Forgot your password?
typodupeerror
Privacy United States

USPS To Provide Personal Identity Certification 259

Posted by timothy
from the in-their-efficient-cheerful-fashion dept.
Zentalon writes "The United States Postal Service has announced that it will provide In-Person Proofing (pdf) to physically authenticate individuals before a digital signature certificate is issued to that person. This has a bunch of interesting ramifications; for instance, I could create a simple spam filter that only accepts mail from individuals and organizations that have an authenticated certificate. It could also allow for more secure financial transactions. Anyone know if any other national postal services are planning the same thing?" Funny, they don't seem to always know where to deliver so-called first-class mail ...
This discussion has been archived. No new comments can be posted.

USPS To Provide Personal Identity Certification

Comments Filter:
  • by sebmol (217013) <sebmol@noSpAm.sebmol.de> on Wednesday July 02, 2003 @05:44PM (#6353502) Homepage
    Shortly after digital signatures became legally equivalent to regular signatures in Germany, Deutsche Post (the German postal service) offered digital authentication. Last time I heard about it, it was being scrapped due to a lack of demand.
    • pdf -- txt (Score:2, Informative)

      by CowBovNeal (672450)
      35922 Federal Register / Vol. 68, No. 116 / Tuesday, June 17, 2003 / Notices
      Dated: June 12, 2003.
      D. L. Gamberoni,
      Technical Coordinator, Office of the Secretary.

      [FR Doc. 03Ð 15347 Filed 6Ð 13Ð 03; 11: 53 am]
      BILLING CODE 7590 01 M

      POSTAL SERVICE
      In-Person Proofing at Post Offices (IPP) Program

      AGENCY: U. S. Postal Service.
      ACTION: Notice.

      SUMMARY: The USPS is announcing the
      availability of an In-Person Proofing at Post Offices (IPP) Program to support
      the activities of U. S. Certificate Authoritie
    • Canada too... (Score:4, Informative)

      by conner_bw (120497) on Wednesday July 02, 2003 @05:54PM (#6353626) Homepage Journal
      Canada too...

      http://www.epost.ca/ [epost.ca]

      Canadapost, canada's gov snail mail institution, is doing something similar with email where you can pay bills and other such commercial exchanges using their "Electronic Postmark (tm)" technology.

    • They got funded to develop a PKI infrastructure with real verification of identity for the EU.
    • Shortly after digital signatures became legally equivalent to regular signatures in Germany, Deutsche Post (the German postal service) offered digital authentication.

      Maybe I misunderstand the Federal Register text, but I think the USPS doesn't intend to act as a CA itself, but to verify the identity of people for other CAs. The closest Deutsche Post equivalent to that would be PostIdent. [deutschepost.de]

  • by Just Some Guy (3352) <kirk+slashdot@strauser.com> on Wednesday July 02, 2003 @05:44PM (#6353504) Homepage Journal
    Of course, your certificate will be snailed to you on the back of a postcard. 10% of them will be lost. Complaints will be handled by people too slow to work at the Department of Motor Vehicles. And although they'll only cost $0.37 to start, their price growth will outstrip inflation. When a competing company starts doing the same things with better service and prices, they'll whine that they're losing business and raise prices again.

    Other than that, I'm sure it'll be great. When will my local branch (literally in a small town in Nebraska) have their PKI training day?

    • by Anonymous Coward
      When a competing company starts doing the same things with better service and prices, they'll whine that they're losing business and raise prices again.

      They'd already sort of be competing with Verisign and other certificate authorities that use various ways to verify your identity. I don't know what is worse, dealing with Verisign or dealing with the USPS.

    • by SuperBanana (662181) on Wednesday July 02, 2003 @06:10PM (#6353780)

      Complaints will be handled by people too slow to work at the Department of Motor Vehicles.

      I repeat the following story every time I hear someone insult a postal worker.

      One day I needed to get something in the mail THAT day, and I wasn't able to get down to the post office. I caught the mailman as he was driving up to the mailbox, and handed him the letter. Except I didn't have enough postage- I had forgotten about the rate increase that had happened recently.

      Now, if the guy had wanted to be an asshole, he could have refused it- but he said "you got any change? I'll put the extra postage on it when I get in" I had a quarter on me, gave it to him, and was happy that I had probably still spent less money than the gas it would have taken to get to the post office and back.

      What bowled me over was that the next day, he parked, came to the door, and handed me change. I was blown away that he bothered for such a small amount, and had expected him to (rightfully, far as I was concerned) pocket the 15-20 cents for the trouble of having to 'buy' and slap on an extra stamp for me.

