USPS To Provide Personal Identity Certification

Zentalon writes "The United States Postal Service has announced that it will provide In-Person Proofing (pdf) to physically authenticate individuals before a digital signature certificate is issued to that person. This has a bunch of interesting ramifications; for instance, I could create a simple spam filter that only accepts mail from individuals and organizations that have an authenticated certificate. It could also allow for more secure financial transactions. Anyone know if any other national postal services are planning the same thing?" Funny, they don't seem to always know where to deliver so-called first-class mail ...

Is this the start of it?

[Blaine Hilton]

Is this how they are going to roll out a national database system? Saying it will help in the fight against spam and forgery? Not that I'm "totally" against such a system, but it seems like they are misrepresenting the true nature of this.

Amazing what the USPS does do with mail.

[DaRat]

Just a comment about the "Funny, they don't seem to always know where to deliver so-called first-class mail ..." remark.

Have I had mail lost? Yes. Is it annoying? Yes.

But, think about how amazing it is about what the USPS does right. It moves billions of pieces of mail every day, and almost all of it (percentage wise) gets to where it should be going in spite of the fact that not every piece of mail can be automatically routed and multiple people end up looking at it at one point or another. And, in spite of the price increases, I can still send a letter anywhere in the US for 37c and it'll usually get there within a 2-3 days.

Sure, dealling with the post office is a pain occasionally, and they do lose some mail. But, when I think about the scope and scale of what they do right, it does boggle my mind.

good idea? Maybe....

[deque_alpha]

I dunno, while this seems like a great idea on the surface, I am a little leery about going and getting "proofed" for this digital signature. Having not read the article, it seems like just one more database entry on me to be cross-referenced so that I can be "accurately" profiled by the government or whatever other really large entity decides they want to. I'll stick to my GPG signature, thanks. But then again, maybe my foil hat needs to be adjusted....

email anonymity and spam

[I Want GNU!]

This sounds potentially like a great method to prevent spam or at least to allow verified mail, but it still doesn't sound like a complete solution. One of the distinguishing characteristics of the Internet is that it allows people anonymity. If only emails with digital signatures are allowed then anonymous email won't get through. On the other hand, if verified email were possible, it would prevent false positives for spam and Bayesian filters could handle the rest of email. This way emails wouldn't be falsely designated as spam and everything would get through.

Ramifications

[the_pointman]

The USPS' idea for certified proofing for digital signatures is in the right direction for securing financial transactions, helping to prevent spam (in the case of accepting emails only e-signed from registered people), but initiating such a project will bring the US closer to a National ID card.

By attaching services such as online tax refunds or filings, the public will be /required/ to register with the USPS in order to take advantage of the online filings with the IRS. Sure, but what if people just file in paper? Without a doubt, the government will then ad a fee to paper filings to encourage taxpapers (everyone) to register with the USPS service.

Let me see your papers, please!

Re:Is this the start of it?

[Anonymous Coward]

Is this how they are going to roll out a national database system? Saying it will help in the fight against spam and forgery?

Look, anything that can possibly improve the situation that someone picking up my social security number and date of birth and a few other simple facts about me can end up stealing my identity is a good thing. We're increasingly reliant on computers and digital information yet we have no decent national digital signature infrastructure in place. It is a very sad state of affairs when my mother's maiden name can still be expected to be used as some kind of secure authenticator to protect my bank account information.

Like a PGP key signing party--

[ccmay]

Like a PGP key-signing party -- remember those? -- but without the party, and only a surly union-slug postal clerk instead of dozens of new and interesting techie friends. Too bad it never really caught on except as a way to check your open-source downloads.

I am concerned that what begins as a voluntary initiative will one day become quasi-mandatory, like carrying a driver's license.

-ccm

Uh-huh...

[Angry Pixie]

So the digital certificate could be used to validate the mail I sent really came from me? Oh, I'd just attach the certificate to the email? Oh, there's a central repository where all the email addresses I might use can be linked to the certificate? Oh, how lovely... and who would this repository be available to? Only the government? Oh grand. Sign me up!

couple of concerns...

[tx_kanuck]

1) How well will this work with other authtication techniques? (ie. if other postal systems start this, will there be interoperability? If so, who coordinates this?)

2) How good is the procedure to replace a lost/stolen certificate?

3) What good is this for people not in the US?

4) If someone lives in the US, gets one of these, and then moves, can it still be updated/replaced?

5) I forget the other question.

Granted, I only skimmed the article, so I may have missed the answers, but still....

Re:Amazing what the USPS does do with mail.

[jdcook]

Mod parent up. I love how /. editors make fun of the post office for an almost imperceptible error rate in billions of pieces of mail but cannot even post a hundred stories in a row (I'm guessing) without a dupe or other obvious error.

non-USA email

[innocent_white_lamb]

Not all email that doesn't originate in the USA is spam. Using this as a spam filter would balkanize Internet email and make it "domestic USA mail only" for US residents, and available internationally only for those who live elsewhere.

Re:Sounds like...

[t0ny]

The post office proposed offering email as a provided service long ago. But your complain has little merit, because many spam-stopping plans already propose adding a "cost" to email, even if it is a nominal fee such as $.01/message. A corportation would shrug at having to pay $8/day for email, but would a bulk mailer sending millions of messages per hour?

The problem with people complaining about paying is that, for things that are worthwhile, its not about the money. Eventually you will have to pay for something, you are better off spending money on what you want, as opposed to getting what you dont want for free.

But the USPS won't issue the certs, correct?

