USPS To Provide Personal Identity Certification

Zentalon writes "The United States Postal Service has announced that it will provide In-Person Proofing (pdf) to physically authenticate individuals before a digital signature certificate is issued to that person. This has a bunch of interesting ramifications; for instance, I could create a simple spam filter that only accepts mail from individuals and organizations that have an authenticated certificate. It could also allow for more secure financial transactions. Anyone know if any other national postal services are planning the same thing?" Funny, they don't seem to always know where to deliver so-called first-class mail ...

Deutsche Post did that

[sebmol]

Shortly after digital signatures became legally equivalent to regular signatures in Germany, Deutsche Post (the German postal service) offered digital authentication. Last time I heard about it, it was being scrapped due to a lack of demand.

Article text

[Anonymous Coward]

35922 Federal Register / Vol. 68, No. 116 / Tuesday, June 17, 2003 /
Notices
Dated: June 12, 2003.
D.L. Gamberoni,
Technical Coordinator, Office of the Secretary.
[FR Doc. 03-15347 Filed 6-13-03; 11:53 am]
BILLING CODE 7590-01-M
POSTAL SERVICE
In-Person Proofing at Post Offices
(IPP) Program
AGENCY: U.S. Postal Service. ACTION: Notice.
SUMMARY: The USPS is announcing the availability of an In-Person Proofing at Post Offices (IPP) Program to support the activities of U.S. Certificate Authorities and government organizations.
EFFECTIVE DATE: June 9, 2003.
FOR FURTHER INFORMATION CONTACT: Chuck Chamberlain at 703-292-4172, or Brad Reck at 703-292-3530
SUPPLEMENTARY INFORMATION: In recent years, a number of new federal statutes have sought to preserve the ability of the public and private sectors to use the efficiency of the internet to rapidly exchange time sensitive communications while assuring that people receiving and sending messages are in fact who they say they are. A number of top quality private sector businesses have mastered the technology around the use of secure digital signatures, yielding a greater demand for improved identity verification for individuals seeking to use digital signatures.
This need for improved ''online identity'' creates a unique service opportunity for the Postal Service to provide value to the public, leverage our retail network and enable internet communications to enjoy a new level of security and reliability. Numerous organizations have approached the U.S. Postal Service to conduct In-Person Proofing (IPP) of customers nationwide for physically authenticating an individual's identification at a post office before the organization issues a digital signature certificate to the individual.
IPP supports efficient, affordable, trusted communications through the use of identification verification at Post Offices, incorporation of process enhancements required by the Postal Service, active management of the IPP program by the USPS, and use of a First Class U.S. Mail piece to verify physical addresses of applicants. We believe that IPP conducted at local post offices will create a new broad based capability for the Nation that promotes improved public trust and greater efficiency in the electronic delivery of a wide range of services. These efforts support achieving the goals of the Government Paperwork Elimination Act of 1998, Electronic Signature in Global and National Commerce Act of 2000, Health Insurance Portability and Accountability Act of 1996, Sarbanes- Oxley Act of 2002, and Gramm-Leach- Bliley Act of 1999 and numerous Presidential Directives on eGovernment. The following is a brief description of how IPP would work. An organization can establish a relationship with a qualified U.S. Certificate Authority to integrate digital signing with improved identity verification into an online application. Any individual desiring to use digital certificates that include USPS IPP will complete an application online. The online system will verify the individual's identity via commercial data base checking. The system will then produce a standard Postal Service form to be printed out at the ''applicant's'' personal computer. The individual requesting the service will present this form to a participating post office where the ''In Person Proofing'' process is conducted. After successful completion of the IPP event, the CA will notify the applicant to download their digital certificate. For clarity, the steps in the IPP process are outlined below.
1.0 DESCRIPTION
1.1 Purpose
IPP is a postal program to improve the public key infrastructure of the Nation. The public key infrastructure has emerged as an accepted infrastructure component for protecting and facilitating the electronic communications of the Nation.
2.0 BASIC STANDARDS
2.1 Eligibility
For a Certificate Authority (CA) to use IPP, the CA must incorporate the U.S. Postal Service In-Person Proofing Policy into their Certificate Policy. Conformance to the Po

in bulgaria

[darp]

