PKI and the Poor Helpdesk Lady

posted: January 29th, 2009

For security reasons I store my ATO Business Portal certificate on a Rainbow iKey 3000, so when I attempted to renew my certificate the ATO’s website gave me a ‘certificate is not a valid production Tax Office certificate’ error.

I called ATO tech support and the helpdesk lady took me through the usual gauntlet of scripted helpdesk questions:

  • What operating system are you using? “Windows XP”, I replied (I didn’t want to tell her I was running it as a virtual machine!). “Home or Professional?” she asked. “Um.. Professional, ahem, Professional.”
  • What is your service pack level? “3”, I said.
  • Are you using a network? “Um… Yes. Just a home network.”
  • What firewall are you using, sir? “m0n0wall.”

I told her the error message I was getting and she instructed me to go into the CSI certificate management utility. We did the shuffle again… Start Menu… All Programs… CSI blah blah.

I told her that my cert is stored on the smartcard and not in the usual CSI store, but she responded that the cert isn’t actually on the smartcard but rather on the computer, and then got me to deselect the Microsoft CAPI store (i.e. the smartcard, where my cert actually resides).
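The check I would have wanted at this point in the call, as an added example that is not part of the original post: on a Windows box, list the certificates visible in the CAPI personal store and report which cryptographic service provider holds each private key. Smartcard middleware publishes the certificate through CAPI while the key itself stays on the token, so a hardware-backed cert shows up in the same list as software-store certs; the provider name and the HardwareDevice flag are what tell them apart. The subject filter is a placeholder, not the ATO certificate’s real subject, and the script assumes a reasonably modern PowerShell rather than the XP-era version.

```powershell
# Added example (not from the original post): show where the private key behind
# each personal certificate actually lives. Certs exposed by smartcard middleware
# appear in the CAPI store view even though the key never leaves the token.
# Assumption: the subject filter is hypothetical; adjust it to your own cert.
$subjectFilter = '*ATO*'

Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like $subjectFilter } |
    ForEach-Object {
        $cert       = $_
        $provider   = 'no private key'
        $onHardware = $false
        if ($cert.HasPrivateKey) {
            try {
                # For CAPI keys, PrivateKey is an RSACryptoServiceProvider whose
                # CspKeyContainerInfo names the CSP and flags hardware-held keys.
                $info = $cert.PrivateKey.CspKeyContainerInfo
                $provider   = $info.ProviderName
                $onHardware = $info.HardwareDevice
            } catch {
                # Typical when the token is not inserted or the key is held by a
                # CNG key storage provider instead of a legacy CSP.
                $provider = 'key not accessible (token removed or CNG key)'
            }
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Provider   = $provider
            OnHardware = $onHardware
        }
    } | Format-Table -AutoSize

# Cross-check: certutil prints "Provider = <CSP name>" under each certificate
# that has a private key, so the token's middleware CSP stands out from the
# Microsoft software CSPs.
certutil -user -store My
```

If the ATO certificate lists the token vendor’s CSP with OnHardware set to True, the key is on the smartcard and hiding the CAPI store from the management utility will simply make the certificate vanish from view, which is exactly what happened next.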

Naturally I enthusiastically obeyed and the certificate disappeared from view! I told her and there was a long pause. After about 30 seconds she asked if it was OK to put me on hold.

After a while she said, “Your certificate is not a valid ATO certificate.” Now, prior to calling I had just logged onto the Business Portal, so I know for certain that the cert is valid and working.

So I thought… “I can successfully log in to the ATO with an invalid certificate - REALLY! Then the Australian government’s ATO PKI infrastructure has been compromised!!!”

Anyway, she was very nice about it and advised me that I would receive a call from an escalations team in a couple of days. I felt quite sorry for her, as my configuration might have been a tad beyond what she would encounter on an everyday basis.

In the end they told me that storing the certificate on a smartcard was not supported, so I am now back to storing the cert in a Java certificate store. So much for better security!