[Just Some Guy]

After reading the article (hey! There's a first for everything!), it seems as though the USPS will only be providing official ID verification to 3rd-party CAs who will use it to determine whether they, not USPS, will issue the cert. In other words, the USPS will only be vouching for you to the CA - they won't be authenticating you to the public at large.

Great. Just great. Now I get to deal with the Post Office and Verisign when I want to lock down an SSL site.

Please shoot me.

I hate X.509

[Sloppy]

Forget this X.509 crap, I want postmaster@usps.gov to sign my PGP key!

I hate X.509. It's cumbersome and weird (that extra 'cert request' step), while also being functionally lame (only one signature, and you have to either completely trust it or not). Why anyone would want to use that when there's something so much better available (OpenPGP), is beyond me.

Re:Postal employees better than you think

[Just Some Guy]

I repeat the following story every time I hear someone insult a postal worker.

That's a good story. I like the mailman that comes to my house; he's a nice guy, and I imagine he'd probably do the same thing for me. In fact, the whole post office in my small town is staffed by genuinely nice, friendly people and I feel kind of guilty about lumping them in with my other generalities.

However, I've also been into post offices where I really wished I was armed to protect myself from both the patrons and the staffers. Unfortunately, those are the experiences that tend to resonate with the population.

Re:Amazing what the USPS does do with mail.

[El]

Actually, USPS refuses to drive up my driveway to deliver a package, then leaves a postcard in my mail box telling me they attempted delivery. Of course, when I take that postcard down to the post office, they tell me they can't let me have my package because the carrier is still driving around with it... look, if you're not going to bother even checking to see if I'm home, why not just leave the damn package at the post office?

Re:The Post Office? Seriously?

[jonnythan]

Yeah?

Get FedEx to pick up a letter in White's City, NM and deliver it to Buttfuck Alaska in less than a week for 40 cents.

Ask UPS to deliver some RAM from your home in the middle of nowhere in Vermont to suburban Seattle in two days flat for $3.85.

Re:Amazing what the USPS does do with mail.

[zenyu]

Actually, USPS refuses to drive up my driveway to deliver a package, then leaves a postcard in my mail box telling me they attempted delivery.

Heh, my mail carrier doesn't even bother to buzz my doorbell, about two feet away from the box. Yet he still says he takes the package with him. What is the point in that? What really annoys me is that my post office arranges their packages by day of arrival instead of address so there is always a huge line, then you get up there and they can't find the package.. this is especially true if it is something small like certified letter. I have a sneaking suspicion they don't separate these and just pile hundreds of packages on top of letters.

The upshot is I meet a lot of my neighbors, for better or worse, and we trade snail-mail horror stories. Two women told me about a sting operation her family ran that had one person standing by the mailbox, one at the post office, another chasing the delivery van.. and finally a last person conveying messages between them. They managed to get the package in just one day of work. It really was on the van despite stringent denials by the mail carrier, but the post office kept saying things like "oh, the package just went out to the van," "oh, I just left it back at the post office," "we just sent someone out to deliver it, you better hurry home so you don't miss the delivery!" This didn't happen to me, but with my experiences I do believe it. When I get a package notice at home half the time I just ask who ever made the mistake sending it there to send it to my work or to my local package service, when it eventualy gets returned.

Re:Amazing what the USPS does do with mail.

[egburr]

Strange, my postman walks down my driveway to deliver packages that require a signature or are too large for the mailbox. My driveway is 200 feet long and the center is 15 feet lower than either end, so he literally does have to walk uphill both ways. Despite that, he is not out of breath (I usually am after walking it twice to haul the garbage to the curb) and has had a smile on his face every time.

You might talk to your local postmaster and see if there is some reason he doesn't knock on the door.

require one of these for a change of address form

[option8]

the last (several) times i have moved, I've gone down to the post office, picked up an official postal change of address form, filled it out and mailed it back in.

as far as i can tell (and the USPS may have updated their policy since the last time i moved) there's no ID, or any kind of proof of identity for that matter, involved in filling out a change of address form. that, and no confirmation after the fact that it had been accepted and processed - other than your mail showing up at the new address with a big yellow sticker over the address. i.e. nothing to prevent someone filling out a form for somebody else

in fact, i read several years ago in a book of "dirty tricks and practical jokes" that a fun little prank to pull on someone you don't like was to fill out a change of address form for them - forwarding their mail to an address in another state. another fun one was to send a threatening letter to 1600 pennsylvania ave with their return address. postal inspectors *and* secret service when the prez is in town. fun for the whole family!

now, tell me they've updated this procedure - which used to be done with a simple mail-in form - or else tell me how i'm supposed to trust this same organization as an authority regarding someone's identity.

Illegals ID themselves for jobs, so can this work?

[John Jorsett]

If we can't screen out millions of illegal aliens who manage to come to the U.S. and present documents that are good enough to let them satisfy the government's requirements to prove to an employer that they are eligible to work in the U.S., how is this going to be better? If the answer is "better documents," how come we aren't requiring those better documents to be presented to the employers?

Questions

[MagPulse]

After reading the article (quickly) I still have some questions:

1) What kind of certificate is being given? X.509?

2) What private information is kept by the user to be used to encrypt or sign data? In PGP you have a key that's usually thousands of bits long. I just read that X.509 certificates only use a password. If this is true, wouldn't it be a lot easier to crack? For example, by encrypting data with tiny passwords until a browser or e-mail program accepts it?

3) How is the private info given to the user? If it's in person when the user signs up, then it has to be randomly generated since no one at the office should see it. If it's sent in the e-mail notice for downloading the certificate, that can't be secure can it? So it must be given at sign-up in a sealed envelope right?