      NOW, if you want to see how patient postal employees are, see what these guys did [improb.com]. It is incredibly funny(the part about the sender trying to argue they should get money BACK for shipping a balloon is hilarious), but there's a serious message in their absurd little experiment(which involved shipping bricks, hammers, dead fish+seaweed, etc), and I'll include their conclusion here:

      First, this experiment yielded a 64% delivery rate (18/28), an almost two-thirds success rate. (For our purposes, "delivery" constituted some type of independent handling by the USPS and subsequent contact regarding the object, regardless of whether we got to see or keep the object or whether it arrived whole.) This is astounding, considering the nature of some of the items sent. This compares with a 0% rate of receipt of fully wrapped packages from certain countries of the developing world, such as Peru, Turkey, and Egypt. Admittedly, those were international mailings, and thus not totally comparable; nevertheless, the disparity is striking.

      Second, the delivery involved the collusion of sequences of postal workers, not simply lone operatives. The USPS appears to have some collective sense of humor, and might in fact here be displaying the rudiments of organic bureaucratic intelligence.

      Finally, our investigation team felt remorse for some of its experimental efforts, most particularly the category "Disgusting," after the good faith of the USPS in its delivery efforts. We sought out as many of the USPS employees who had (involuntarily) been involved in the experiment as we could identify, and gave them each a small box of chocolate.

      We, and all scientists, owe a debt of gratitude to these civil servants. Without them, we would have had but little success in pushing the envelope.

      • I repeat the following story every time I hear someone insult a postal worker.

        That's a good story. I like the mailman that comes to my house; he's a nice guy, and I imagine he'd probably do the same thing for me. In fact, the whole post office in my small town is staffed by genuinely nice, friendly people and I feel kind of guilty about lumping them in with my other generalities.

        However, I've also been into post offices where I really wished I was armed to protect myself from both the patrons and the

        • When I was a kid in the 80s, it was hip to make fun of the Post Office. And rightfully so: they were slow and unreliable. The jokes grew up from real experiences.

          But now, the USPS will take your money with a smile, and lie to you about the delivery date. The bastards deliver your packages early almost every single time, blasting packages halfway across the country in two days for less than a dollar, or blasting them halfway across the planet in less than a week still for a very reasonable sum.

          The USPS has
      • Other odd items which I have seen or know at first hand as having been sent throught the British Royal Mail - a postcard scratched onto a piece of slate, sent by a field trip back to the Sedgwick Museum of Geology in Cambridge [received, and now used as a slate sample in teaching students, still with stamp and message], a jelly in an envelope [received in a plastic bag with an apology for its somewhat squashed state] and a biscuit, unwrapped with stamp directly attached [received, IRC also in plastic]. Some
    • Yeah?

      Get FedEx to pick up a letter in White's City, NM and deliver it to Buttfuck Alaska in less than a week for 40 cents.

      Ask UPS to deliver some RAM from your home in the middle of nowhere in Vermont to suburban Seattle in two days flat for $3.85.
    • Quoth the poster:

      And although they'll only cost $0.37 to start, their price growth will outstrip inflation. When a competing company starts doing the same things with better service and prices, they'll whine that they're losing business and raise prices again.

      There's truth to what you say, but not as much as you think. The USPS is required by law to deliver to every address, every day (in some really small places they skip Saturdays, I hear). UPS, FedEx, etc. have to make a profit, which means that

  • Sounds like... (Score:4, Interesting)

    by Klev (684090) on Wednesday July 02, 2003 @05:44PM (#6353505) Homepage Journal
    Sounds like an opourtunity to charge us. This seems a lot like the door opening for the postal service's charging to send emails. Why else would they be offering to develop this amazing technology? To make our lives better?
    • Re:Sounds like... (Score:5, Insightful)

      by t0ny (590331) on Wednesday July 02, 2003 @06:02PM (#6353706)
      The post office proposed offering email as a provided service long ago. But your complain has little merit, because many spam-stopping plans already propose adding a "cost" to email, even if it is a nominal fee such as $.01/message. A corportation would shrug at having to pay $8/day for email, but would a bulk mailer sending millions of messages per hour?

      The problem with people complaining about paying is that, for things that are worthwhile, its not about the money. Eventually you will have to pay for something, you are better off spending money on what you want, as opposed to getting what you dont want for free.

  • by Blaine Hilton (626259) on Wednesday July 02, 2003 @05:45PM (#6353514) Homepage
    Is this how they are going to roll out a national database system? Saying it will help in the fight against spam and forgery? Not that I'm "totally" against such a system, but it seems like they are misrepresenting the true nature of this.
    • by Anonymous Coward on Wednesday July 02, 2003 @05:51PM (#6353593)
      Is this how they are going to roll out a national database system? Saying it will help in the fight against spam and forgery?

      Look, anything that can possibly improve the situation that someone picking up my social security number and date of birth and a few other simple facts about me can end up stealing my identity is a good thing. We're increasingly reliant on computers and digital information yet we have no decent national digital signature infrastructure in place. It is a very sad state of affairs when my mother's maiden name can still be expected to be used as some kind of secure authenticator to protect my bank account information.

      • anything that can possibly improve the situation that someone picking up my social security number and date of birth and a few other simple facts about me can end up stealing my identity is a good thing.