I saw this in Bulgaria. Few online banking sites require use of digital certificates and username/password. You have to go in person to one of the bank branches before you can get a digital certificate. Once having the certificate one can do a lot of things that we can;t here in US - online transfers, forex, etc

pdf -- txt

[CowBovNeal]

35922 Federal Register / Vol. 68, No. 116 / Tuesday, June 17, 2003 / Notices
Dated: June 12, 2003.
D. L. Gamberoni,
Technical Coordinator, Office of the Secretary.

[FR Doc. 03Ð 15347 Filed 6Ð 13Ð 03; 11: 53 am]
BILLING CODE 7590 01 M

POSTAL SERVICE
In-Person Proofing at Post Offices (IPP) Program

AGENCY: U. S. Postal Service.
ACTION: Notice.

SUMMARY: The USPS is announcing the
availability of an In-Person Proofing at Post Offices (IPP) Program to support
the activities of U. S. Certificate Authorities and government
organizations.
EFFECTIVE DATE: June 9, 2003.
FOR FURTHER INFORMATION CONTACT:
Chuck Chamberlain at 703Ð 292Ð 4172, or Brad Reck at 703Ð 292Ð 3530

SUPPLEMENTARY INFORMATION: In recent years, a number of new federal statutes have sought to preserve the ability of the public and private sectors to use the efficiency of the internet to rapidly exchange time sensitive communications while assuring that
people receiving and sending messages are in fact who they say they are. A
number of top quality private sector businesses have mastered the
technology around the use of secure digital signatures, yielding a greater
demand for improved identity verification for individuals seeking to
use digital signatures. This need for improved '' online
identity'' creates a unique service opportunity for the Postal Service to
provide value to the public, leverage our retail network and enable internet
communications to enjoy a new level of security and reliability. Numerous
organizations have approached the U. S. Postal Service to conduct In-Person
Proofing (IPP) of customers nationwide for physically authenticating an
individual's identification at a post office before the organization issues a
digital signature certificate to the individual.
IPP supports efficient, affordable, trusted communications through the use
of identification verification at Post Offices, incorporation of process
enhancements required by the Postal Service, active management of the IPP
program by the USPS, and use of a First Class U. S. Mail piece to verify physical
addresses of applicants. We believe that IPP conducted at local post offices will
create a new broad based capability for the Nation that promotes improved public trust and greater efficiency in the
electronic delivery of a wide range of services. These efforts support achieving
the goals of the Government Paperwork Elimination Act of 1998, Electronic
Signature in Global and National Commerce Act of 2000, Health
Insurance Portability and Accountability Act of 1996, Sarbanes-Oxley
Act of 2002, and Gramm-Leach-Bliley Act of 1999 and numerous
Presidential Directives on eGovernment. The following is a brief description of
how IPP would work. An organization can establish a relationship with a
qualified U. S. Certificate Authority to integrate digital signing with improved
identity verification into an online application. Any individual desiring to
use digital certificates that include USPS IPP will complete an application
online. The online system will verify the individual's identity via commercial
data base checking. The system will then produce a standard Postal Service
form to be printed out at the '' applicant's'' personal computer. The
individual requesting the service will present this form to a participating post
office where the '' In Person Proofing'' process is conducted. After successful
completion of the IPP event, the CA will notify the applicant to download their
digital certificate. For clarity, the steps in the IPP process are outlined below.

