USPS To Provide Personal Identity Certification 259
Zentalon writes "The United States Postal Service has announced that it will provide In-Person Proofing (pdf) to physically authenticate individuals before a digital signature certificate is issued to that person. This has a bunch of interesting ramifications; for instance, I could create a simple spam filter that only accepts mail from individuals and organizations that have an authenticated certificate. It could also allow for more secure financial transactions. Anyone know if any other national postal services are planning the same thing?" Funny, they don't seem to always know where to deliver so-called first-class mail ...
Sounds like... (Score:4, Interesting)
Re:The Post Office? Seriously? (Score:2, Interesting)
They'd already sort of be competing with Verisign and other certificate authorities that use various ways to verify your identity. I don't know what is worse, dealing with Verisign or dealing with the USPS.
Who am I? (Score:3, Interesting)
What's important is that the PDF is unique. Once it becomes clear that a PDF is associated with a spammer, the PDF will become useless, no matter who it claims to belong to.
Certificates (Score:5, Interesting)
Seems pretty secure to me.
The only thing it works for so far is tax stuff, and mail.
Patriot Act Tie In (Score:3, Interesting)
2.1 Eligibility For a Certificate Authority (CA) to use IPP, the CA must incorporate the U.S. Postal Service In-Person Proofing Policy into their Certificate Policy. Conformance to the Postal policy includes: 1. Use of a Patriot Act compliant database vetting process to gain initial assurance of an applicant's identity before sending the applicant to the Postal Office for IPP.
Yay, more data to shove into the Patriot Act machine. What a bargin!
Re:The Post Office? Seriously? (Score:5, Interesting)
Am I missing something? (Score:0, Interesting)
Sheesh!
Re:Deutsche Post did that (Score:3, Interesting)
Maybe I misunderstand the Federal Register text, but I think the USPS doesn't intend to act as a CA itself, but to verify the identity of people for other CAs. The closest Deutsche Post equivalent to that would be PostIdent. [deutschepost.de]
No postage due (Score:2, Interesting)
The other failing is it would be trivial to simply lie about the number - that is, if a number is required (just as an IP is now) then spammers will simply make one up. In order for a "valid" number to be required to traverse mail then every email would have to be authenticated through a central database. Thus, it's completely impractical as a means of reducing spam anywhere except the end user's mailbox. And we already have plenty of ways of doing that.
It IS useful, however, if you and I want to enter into a transaction without having to use the banking system. You send me merchandise, I send you cash - and if either of us defaults there is a reliable means of tracking the individual and holding them responsible. It's almost like a nationwide ebay ID in that "bad traders" can be reliably tracked and, therefore, blacklisted. On THAT level it's quite practical and, from the POV of one who refuses to use plastic, a welcome alternative.
Postal employees better than you think (Score:5, Interesting)
Complaints will be handled by people too slow to work at the Department of Motor Vehicles.
I repeat the following story every time I hear someone insult a postal worker.
One day I needed to get something in the mail THAT day, and I wasn't able to get down to the post office. I caught the mailman as he was driving up to the mailbox, and handed him the letter. Except I didn't have enough postage- I had forgotten about the rate increase that had happened recently.
Now, if the guy had wanted to be an asshole, he could have refused it- but he said "you got any change? I'll put the extra postage on it when I get in" I had a quarter on me, gave it to him, and was happy that I had probably still spent less money than the gas it would have taken to get to the post office and back.
What bowled me over was that the next day, he parked, came to the door, and handed me change. I was blown away that he bothered for such a small amount, and had expected him to (rightfully, far as I was concerned) pocket the 15-20 cents for the trouble of having to 'buy' and slap on an extra stamp for me.
NOW, if you want to see how patient postal employees are, see what these guys did [improb.com]. It is incredibly funny(the part about the sender trying to argue they should get money BACK for shipping a balloon is hilarious), but there's a serious message in their absurd little experiment(which involved shipping bricks, hammers, dead fish+seaweed, etc), and I'll include their conclusion here:
First, this experiment yielded a 64% delivery rate (18/28), an almost two-thirds success rate. (For our purposes, "delivery" constituted some type of independent handling by the USPS and subsequent contact regarding the object, regardless of whether we got to see or keep the object or whether it arrived whole.) This is astounding, considering the nature of some of the items sent. This compares with a 0% rate of receipt of fully wrapped packages from certain countries of the developing world, such as Peru, Turkey, and Egypt. Admittedly, those were international mailings, and thus not totally comparable; nevertheless, the disparity is striking.
Second, the delivery involved the collusion of sequences of postal workers, not simply lone operatives. The USPS appears to have some collective sense of humor, and might in fact here be displaying the rudiments of organic bureaucratic intelligence.
Finally, our investigation team felt remorse for some of its experimental efforts, most particularly the category "Disgusting," after the good faith of the USPS in its delivery efforts. We sought out as many of the USPS employees who had (involuntarily) been involved in the experiment as we could identify, and gave them each a small box of chocolate.
We, and all scientists, owe a debt of gratitude to these civil servants. Without them, we would have had but little success in pushing the envelope.
Australia Post (Score:2, Interesting)
I don't think that X.509 has been "widely accepted by the community" yet... so I can't find any more details about it..
Re:Australia Post (Score:3, Interesting)
It eventually failed and has never been heard from again. I do remember them sending me a email telling me it was going to be dismantled and I had 12 months more use of my certificate for free.
They also used physical presence ID checks, and I remember walking in my country post office and the postal person looking at me as if I had horns growing out of my head. I was the only person who ever approached him about getting the certificate to this day.
---
Oh goody! Now we can all get our MARK! (Score:2, Interesting)
Tell us, will we be tattoed with it, and if so, will it be on the forehead or the right hand??