        No, anything that does that, is not necessarily a good thing. Entrenching something stupid, to the detriment of vastly superior technology that has been around and proven for more than a decade, is a bad thing. And using the government to do that is even worse, because too many people trust government, s

    • And the database is Patriot Act complaint too!

      1. Use of a Patriot Act compliant
      database vetting process to gain initial
      assurance of an applicant's identity
      before sending the applicant to the
      Postal Office for IPP.
    • You see, unlike certain private businesses [slashdot.org], the USPS takes your privacy a little more seriously, if for no other reason than because they're required to by federal law. When you give them information, being that they are an arm of the federal government (more or less), there is a notice they are required to show you that explicitly spells out what they can and cannot do with your information, who they can and cannot give it to, and under what circumstances.

      eBay will give out sellers' information to whomev
  • by mhore (582354) on Wednesday July 02, 2003 @05:46PM (#6353522)
    what good is a digital signature verified by the Post Office if you are unable to.......... speak?

    Mike.
  • by DaRat (678130) on Wednesday July 02, 2003 @05:46PM (#6353528)
    Just a comment about the "Funny, they don't seem to always know where to deliver so-called first-class mail ..." remark.

    Have I had mail lost? Yes. Is it annoying? Yes.

    But, think about how amazing it is about what the USPS does right. It moves billions of pieces of mail every day, and almost all of it (percentage wise) gets to where it should be going in spite of the fact that not every piece of mail can be automatically routed and multiple people end up looking at it at one point or another. And, in spite of the price increases, I can still send a letter anywhere in the US for 37c and it'll usually get there within a 2-3 days.

    Sure, dealling with the post office is a pain occasionally, and they do lose some mail. But, when I think about the scope and scale of what they do right, it does boggle my mind.
    • by jdcook (96434) on Wednesday July 02, 2003 @05:55PM (#6353635)
      Mod parent up. I love how /. editors make fun of the post office for an almost imperceptible error rate in billions of pieces of mail but cannot even post a hundred stories in a row (I'm guessing) without a dupe or other obvious error.
    • Actually, USPS refuses to drive up my driveway to deliver a package, then leaves a postcard in my mail box telling me they attempted delivery. Of course, when I take that postcard down to the post office, they tell me they can't let me have my package because the carrier is still driving around with it... look, if you're not going to bother even checking to see if I'm home, why not just leave the damn package at the post office?
      • Actually, USPS refuses to drive up my driveway to deliver a package, then leaves a postcard in my mail box telling me they attempted delivery.

        Heh, my mail carrier doesn't even bother to buzz my doorbell, about two feet away from the box. Yet he still says he takes the package with him. What is the point in that? What really annoys me is that my post office arranges their packages by day of arrival instead of address so there is always a huge line, then you get up there and they can't find the package.. th
      • by egburr (141740) on Wednesday July 02, 2003 @07:28PM (#6354384) Homepage
        Strange, my postman walks down my driveway to deliver packages that require a signature or are too large for the mailbox. My driveway is 200 feet long and the center is 15 feet lower than either end, so he literally does have to walk uphill both ways. Despite that, he is not out of breath (I usually am after walking it twice to haul the garbage to the curb) and has had a smile on his face every time.

        You might talk to your local postmaster and see if there is some reason he doesn't knock on the door.

  • I dunno, while this seems like a great idea on the surface, I am a little leery about going and getting "proofed" for this digital signature. Having not read the article, it seems like just one more database entry on me to be cross-referenced so that I can be "accurately" profiled by the government or whatever other really large entity decides they want to. I'll stick to my GPG signature, thanks. But then again, maybe my foil hat needs to be adjusted....
  • Who am I? (Score:3, Interesting)

    by fm6 (162816) on Wednesday July 02, 2003 @05:48PM (#6353548) Homepage Journal
    Funny, they don't seem to always know where to deliver so-called first-class mail ...
    I suppose that was meant humorously, but there's a serious point here. It doesn't matter whether the PDF (they better find some other initials) accurately describes the person it's issued to. You can take it for granted their will be a high fraud rate -- as there already is in the domain registry records.

    What's important is that the PDF is unique. Once it becomes clear that a PDF is associated with a spammer, the PDF will become useless, no matter who it claims to belong to.

  • by I Want GNU! (556631) on Wednesday July 02, 2003 @05:48PM (#6353549) Homepage
    This sounds potentially like a great method to prevent spam or at least to allow verified mail, but it still doesn't sound like a complete solution. One of the distinguishing characteristics of the Internet is that it allows people anonymity. If only emails with digital signatures are allowed then anonymous email won't get through. On the other hand, if verified email were possible, it would prevent false positives for spam and Bayesian filters could handle the rest of email. This way emails wouldn't be falsely designated as spam and everything would get through.
    • No postage due (Score:2, Interesting)

      by poptones (653660)
      I doubt this will become the way. To begin with it's US-centric and the internet definitely ain't. So is everyone in the world supposed to get a number?