1.0 DESCRIPTION
1.1 Purpose
IPP is a postal program to improve the public key infrastructure of the Nation.

The public key infrastructure has emerged as an accepted infrastructure
component for protecting and facilitating the electronic
communications of the Nation.
2.0 BASIC STANDARDS
2.1 Eligib

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Certificates

[NearlyHeadless]

I recieved my official danish digital certificate(x.v509) by getting two pin codes. One via snail mail and the other when I ordered the certificate via the web. Both had to be typed in to recieve the certificate via mail.

Seems pretty secure to me.

That verifies your snail mail address, not your identity.

Re:great!

[Ever Dubious]

Actually a division of the US DOD? Bullshit. From the USPS web site:

United States Postal Service

The Post Office Department was transformed into the United States Postal Service, an independent establishment of the executive branch of the Government of the United States. The mission of the Postal Service remained the same, as stated in Title 39 of the U.S. Code: "The Postal Service shall have as its basic function the obligation to provide postal services to bind the Nation together through the personal, educational, literary, and business correspondence of the people. It shall provide prompt, reliable, and efficient services to patrons in all areas and shall render postal services to all communities."

The new Postal Service officially began operations on July 1, 1971. At that time, the Postmaster General left the Cabinet, and the Postal Service received:

* Operational authority vested in a Board of Governors and Postal Service executive management, rather than in Congress.
* Authority to issue public bonds to finance postal buildings and mechanization.
* Direct collective bargaining between representatives of management and the unions.
* A new rate-setting procedure, built around an independent Postal Rate Commission.

Title 39, the Postal Reorganization Act, also vested direction of the powers of the Postal Service in an 11-member Board of Governors. Nine members (the Governors) are appointed by the President, by and with the advice and consent of the Senate. They serve staggered nine-year terms, and no more than five Governors may belong to the same political party. Governors are chosen to represent the public interest generally, may not represent specific interests using the Postal Service, and may be removed only for cause.

Re:Uh-huh...

[hbo]

No, the certificate authority would sign your personal certificate, just like they do now. The USPS would have an arrangement whereby they would prove that you are who the certificate says you are through a visit to your local Post Office. The central certificate repository would be at the CA.

The Big Brother aspect comes in the arrangement between the USPS and the CA. As noted above, the CA would be required to check your identity against a Patriot Act database before passing the request on to the Post Office. Reading between the lines, it would seem that information collected from you in your CSR might end up refreshing the data in the Patriot Act database. Combine that with the requirement that certificates expire after four years, and you have a mechanism to keep that national database current. All of this is good IT/database practice. But in the hands of the Government, it raises concerns.

Don't blame just the USPS, geez

[EvilStein]

"Funny, they don't seem to always know where to deliver so-called first-class mail ..."

No, not very funny. Rather clueless. Did you know that the USPS has domestic airlines carrying mail?
I can't even count the times I've found stray (or lost) bags of mail in aircraft. One of my many job functions when I worked for a ground handling company was to make sure that mail for Anchorage actually got *on the right aircraft* and didn't wind up on a flight to Miami. We'd actually check behind the belly toolbox on that old nasty DC-8 looking for mail bags.
Ever seen a 55' truck back up to a DC-6? Yes, folks. Bulk loading 33,000lbs of mail into a friggin DC-6 bound for northern Alaska.

Sure, mail gets lost sometimes, but it's not always the fault of the USPS.

USPS offers to outsource services to CAs

[Anonymous Coward]

A more careful reading of the article indicates that the USPS plans to offer its post offices as digital signature identity proofing front offices to CAs.

The basic idea is that CAs can leverage the thousands of existing post office branches to outsource the hanling of the proofing services.

Of course, besides having their root certificate stored in Explorer and Netscape/Mozilla, the only other real competitive advantage of CAs has to do with their verification processes. Its not clear if they would be willing to outsource them. The USPS could then easily add its own root certificate to the popular browsers and eat their cake.

