Revenue uses a “digital certificate” to allow Business customers electronically access their account and sign and submit their returns via Revenue’s secure electronic channel (ROS). Electronically “signing and submitting” represents a legal signature and ensures that the communications and transactions between customers and Revenue cannot be repudiated at a later stage. Developed on a PKI infrastructure, this security underpins all electronic activity for Business Users. 5.3 million Revenue Returns were processed through this channel over the course of 2015, and Ireland is considered as 1st in the EU when it comes to paying taxes (6th globally). The security provided by the Digital Certificate design is core to this success. Over recent years, this solution has been shared with two other national bodies.
Both the Central Registration Office (CRO) and the Department of Transport, Tourism and Sport (DTTAS) use Revenue provided digital certs to authenticate end users and allow them to engage via their different online channels.
As well as the initial engagement and development with these authorities, Revenue continues to engage and provide support to CRO, DTTAS and their end users as required. This includes the provision of new certs, live support, provision of public interface test (PIT) facilities and undertaking significant technical upgrades as required to ensure the infrastructure stays up to date and within existing support agreements. Sharing and the reuse of the Digital Certificate infrastructure has enabled these agencies engage digitally with their end users over a secure and proven architecture.
The solution is based on the OpenID Connect protocol for allowing cross-organisation authentication. Our implementation is based on the open-source MITREid-connect project from the MITRE Corporation and MIT Internet Trust Consortium. Authentication within the solution is handled using PKI (Public Key Infrastructure).
The current engagement which is in place with both CRO and DTTAS can be extended to other organisations with minor additional development and provision of end user support as the organisation engages in testing with Revenue. The same solution is used for signing into Revenue Online Services (ROS), which is used by businesses, tax agents and self-employed individuals for filing declarations and making payments, and therefore sees high volumes during peak filing periods.
All of Revenue’s developments adhere to a set of standards which underpin the delivery and governance approaches. Supported by a Programme Management Office (PMO), this ensures a reliable and repeatable approach to Project Delivery. A standard tenant of this approach is that, where 3rd parties (such as CRO and DTTAS) are involved in a project, that appropriate communication and consultation milestones are established, agreed to and actively monitored. Both CRO and DTTAS were involved in this process.
The role of both CRO and DTTAS was to confirm specific requirements (e.g. cert type) with Revenue. When development was completed across Revenue, CRO and DTTAS, Revenue made a public interface test environment (PIT) for the 3rd parties to engage in testing. It was the role of the 3rd parties to engage in this test phase and confirm to Revenue upon successful exit of the phase. Throughout, Revenue had responsibility for ensuring the availability of the environment, and responding to queries/ issues as they arose. Now that the solution is live, Revenue continues to provide live support for the solution.
Digi certs are actively used to authenticate end users of both the CRO and DTTAS services. On average, just over 40,000 transactions are “signed and submitted” each month from these agencies are completed by Revenue per month in supporting these organisations.
The Digicert solution falls within Revenue’s standard governance approached. As regards stability of the solution, a number of safeguards are in place as part of this standard approach. All changes being introduced to the production environment are subjected to intensive regression testing to mitigate against the potential risk of introducing instability.
Revenue maintain and support a Public Interface Test (PIT) environment which enables CRO and DTTAS engage in testing as they implement change to ensure that the solution continues to function. Revenue provides support during this phase, as well as continued live support. Live support stability is actively tracked and managed, and is reviewed on a weekly basis by Revenue management with actions taken as required.
Technology:
The solution uses the following technologies:
- OpenID Connect is an open specification
- MITREid-connect is an open source project licensed under the Apache License, Version 2.0
- The PKI implementation is based on open specifications, such as the one for PKCS#12 under the Internet Engineering Task Force.
The solution is built on an architecture using primarily open source technologies. The ROS OpenID Connect server is built on Java, based on the MITREid-connect open source project and runs on Tomcat, OpenJDK and Linux. It is hosted behind an open-source Apache HTTPD reverse-proxy and leverages an open-source MySQL database.
The service is downloadable here: http://www.ros.ie/PublisherServlet/info/setupnewcust ( it is mandatory to be tax registered in Ireland )