      The other failing is it would be trivial to simply lie about the number - that is, if a number is required (just as an IP is now) then spammers will simply make one up. In order for a "valid" number to be required to traverse mail then every email would have to be authenticated through a central database. Thus, it's completely impractical as a means of redu

    • One of the distinguishing characteristics of the Internet is that it allows people anonymity.

      If a rape crisis center, whistle-blower journalist, police tip hotline, etc. wish to receive anonymous emails and phone calls, they are certainly welcome. People can still use public phone booths and unsigned/unsecured SMTP for this purpose. But (unless employed by one of the above) that doesn't mean I have to read the stuff also.

      For the rest of us, this registration system will be great, because spammers must no

  • Seriously. (Score:5, Funny)

    by American AC in Paris (230456) on Wednesday July 02, 2003 @05:48PM (#6353552) Homepage
    Funny, they don't seem to always know where to deliver so-called first-class mail ...

    I hear ya there.

    The USPS could learn a thing or two about accuracy and error-prevention from Slashdot.

    fnord

  • Certificates (Score:5, Interesting)

    by KeyserDK (301544) on Wednesday July 02, 2003 @05:48PM (#6353556) Homepage
    I recieved my official danish digital certificate(x.v509) by getting two pin codes. One via snail mail and the other when I ordered the certificate via the web. Both had to be typed in to recieve the certificate via mail.

    Seems pretty secure to me.

    The only thing it works for so far is tax stuff, and mail.

    • Ofcourse i did not recieve it by email. It was 'delivered' via https
    • Re:Certificates (Score:3, Informative)

      I recieved my official danish digital certificate(x.v509) by getting two pin codes. One via snail mail and the other when I ordered the certificate via the web. Both had to be typed in to recieve the certificate via mail.


      Seems pretty secure to me.


      That verifies your snail mail address, not your identity.

    • Huh. And to think all these years I've been eating totally unencrypted danishes.

      Got anything to help with my cleartext pop-tart situation?
  • Ramifications (Score:5, Insightful)

    by the_pointman (143482) on Wednesday July 02, 2003 @05:49PM (#6353569)
    The USPS' idea for certified proofing for digital signatures is in the right direction for securing financial transactions, helping to prevent spam (in the case of accepting emails only e-signed from registered people), but initiating such a project will bring the US closer to a National ID card.

    By attaching services such as online tax refunds or filings, the public will be /required/ to register with the USPS in order to take advantage of the online filings with the IRS. Sure, but what if people just file in paper? Without a doubt, the government will then ad a fee to paper filings to encourage taxpapers (everyone) to register with the USPS service.

    Let me see your papers, please!
    • The ramifications of an National ID card are that the benefits outweigh the downside. I get 6 credit reports a year (3 credit bureaus x 2 times a year) just to make sure that someone isn't opening up Visa cards in my name.

      Why do I have to do this? Because the world we live in currently uses my SSN, mothers maiden name, and a computer generated FICO score to determine whether to insure me and extend credit. When this "credit info" is wrong, and so far I've found literally constant errors. It takes 6 mon
      • because no one could fake a National ID card or biometric information.
        Or the fact the people who are perfectly legal and have no prior never commit crimes.

        Your frustration is with the credit companies who do operate there business in the best manner for there customer. Please remeber YOU are not there customer.

        The problem that arises from a National ID card is the it immediatly pouts you in a position to prove your innoncence. The nation ID cards time will not come until those laws are in place.

        When you
      • I agree with you in spirit, but I vehemently disagree about making this mandatory. Providing a reliable way to verify someone's ID outside the (god-damned) banking system is a great service - but I disagree that anyone should be compelled, simply because of their nationality, from signing onto such a service.

        If you want credit you accept that you have to share some amount of personal inormation with the banking authorities. This would provide an alternative means of identifying oneself without having to ta

  • Patriot Act Tie In (Score:3, Interesting)

    by Fred IV (587429) on Wednesday July 02, 2003 @05:50PM (#6353579)

    2.1 Eligibility For a Certificate Authority (CA) to use IPP, the CA must incorporate the U.S. Postal Service In-Person Proofing Policy into their Certificate Policy. Conformance to the Postal policy includes: 1. Use of a Patriot Act compliant database vetting process to gain initial assurance of an applicant's identity before sending the applicant to the Postal Office for IPP.

    Yay, more data to shove into the Patriot Act machine. What a bargin!

  • in bulgaria (Score:2, Informative)

    by darp (181922)
    I saw this in Bulgaria. Few online banking sites require use of digital certificates and username/password. You have to go in person to one of the bank branches before you can get a digital certificate. Once having the certificate one can do a lot of things that we can;t here in US - online transfers, forex, etc
    • we can;t here in US - online transfers, forex, etc

      I have several accounts with different banks here in the US. They all have online transfers.
  • by Anonymous Coward on Wednesday July 02, 2003 @05:51PM (#6353589)
    User enters post office. Waits 20 minutes in line. Gets to front of the line.

