Certificate authorities do not
currently support the use of Digital Certificates on Apple Macintosh"
Well, of course not, because everyone knows that Apple X.509 is
completely different from Microsoft X.509. Duh.
So, after all that, I totally understand why everyone thinks PKI is
hard. I'm all for the username/password thing. It's free, too.
Cheers,
Ben.
--
ApacheCon! 13-17 November! http://www.apachecon.com/
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com