USPS To Provide Personal Identity Certification 259
Zentalon writes "The United States Postal Service has announced that it will provide In-Person Proofing (pdf) to physically authenticate individuals before a digital signature certificate is issued to that person. This has a bunch of interesting ramifications; for instance, I could create a simple spam filter that only accepts mail from individuals and organizations that have an authenticated certificate. It could also allow for more secure financial transactions. Anyone know if any other national postal services are planning the same thing?" Funny, they don't seem to always know where to deliver so-called first-class mail ...
Is this the start of it? (Score:5, Insightful)
Amazing what the USPS does do with mail. (Score:5, Insightful)
Have I had mail lost? Yes. Is it annoying? Yes.
But, think about how amazing it is about what the USPS does right. It moves billions of pieces of mail every day, and almost all of it (percentage wise) gets to where it should be going in spite of the fact that not every piece of mail can be automatically routed and multiple people end up looking at it at one point or another. And, in spite of the price increases, I can still send a letter anywhere in the US for 37c and it'll usually get there within a 2-3 days.
Sure, dealling with the post office is a pain occasionally, and they do lose some mail. But, when I think about the scope and scale of what they do right, it does boggle my mind.
good idea? Maybe.... (Score:2, Insightful)
email anonymity and spam (Score:3, Insightful)
Ramifications (Score:5, Insightful)
By attaching services such as online tax refunds or filings, the public will be
Let me see your papers, please!
Re:Is this the start of it? (Score:5, Insightful)
Look, anything that can possibly improve the situation that someone picking up my social security number and date of birth and a few other simple facts about me can end up stealing my identity is a good thing. We're increasingly reliant on computers and digital information yet we have no decent national digital signature infrastructure in place. It is a very sad state of affairs when my mother's maiden name can still be expected to be used as some kind of secure authenticator to protect my bank account information.
Like a PGP key signing party-- (Score:3, Insightful)
I am concerned that what begins as a voluntary initiative will one day become quasi-mandatory, like carrying a driver's license.
-ccm
Uh-huh... (Score:2, Insightful)
couple of concerns... (Score:3, Insightful)
2) How good is the procedure to replace a lost/stolen certificate?
3) What good is this for people not in the US?
4) If someone lives in the US, gets one of these, and then moves, can it still be updated/replaced?
5) I forget the other question.
Granted, I only skimmed the article, so I may have missed the answers, but still....
Re:Amazing what the USPS does do with mail. (Score:5, Insightful)
non-USA email (Score:3, Insightful)
Re:Sounds like... (Score:5, Insightful)
The problem with people complaining about paying is that, for things that are worthwhile, its not about the money. Eventually you will have to pay for something, you are better off spending money on what you want, as opposed to getting what you dont want for free.
But the USPS won't issue the certs, correct? (Score:5, Insightful)
Great. Just great. Now I get to deal with the Post Office and Verisign when I want to lock down an SSL site.
Please shoot me.
I hate X.509 (Score:4, Insightful)
I hate X.509. It's cumbersome and weird (that extra 'cert request' step), while also being functionally lame (only one signature, and you have to either completely trust it or not). Why anyone would want to use that when there's something so much better available (OpenPGP), is beyond me.
Re:Postal employees better than you think (Score:3, Insightful)
That's a good story. I like the mailman that comes to my house; he's a nice guy, and I imagine he'd probably do the same thing for me. In fact, the whole post office in my small town is staffed by genuinely nice, friendly people and I feel kind of guilty about lumping them in with my other generalities.
However, I've also been into post offices where I really wished I was armed to protect myself from both the patrons and the staffers. Unfortunately, those are the experiences that tend to resonate with the population.
Re:Amazing what the USPS does do with mail. (Score:3, Insightful)
Re:The Post Office? Seriously? (Score:3, Insightful)
Get FedEx to pick up a letter in White's City, NM and deliver it to Buttfuck Alaska in less than a week for 40 cents.
Ask UPS to deliver some RAM from your home in the middle of nowhere in Vermont to suburban Seattle in two days flat for $3.85.
Re:Amazing what the USPS does do with mail. (Score:3, Insightful)
Heh, my mail carrier doesn't even bother to buzz my doorbell, about two feet away from the box. Yet he still says he takes the package with him. What is the point in that? What really annoys me is that my post office arranges their packages by day of arrival instead of address so there is always a huge line, then you get up there and they can't find the package.. this is especially true if it is something small like certified letter. I have a sneaking suspicion they don't separate these and just pile hundreds of packages on top of letters.
The upshot is I meet a lot of my neighbors, for better or worse, and we trade snail-mail horror stories. Two women told me about a sting operation her family ran that had one person standing by the mailbox, one at the post office, another chasing the delivery van.. and finally a last person conveying messages between them. They managed to get the package in just one day of work. It really was on the van despite stringent denials by the mail carrier, but the post office kept saying things like "oh, the package just went out to the van," "oh, I just left it back at the post office," "we just sent someone out to deliver it, you better hurry home so you don't miss the delivery!" This didn't happen to me, but with my experiences I do believe it. When I get a package notice at home half the time I just ask who ever made the mistake sending it there to send it to my work or to my local package service, when it eventualy gets returned.
Re:Amazing what the USPS does do with mail. (Score:4, Insightful)
You might talk to your local postmaster and see if there is some reason he doesn't knock on the door.
require one of these for a change of address form (Score:3, Insightful)
as far as i can tell (and the USPS may have updated their policy since the last time i moved) there's no ID, or any kind of proof of identity for that matter, involved in filling out a change of address form. that, and no confirmation after the fact that it had been accepted and processed - other than your mail showing up at the new address with a big yellow sticker over the address. i.e. nothing to prevent someone filling out a form for somebody else
in fact, i read several years ago in a book of "dirty tricks and practical jokes" that a fun little prank to pull on someone you don't like was to fill out a change of address form for them - forwarding their mail to an address in another state. another fun one was to send a threatening letter to 1600 pennsylvania ave with their return address. postal inspectors *and* secret service when the prez is in town. fun for the whole family!
now, tell me they've updated this procedure - which used to be done with a simple mail-in form - or else tell me how i'm supposed to trust this same organization as an authority regarding someone's identity.
Illegals ID themselves for jobs, so can this work? (Score:4, Insightful)
Questions (Score:3, Insightful)
1) What kind of certificate is being given? X.509?
2) What private information is kept by the user to be used to encrypt or sign data? In PGP you have a key that's usually thousands of bits long. I just read that X.509 certificates only use a password. If this is true, wouldn't it be a lot easier to crack? For example, by encrypting data with tiny passwords until a browser or e-mail program accepts it?
3) How is the private info given to the user? If it's in person when the user signs up, then it has to be randomly generated since no one at the office should see it. If it's sent in the e-mail notice for downloading the certificate, that can't be secure can it? So it must be given at sign-up in a sealed envelope right?