    Agent: (slowly) May I help you?
    User: I'd like to get a certified digital ID.
    Agent: (slowly) Okay, please go to the back of the room and fill out form 2219. When you're done, please bring it back to the front.
    User searches a while
    User: Where's the form?!
    Agent: (slowly) If it's not there, we're out. You can always call 1-800-ASK-USPS for more information.
    User: But they told me to come here! You have to verify my ID!
    Agent: (very slowly) I'm sorry, you'll have to speak to the manager. He's gone for the day. You'll have to come back Monday at 10 am.
    User: AAAAIIIEEEEEEE!!!!! runs screaming from the post office

    Yeah, this will be a big hit.

    • Harry Tuttle: Listen, this old system of yours could be on fire and I couldn't even turn on the kitchen tap without filling out a 27b/6... Bloody paperwork.
    • Um, in my experience (with massive mailings, ebay stuff in crazy packages, maintaining a PO box, and other X-treme Postal Services), it'd go more like this:

      Me: I'd like a digital ID.

      Them: Ok -- can I see your driver's license? Alright, good enough. Smile. *Click!* There you go, that'll be (insert some sum that is aproximately 50% of comparable service from anybody else). Would you like stamps with that?

      Me: God, no, this is awesome.

      You must be thinking of the Clerk's office, DMV or one of the copiou
  • by ccmay (116316) on Wednesday July 02, 2003 @05:52PM (#6353604)
    Like a PGP key-signing party -- remember those? -- but without the party, and only a surly union-slug postal clerk instead of dozens of new and interesting techie friends. Too bad it never really caught on except as a way to check your open-source downloads.

    I am concerned that what begins as a voluntary initiative will one day become quasi-mandatory, like carrying a driver's license.

    -ccm

    • could I sign my PGP public key with the USPS one, creating a chain of trust?

      That way I could continue to use the PGP/GPG tools and keys that I already have and add whatever level of trust available from the USPS.

  • by HarveyBirdman (627248) on Wednesday July 02, 2003 @05:52PM (#6353606) Journal
    The United States Postal Service has announced that it will provide In-Person Proofing

    I swear on my grandmother grave that I saw "In-Person Shooting" when I first read it.

    A few less FPS games for me, I think. More Super Mario Sunshine and Animal Crossing for a while.

    Well, I have a 5-day weekend ahead of me. You all play nice.

  • Uh-huh... (Score:2, Insightful)

    by Angry Pixie (673895)
    So the digital certificate could be used to validate the mail I sent really came from me? Oh, I'd just attach the certificate to the email? Oh, there's a central repository where all the email addresses I might use can be linked to the certificate? Oh, how lovely... and who would this repository be available to? Only the government? Oh grand. Sign me up!
    • Re:Uh-huh... (Score:3, Informative)

      by hbo (62590) *
      No, the certificate authority would sign your personal certificate, just like they do now. The USPS would have an arrangement whereby they would prove that you are who the certificate says you are through a visit to your local Post Office. The central certificate repository would be at the CA.

      The Big Brother aspect comes in the arrangement between the USPS and the CA. As noted above, the CA would be required to check your identity against a Patriot Act database before passing the request on to the Post Off
  • Yes! (Score:4, Funny)

    by fireboy1919 (257783) <rustyp AT freeshell DOT org> on Wednesday July 02, 2003 @05:52PM (#6353610) Homepage Journal
    This is just what I've been looking for!
    (start playing the sad story music, if you have any - Michael Jackson stuff will work real well here)
    You see, I've had sort of an identity crisis - not really sure who I am. The post office can finally change that. They can authenticate me, and authenticate who I am. No more wandering willy-nilly.

    (at this point please begin playing some patriotic music to get the full effect of the message)
    With the post office as my guide, I will rise to the brink of a better tomorrow and boldly go forth to face my dreams because I am authenticated!

    Thankyou, US post office. The world is in your debt.
  • by tx_kanuck (667833) on Wednesday July 02, 2003 @05:53PM (#6353612)
    1) How well will this work with other authtication techniques? (ie. if other postal systems start this, will there be interoperability? If so, who coordinates this?)

    2) How good is the procedure to replace a lost/stolen certificate?

    3) What good is this for people not in the US?

    4) If someone lives in the US, gets one of these, and then moves, can it still be updated/replaced?

    5) I forget the other question.

    Granted, I only skimmed the article, so I may have missed the answers, but still....
  • It depends - this offers a way to get common certification available (ala Paladium) using a government as the trusted body and not Microsoft. That's a step up, but still not perfect considering the ammount of fraud (welfare, SS etc) that people still seem to get away with on the gov'ts watch.

    If they combine it with a decent PGP style web-of-trust implimentation and let the user decide what weighting he wants to give to trusts he has assigned and those that the USPS has assigned then this could be a killer
    • unfortunatly, Certifications such as paladium only identify the computer, not the user.