Re:Postal employees better than you think

[Xolotl]

Other odd items which I have seen or know at first hand as having been sent throught the British Royal Mail - a postcard scratched onto a piece of slate, sent by a field trip back to the Sedgwick Museum of Geology in Cambridge [received, and now used as a slate sample in teaching students, still with stamp and message], a jelly in an envelope [received in a plastic bag with an apology for its somewhat squashed state] and a biscuit, unwrapped with stamp directly attached [received, IRC also in plastic]. Somebody should write a book on odd things sent through the post, it would be a great read.

I was also particularly impressed when my mother received a letter from abroad with just her name and the town as the address; the town is a suburb of London and must number several tens of thousands of inhabitants at the very least.

Hong Kong's SmartID Project does this....

[shri]

http://www.smartid.gov.hk/en/index.html

and so does Hong Kong Post.

http://www.hongkongpost.gov.hk/product/ecert/typ e/ smartid/index.html

Re:The Post Office? Seriously?

[Martin Blank]

Delivery of a two-pound, 20"x15"x2" package from California to London:

UPS: $66 (2-5 days)
FedEx: $65 (4-5 days)
USPS: $15 (4-6 days)

You can guess who I went with. It took four days to get there.

Re:Amazing what the USPS does do with mail.

[Uncle Gropey]

As a mail carrier myself, I can tell you that if your carrier isn't going to your door with parcels then he/she isn't doing what they are supposed to do, and you should call in and complain to a supervisor, or even the postmaster themself if you live in a smaller community. In my office, I hear about every single complaint any of my customers have called in, so it does keep me trying not to make anyone mad.

Re:require one of these for a change of address fo

[Anonymous Coward]

Speaking as one who is in the process of moving right now (getting keys to the new apartment tomorrow morning), there actually is verification that it's been accepted and processed. You may not run into it if you don't file the change-of-address form pretty early, though, because it's sent to the old address. And, they're fairly clever about it. They account for the possibility that someone will send in the forwarding order late and someone else will have moved in their place before the confirmation is sent. Because of that possibility, they only list the address that the mail is forwarded from. Thus, the person who moves in after you may get your name, but they do not get your new address.

Just in case anyone cares, here's what the letter looks like:

COMPUTERIZED FORWARDING SYSTEM
UNITED STATES POSTAL SERVICE
1234 STREET_OF_LOCAL_POST_OFFICE RD.
SCHENECTADY, NY 12345


Dear ANONYMOUS COWARD,

The Postal service has received a Change-of-Address Order (PS Form 3575) asking us to forward mail FROM the following address for:

ANONYMOUS COWARD, INDIVIDUAL ONLY

*** PRSRT
(official-looking bar code stuff)
CURRENT RESIDENT OR
ANONYMOUS COWARD
1234 YOUR_STREET, APT 5678
SCHENECTADY, NY 12345
(more bar code stuff)

The purpose of this letter is to confirm that this request to forward mail is correct.

If this Change-of-Address Order is for someone who has already mnoved from this address, no action is needed.

If anything is incorrect with the Change-Of-Address order shown above, or if you did not ask the Postal Service to forward your mail, please call 1-800-ASK-USPS (1-800-275-8777).

... blah blah blah, etc., etc., etc...

So, yes, someone could play a trick on you, but you would at least find out eventually. Still, they could do a little better. They could provide a phone number (or web site) for you to submit a request; then they'd send a computer-generated form to the "from" address for forwarding; only by returning that form could you get the mail forwarded. Unfortunately, what would happen is that more mail would be lost this way, because in the chaos of moving, people naturally forget to forward their mail until after they've moved, and those people would never be able to get through the system...

Hong Kong has it

[lamj]

Hong Kong Post office is teaming up with the government to offer the same thing, this has been available for over a year now. Refer to this link [hongkongpost.gov.hk].

The Hong Kong Government has recently roll out a renew plan for all citizens to renew their ID card (mandatory, must be on the person at all times). This new ID card is a smart card which also allow storage of digital cert.

Because of this mandatory ID, the cert roll out plan (storage and distribution) is relatively easier than other countries.