NHS Smartcard integration


(Andrew Anderson) #1

Just wondering how the NHS Digital Identity Agent and Java will all work with this. Does WINE come into play?


(Adrian Wilkins) #2

Depends on whether the ID Agent is all Java or whether it uses native APIs.

Java is available on Linux too (OpenJDK has been the official reference implementation for a while now).

Is the source for the identity agent available?


(Andrew Anderson) #3

They are available here http://nww.hscic.gov.uk/dir/downloads/ - and are used in GP Practices, Pharmacies, Primary Care and clerical areas. Quite important that they are usable to access NHS SPINE services. Is this being looked at?

We run them with Java 8u11 as the MEDIUM security setting is required for some sites and applets to run.


(Adrian Wilkins) #4

Ah, sadly I have no N3 access, I used to work for NHS Digital (when it was CfH / HSCIC) but no longer.

> We run them with Java 8u11 as the MEDIUM security setting is required for some sites and applets to run

>-<

Why does security always take a back seat to expedience? (the fault of the supplier of these applets, of course).

Reading the changelog for 8u20 - is it the “applets must be at least version 5” or the “smartcard reset” change? I’m guessing the former.


(Rob Dyke) #5

I just merged in some materials for our work on seamlessRDP with smartcard support.


(Rob Dyke) #6

In a reply to a post in the Debian Medical thread, I wrote:

> Right now the ‘missing piece’ is the Identity Agent, the code that pings
> the Spine endpoint when the PIN is entered and is used to wrap up token
> requests with the certificates. With that piece of code we would be able to
> use the smartcard with any browser and access web services that require
> Spine authentication.


(Iain Lennon) #7

As a newcomer to this site but with a project in mind, I read this thread with interest.

Given how central smartcard authentication is to the current NHS systems (and how much easier than having multiple systems), is it not going to be easier to actually pay someone to write this? It could be tested against one of the test spines, but without this functionality we aren’t going to be able to move away from Windows. Nor are providers necessarily going to do the work to migrate browser-based apps away from IE without it.


(Marcus Baw) #8

You’re absolutely right, NHS Smartcard integration is possibly one of the highest priorities in terms of next development steps. I’m not sure about getting someone else to write it - the NHS customised the Identity Agent for Windows, so we’re hoping to be able to apply some central pressure to do the same for other OSs. Interestingly the Identity Agent (Smartcard) system has some hard-coded dependencies on Gemalto that we’re hoping to sort out as well.

In the end it is the NHS which will save hundreds of millions of pounds from not having to purchase Windows licenses, so there’s a reasonable assumption they have an interest in doing this. The ‘new’ Spine (replatformed 2014) runs Ubuntu internally anyway. We know many of the Spine engineers.


(Graham Verbrugge) #9

Just wondered if your distribution includes the smartcard driver extensions for use within Firefox / Chrome for Linux, i.e. Gemalto / Oberthur; or would the users have to use Spine features via a Vagrant virtual machine and Internet Explorer?


(Marcin Cieślak) #10

I am not involved with the NHS a lot, but did some #smartcard hacking and I wonder, what are the components really used there? I managed to make some cards work by cheating the Java applet into thinking it is running on Windows and switching it over to an OCF/PCSC bridge. Is the smartcard structure closed and cannot be read by normal tools? Vendors love proprietary APIs for that and we wonder later why there is zero interoperability in the identity business.