      Of course Bill wants to tie smart card with paladium, which will make them seem more secure.
  • non-USA email (Score:3, Insightful)

    by innocent_white_lamb (151825) on Wednesday July 02, 2003 @05:59PM (#6353682)
    Not all email that doesn't originate in the USA is spam. Using this as a spam filter would balkanize Internet email and make it "domestic USA mail only" for US residents, and available internationally only for those who live elsewhere.
    • It also wouldn't stop spam. Spammers have no problem breaking into people's systems to send email. Digital certificates will not stop them.

  • After reading the article (hey! There's a first for everything!), it seems as though the USPS will only be providing official ID verification to 3rd-party CAs who will use it to determine whether they, not USPS, will issue the cert. In other words, the USPS will only be vouching for you to the CA - they won't be authenticating you to the public at large.

    Great. Just great. Now I get to deal with the Post Office and Verisign when I want to lock down an SSL site.

    Please shoot me.

    • the USPS will only be vouching for you to the CA - they won't be authenticating you to the public at large.

      It looks like that, but because the database must be "Patriot Act compliant" , it will be like the government owns the data anyway. This way they get all the information and get to subsidise their favorite "top quality private sector business".

    • The USPS has its own CA which is used to issue the personal digital certificates. If you have a relatively new browser, their CA's certificate is probably in your certificate store, so you can check it out for yourself.

  • I hate X.509 (Score:4, Insightful)

    by Sloppy (14984) * on Wednesday July 02, 2003 @06:06PM (#6353733) Homepage Journal
    Forget this X.509 crap, I want postmaster@usps.gov to sign my PGP key!

    I hate X.509. It's cumbersome and weird (that extra 'cert request' step), while also being functionally lame (only one signature, and you have to either completely trust it or not). Why anyone would want to use that when there's something so much better available (OpenPGP), is beyond me.

  • Australia Post (Score:2, Interesting)

    by Anonymous Coward
    Australia Post was looking at providing this service for it's "Gatekeeper" x.509 platform. It is also known as "RA" (registry Authority), and considering that Australia Post is already the "RA" for our passport applications - they would probably be the best suited too.

    I don't think that X.509 has been "widely accepted by the community" yet... so I can't find any more details about it..
    • Re:Australia Post (Score:3, Interesting)

      by ZenJabba1 (472792)
      Australia Post actually did issue X509 certificates, I still have the floppy disk. I think in the end they issues around 500 certificates because nobody was using them as nobody had the hardware needed to support the backend processing (AP wanted dedicated links in the backend servers to the ROOT cert).

      It eventually failed and has never been heard from again. I do remember them sending me a email telling me it was going to be dismantled and I had 12 months more use of my certificate for free.

      They also use
  • the definition for having people appear before issuing a cert has been around as long as there's been 3rd party CA's. However, a practical application to make it explode hasn't (most consumers still don't have a compelling reason to get any personal cert, except for the one they get in a smartcard). Frankly, there wasn't any reason for a consumer to get one because there was no compelling benefit

    I would hazard to guess that the majority of consumer-level encrypted e-mail relies on PGP, not 3rd party-ca

  • Just what we've all been waiting for, our government approved identity mark. [uspto.gov]
    Tell us, will we be tattoed with it, and if so, will it be on the forehead or the right hand??

    (http://patft.uspto.gov/netacgi/nph-Parser?Sect1 =P TO1&Sect2=HITOFF&d=PALL&p=1&u=/netahtml/srchnum.ht m&r=1&f=G&l=50&s1=5,878,155.WKU.&OS=PN/5,878,155&R S=PN/5,878,155)

    If you don't believe it, go to the United States Patent Office website and search for APPROVED patent number 5,878,155
    and or thi
    • so, the patent is aproved? in all likley hood, Heeter; Thomas W. (55 Lyerly, Houston, TX 77022) is just some guy with a good sense of humor. If I had thought about it, I would of applied, it pretty damn funny. Besides, if the devil is comeing to town, why not make a buck?

      or perhaps he aplied for the patent to PREVENT it from happening?

      As long as we have seporation of church and state, and freedomn of religeon, the mark of the beast will not come to pass.

      now, if only it had someting to do with the origina
  • Red Alert! (Score:4, Interesting)

    by twitter (104583) on Wednesday July 02, 2003 @06:31PM (#6353920) Homepage Journal
    A number of top quality private sector business have masterd the technology around the use of secure digital signatures...

    Market droid talk. If they are so good why does the post office need to get into it? Other talk about "demand", "unique service opportunity" and trusted computing has my back up. It's all so Microsoft sounding. But that's just the beginning.

    They are going to use "comercial database checking", and the databases must be "Patriot Act Compliant". While the commmercial database check looks like coroprate welfare, it the Patriot act part looks like a land grab. What, besides any old G-man clerk having the athority to look at all of your data, constitues Patriot Act Complience?