(http://patft.uspto.gov/netacgi/nph-Parser?Sect
If you don't believe it, go to the United States Patent Office website and search for APPROVED patent number 5,878,155
and or this, "Method for verifying human identity during electronic sale transactions"
Red Alert! (Score:4, Interesting)
Market droid talk. If they are so good why does the post office need to get into it? Other talk about "demand", "unique service opportunity" and trusted computing has my back up. It's all so Microsoft sounding. But that's just the beginning.
They are going to use "comercial database checking", and the databases must be "Patriot Act Compliant". While the commmercial database check looks like coroprate welfare, it the Patriot act part looks like a land grab. What, besides any old G-man clerk having the athority to look at all of your data, constitues Patriot Act Complience?
The authentication method is first class mail. and a file that dissapears in four years. I'm not going to think very hard about all the ways to defruad the post and defeat this system, but mail fraud is still a common problem. The dissapering file is the real clincher. What "top quality private sector bussines" has a patent on DRM OS and has been touting files that expire as a means to "trusted computing"?
Having a certificate athority is good. Using that need as a means to nationalize software, usurp private databases, funnel tax money into private hands and foce everyone to use propriatory software is not good. The system needs to be run on proven free and open standards in a non-revocable manner.
The USPO is going to have to do better than that to win my trust. I've got one Microsoft machine for talking to an old camera and a scanner. I don't let it see the internet because it's so easy to break and own. Any plan that would force me to use software I don't trust for ecommerce is a plan I don't trust or want.
Two years ago, some moron told me that the US government would make it illegal to run anything but Microsoft software. He actually thought this was a good idea and was convinced it would happen. I told him that would violate the first amendment rights to free speech, and effectivly nationalize general purpose computing and such laws were laughably unAmerican. I'm not laughing anymore.
Someone tell me I'm just paranoid, please.
Re:The Post Office? Seriously? (Score:3, Interesting)
Old News, but Interesting (Score:5, Interesting)
I was actually one of the developers of this project (three years ago), and it is funny to see that they are finally "announcing" it.
The idea is simple, and it is actually a useful service that the USPS has the resources to provide, if they actually go through with it. Whereas SSL only authenticates the server (among other things, of course), the allocations for client authentication in SSL are optional and very rarely used. All the client needs for this is its own digital certificate, just like the server has its certificate.
So, to get an SSL certificate, we (whether we like it or not) trust the various CAs to make certain that they are granted to the rightful owners. When it comes to client certificates, the scope of the problem becomes much larger, because you are authenticating people rather than domains. If you fail to properly identify someone before issuing the digital certificate, the point is lost.
The USPS has post offices all over the US (their only country of concern in this case), and this fact provides the perfect platform for authenticating people. Just as with Passports, you must prove your identity in person before being authenticated.
How do the pieces fit together? Well, it is fairly simple, but it involves a lot of existing systems, some of which are aging. You register online (providing much personal information, including what forms of ID you will be bringing with you). This generates a letter that is sent to your address (verifying your address in the process). You take this letter to the post office, and if you pass the in-person proofing, the clerk scans the barcode on the letter. This scan makes its way back to the system in about 24 hours, and then your digital certificate is generated. An email is sent to let you know, and you can then download it from the Web site after logging in.
At any rate, I still think the general idea is a good one, and this would be a useful service for a lot of people. I hope it is successful.
Re:Is this the start of it? (Score:3, Interesting)
eBay will give out sellers' information to whomever, whenever. To find out who owns a PO box generally requires a subpoena.
Re:The Post Office? Seriously? (Score:3, Interesting)
Besides, $
USPS Approved Document Time Stmaps??? (Score:3, Interesting)
Ever like to prove to somebody that a document existed at a certain date? "Mail it to yourself. It's got the postmark."
Well, besides the fact that this ploy would never stand up in court (it's too easy to steam the flap open), it's a good idea.
How about the USPS providing a digital document time-stamping service? What good time-stamps are availible out there that would stand a test at the patent office, for example???
Re:Postal employees better than you think (Score:3, Interesting)
But now, the USPS will take your money with a smile, and lie to you about the delivery date. The bastards deliver your packages early almost every single time, blasting packages halfway across the country in two days for less than a dollar, or blasting them halfway across the planet in less than a week still for a very reasonable sum.
The USPS has changed from competition from the likes of FedEx and UPS, and they are now very, very good at what they do.
Token USPS Endorsement (Score:3, Interesting)
These people obviously don't know what it's like outside the United States. yes, I live in the US and I was born here, but I have been around enough to know that the US is where I belong. And the USPS is a great example of why it's so great to live in America. As big as the country is, 2-3 days is usually enough to get mail from anywhere to anwhere (Continental US, of course). I mail things with absolutely no fear of anything getting lost, and I have never known of any situation where something was legitimately lost in the mail.
It's always been an excuse, and a useful one for certain people, since it's impossible to disprove (can't that a letter than can't be found and that wasn't tracked was ever sent). Anyway, I'm sure some people have had trouble with the postal service, and we've all had run-ins with specific postal workers who don't care about their jobs (just like at McDonald's and Kmart and every government office).
The only negative experience I ever had with the actual service was a long time ago... like 15 years or so. A letter had been accidentally "mutilated" on the way to my mailbox. That was their word, not mine. It had obviously gotten caught in some sort of machine and it was useable and readable. But it came sealed in a special plastic covering with an amazingly-apologetic statement, just going on and on about how much of a disappointment and an inconvenience they had been to me. I couldn't believe it.
Ok, I'm done ranting. Continue slamming the postal service all you want. Oh, and by the way, I think this is a good idea. This is an organization that has a high degree of trust and is available for everybody in the US to easily to the in-person visit. Brilliant.
RP