    The authentication method is first class mail. and a file that dissapears in four years. I'm not going to think very hard about all the ways to defruad the post and defeat this system, but mail fraud is still a common problem. The dissapering file is the real clincher. What "top quality private sector bussines" has a patent on DRM OS and has been touting files that expire as a means to "trusted computing"?

    Having a certificate athority is good. Using that need as a means to nationalize software, usurp private databases, funnel tax money into private hands and foce everyone to use propriatory software is not good. The system needs to be run on proven free and open standards in a non-revocable manner.

    The USPO is going to have to do better than that to win my trust. I've got one Microsoft machine for talking to an old camera and a scanner. I don't let it see the internet because it's so easy to break and own. Any plan that would force me to use software I don't trust for ecommerce is a plan I don't trust or want.

    Two years ago, some moron told me that the US government would make it illegal to run anything but Microsoft software. He actually thought this was a good idea and was convinced it would happen. I told him that would violate the first amendment rights to free speech, and effectivly nationalize general purpose computing and such laws were laughably unAmerican. I'm not laughing anymore.

    Someone tell me I'm just paranoid, please.

    • Well, since you asked so nicely: You're just paranoid.

      Yours truly,
      B. Gates.
    • If they are so good why does the post office need to get into it?

      Because there is one within a few miles of everyone in the US? What, would you rather trust the zit-faced idiot at the 7-11 had "verified" the identity of those your correspond with?

  • Seriously, I'm guessing a whole crowd of black hats read that story and went "Hurray!".
  • by shiflett (151538) on Wednesday July 02, 2003 @06:33PM (#6353931) Homepage

    I was actually one of the developers of this project (three years ago), and it is funny to see that they are finally "announcing" it.

    The idea is simple, and it is actually a useful service that the USPS has the resources to provide, if they actually go through with it. Whereas SSL only authenticates the server (among other things, of course), the allocations for client authentication in SSL are optional and very rarely used. All the client needs for this is its own digital certificate, just like the server has its certificate.

    So, to get an SSL certificate, we (whether we like it or not) trust the various CAs to make certain that they are granted to the rightful owners. When it comes to client certificates, the scope of the problem becomes much larger, because you are authenticating people rather than domains. If you fail to properly identify someone before issuing the digital certificate, the point is lost.

    The USPS has post offices all over the US (their only country of concern in this case), and this fact provides the perfect platform for authenticating people. Just as with Passports, you must prove your identity in person before being authenticated.

    How do the pieces fit together? Well, it is fairly simple, but it involves a lot of existing systems, some of which are aging. You register online (providing much personal information, including what forms of ID you will be bringing with you). This generates a letter that is sent to your address (verifying your address in the process). You take this letter to the post office, and if you pass the in-person proofing, the clerk scans the barcode on the letter. This scan makes its way back to the system in about 24 hours, and then your digital certificate is generated. An email is sent to let you know, and you can then download it from the Web site after logging in.

    At any rate, I still think the general idea is a good one, and this would be a useful service for a lot of people. I hope it is successful.

  • by EvilStein (414640) <spam@pbp . n et> on Wednesday July 02, 2003 @06:33PM (#6353934) Homepage
    "Funny, they don't seem to always know where to deliver so-called first-class mail ..."

    No, not very funny. Rather clueless. Did you know that the USPS has domestic airlines carrying mail?
    I can't even count the times I've found stray (or lost) bags of mail in aircraft. One of my many job functions when I worked for a ground handling company was to make sure that mail for Anchorage actually got *on the right aircraft* and didn't wind up on a flight to Miami. We'd actually check behind the belly toolbox on that old nasty DC-8 looking for mail bags.
    Ever seen a 55' truck back up to a DC-6? Yes, folks. Bulk loading 33,000lbs of mail into a friggin DC-6 bound for northern Alaska.

    Sure, mail gets lost sometimes, but it's not always the fault of the USPS.

  • Digital Signature!
    Post office gets it to me
    How soon it must die.

  • by geekoid (135745) <dadinportlandNO@SPAMyahoo.com> on Wednesday July 02, 2003 @06:47PM (#6354055) Homepage Journal
    that slashdot would slam the USPS for its incredibly rare mistakes?

    If the people who ran /. ran the postoffice, my mail would only get handled correctly about 4 out of 10 times. the good noes is, I would regularly get the same package twice.

  • by shri (17709) <shriramc@nOSPam.gmail.com> on Wednesday July 02, 2003 @07:45PM (#6354513) Homepage
    http://www.smartid.gov.hk/en/index.html

    and so does Hong Kong Post.

    http://www.hongkongpost.gov.hk/product/ecert/typ e/ smartid/index.html
  • by option8 (16509) on Wednesday July 02, 2003 @08:33PM (#6354769) Homepage
    the last (several) times i have moved, I've gone down to the post office, picked up an official postal change of address form, filled it out and mailed it back in.

    as far as i can tell (and the USPS may have updated their policy since the last time i moved) there's no ID, or any kind of proof of identity for that matter, involved in filling out a change of address form. that, and no confirmation after the fact that it had been accepted and processed - other than your mail showing up at the new address with a big yellow sticker over the address. i.e. nothing to prevent someone filling out a form for somebody else

    in fact, i read several years ago in a book of "dirty tricks and practical jokes" that a fun little prank to pull on someone you don't like was to fill out a change of address form for them - forwarding their mail to an address in another state. another fun one was to send a threatening letter to 1600 pennsylvania ave with their return address. postal inspectors *and* secret service when the prez is in town. fun for the whole family!

    now, tell me they've updated this procedure - which used to be done with a simple mail-in form - or else tell me how i'm supposed to trust this same organization as an authority regarding someone's identity.
  • by QuietRiot (16908) <cyrus@80[ ]rg ['d.o' in gap]> on Wednesday July 02, 2003 @09:07PM (#6354977) Homepage Journal
    I'm curious when we may have access to a government approved digital time-stamping service?

    Ever like to prove to somebody that a document existed at a certain date? "Mail it to yourself. It's got the postmark."

    Well, besides the fact that this ploy would never stand up in court (it's too easy to steam the flap open), it's a good idea.

    How about the USPS providing a digital document time-stamping service? What good time-stamps are availible out there that would stand a test at the patent office, for example???
  • by John Jorsett (171560) on Wednesday July 02, 2003 @09:15PM (#6355023)
    If we can't screen out millions of illegal aliens who manage to come to the U.S. and present documents that are good enough to let them satisfy the government's requirements to prove to an employer that they are eligible to work in the U.S., how is this going to be better? If the answer is "better documents," how come we aren't requiring those better documents to be presented to the employers?
  • Questions (Score:3, Insightful)

    by MagPulse (316) on Wednesday July 02, 2003 @09:58PM (#6355222)
    After reading the article (quickly) I still have some questions:

    1) What kind of certificate is being given? X.509?

    2) What private information is kept by the user to be used to encrypt or sign data? In PGP you have a key that's usually thousands of bits long. I just read that X.509 certificates only use a password. If this is true, wouldn't it be a lot easier to crack? For example, by encrypting data with tiny passwords until a browser or e-mail program accepts it?

    3) How is the private info given to the user? If it's in person when the user signs up, then it has to be randomly generated since no one at the office should see it. If it's sent in the e-mail notice for downloading the certificate, that can't be secure can it? So it must be given at sign-up in a sealed envelope right?
  • Hong Kong has it (Score:4, Informative)

    by lamj (153635) <`jasonlam' `at' `flashmail.com'> on Wednesday July 02, 2003 @10:19PM (#6355314)
    Hong Kong Post office is teaming up with the government to offer the same thing, this has been available for over a year now. Refer to this link [hongkongpost.gov.hk].

    The Hong Kong Government has recently roll out a renew plan for all citizens to renew their ID card (mandatory, must be on the person at all times). This new ID card is a smart card which also allow storage of digital cert.

    Because of this mandatory ID, the cert roll out plan (storage and distribution) is relatively easier than other countries.
  • by ReadParse (38517) <(john) (at) (funnycow.com)> on Thursday July 03, 2003 @02:39AM (#6356392) Homepage
    I didn't have to look far to see the usual "postal service sucks" stuff. Heck, even the poster (as opposed to the submitter) couldn't resist offering a little jab.

    These people obviously don't know what it's like outside the United States. yes, I live in the US and I was born here, but I have been around enough to know that the US is where I belong. And the USPS is a great example of why it's so great to live in America. As big as the country is, 2-3 days is usually enough to get mail from anywhere to anwhere (Continental US, of course). I mail things with absolutely no fear of anything getting lost, and I have never known of any situation where something was legitimately lost in the mail.

    It's always been an excuse, and a useful one for certain people, since it's impossible to disprove (can't that a letter than can't be found and that wasn't tracked was ever sent). Anyway, I'm sure some people have had trouble with the postal service, and we've all had run-ins with specific postal workers who don't care about their jobs (just like at McDonald's and Kmart and every government office).

    The only negative experience I ever had with the actual service was a long time ago... like 15 years or so. A letter had been accidentally "mutilated" on the way to my mailbox. That was their word, not mine. It had obviously gotten caught in some sort of machine and it was useable and readable. But it came sealed in a special plastic covering with an amazingly-apologetic statement, just going on and on about how much of a disappointment and an inconvenience they had been to me. I couldn't believe it.

    Ok, I'm done ranting. Continue slamming the postal service all you want. Oh, and by the way, I think this is a good idea. This is an organization that has a high degree of trust and is available for everybody in the US to easily to the in-person visit. Brilliant.

    RP

If I have seen farther than others, it is because I was standing on the shoulders of giants. -- Isaac Newton

Working...