USPS To Provide Personal Identity Certification

Zentalon writes "The United States Postal Service has announced that it will provide In-Person Proofing (pdf) to physically authenticate individuals before a digital signature certificate is issued to that person. This has a bunch of interesting ramifications; for instance, I could create a simple spam filter that only accepts mail from individuals and organizations that have an authenticated certificate. It could also allow for more secure financial transactions. Anyone know if any other national postal services are planning the same thing?" Funny, they don't seem to always know where to deliver so-called first-class mail ...

Deutsche Post did that

[sebmol]

Shortly after digital signatures became legally equivalent to regular signatures in Germany, Deutsche Post (the German postal service) offered digital authentication. Last time I heard about it, it was being scrapped due to a lack of demand.

Re:Deutsche Post did that

[BlueWonder]

Shortly after digital signatures became legally equivalent to regular signatures in Germany, Deutsche Post (the German postal service) offered digital authentication.

Maybe I misunderstand the Federal Register text, but I think the USPS doesn't intend to act as a CA itself, but to verify the identity of people for other CAs. The closest Deutsche Post equivalent to that would be PostIdent.

Re:Deutsche Post did that

It's called "PostIdent". Direct banks use it to authenticate customers, for example. Here is more information about this service (in English).

Re:Deutsche Post did that

[sebmol]

PostIdent looks like it's supposed to allow identification of the recipient of regular mail. This is not the same as digital signatures where I can sign a document digitally, e-mail it to somebody else, and that other person can verify that it was indeed me who signed it. Deutsche Post used to provide a part of the infra structure for that.

Re:Deutsche Post did that

[shokk]

Big whoop. You can do that by looking up people near you in Thawte's Web of Trust and getting identified enough times. I got my cert and then enough signatures in one evening at a local UG meeting to get my name on my cert. Get 100 points and then you too can certify others. And no one needs to pay taxes to support Thawte's free certs.

Re:Deutsche Post did that

[Skjellifetti]

Thawte wants to have my Social Security Number, address, shoe size, and employer name in order to enroll. Thawte does claim that they will never, ever divulge this info to anyone. But I've never met a CEO with that kind of data who wasn't eventually tempted into selling it. Screw 'em. The Post Office might be a much better scheme if I only have to show up at a Post Office in person and show them my ID (drivers lic, passport, etc) without having to divulge this info to the CA.

Re:Deutsche Post did that

The critical part is in-person authentication. On top of that, anyone can build a public key infrastructure. The USPS is going to provide an equivalent to PostIdent to third party certificate authorities.

Re:Deutsche Post did that

[mitchkeller]

Don't know if you're trying to claim that US tax dollars go towards the USPS, but they've been a self-sufficient entity for some time now. They're essentially run like a private business, but with all the bureaucracy of the government. The worst thing that could happen here is that the cost of sending a letter goes up, and we're getting by so cheap as it is in that regard that I can't complain unless they do something like raise the cost to an amount other than $0.40.

Re:Deutsche Post did that

[shokk]

Thawte will take your SSN *OR* a driver's license number. Since you have no problem showing that to a complete stranger at the post office, you should have no problem showing it to Thawte. I sure as hell wasn't going to give them my SSN. I don't recall ever telling them who I worked for. It's a private cert and has nothing to do with who I work for, though I have used the account to get certs for my workplace email and other unrelated personal accounts.

Re:Deutsche Post did that

[shokk]

Right, because the government won't bail them out if they suddenly find that they have to raise the price an objectionable amount. You yourself just said that you would find anything over $0.40 objectionable which is not that far off. What happens when some other flakes decide to spread anthrax and the post office decides it should now cost $1.40 to mail things so that it can all be more secure? Just like what the airlines fell into after 9/11. Welcome to tax subsidized service, now with 50% less service. Flying these days is like visiting the DMV!

Seriously, is there anything circulated by standard bulk mail these days that cannot now be done through email where it can be distributed much more cheaply and can be discarded more easily? How much of our infrastructure is dedicated to paying for automobiles and their gasoline for sending around flyers about new mortgage rates, pre-approved credit cards, and a sale down the street, the very things we are up in arms about in SPAM? I know not everyone has a computer or can afford good Internet service, but what I would give to get my bills and maagzines on time (see Zinio.com for online magazine distribution where I have received my Eweek mags). I already pay bills online, why not do everything else that way? Paper is so 2002.

The Post Office? Seriously?

[Just+Some+Guy]

Of course, your certificate will be snailed to you on the back of a postcard. 10% of them will be lost. Complaints will be handled by people too slow to work at the Department of Motor Vehicles. And although they'll only cost $0.37 to start, their price growth will outstrip inflation. When a competing company starts doing the same things with better service and prices, they'll whine that they're losing business and raise prices again.

Other than that, I'm sure it'll be great. When will my local branch (literally in a small town in Nebraska) have their PKI training day?

Sounds like...

[Klev]

Sounds like an opourtunity to charge us. This seems a lot like the door opening for the postal service's charging to send emails. Why else would they be offering to develop this amazing technology? To make our lives better?

Re:Sounds like...

[t0ny]

The post office proposed offering email as a provided service long ago. But your complain has little merit, because many spam-stopping plans already propose adding a "cost" to email, even if it is a nominal fee such as $.01/message. A corportation would shrug at having to pay $8/day for email, but would a bulk mailer sending millions of messages per hour?

The problem with people complaining about paying is that, for things that are worthwhile, its not about the money. Eventually you will have to pay for something, you are better off spending money on what you want, as opposed to getting what you dont want for free.

Re:Sounds like...

[Klev]

Nono, you misunderstand me. I understand your point, I am merely saying that if each of us has a digital id tagging the email mesages and whatnot, they can install little USPS scanners on the main routers of the internet and send information on whos been emailing to their headquarters. Then they would send us a monthly tax or however they would impliment it, but it could be done.

Re:Sounds like...

[t0ny]

Honestly, if it can prevent me from having to get 150 junk mail messages per day to my email account, Im for it. What do I care if some goober in the post office can look up that I sent an email to my mother?

Re:Sounds like...

No, they're going to be charging you to verify emails (or whatever).

The business model is basically using the current retail channel that makes it "easy" for consumers to get a Certificate, and then charging vendors to actually validate those Certificates.

They're trying to become a new kind of MS Passport service.

If it takes off with any popularity, and somebody like eBay offers "free" validation during registration, then sellers will start requiring it from domestic buyers.

Re:Sounds like...

[Klev]

How would they control messages from other countries? They would just be collecting money from us and eliminating 'legitimate spam' (if there is such a thing) in the states. Perhaps Canada and a few other countries if they signed on with their postal services...but what about countries that dont? A tax is a tax.

Re:Sounds like...

[GigsVT]

nominal fee such as $.01/message. A corportation would shrug at having to pay $8/day for email,

That's only 800 emails a day. Our company of 150 produces that much per day, at least. $2000 per year for a company that only has revenue around the low 8 digit range, it's not something they would "shrug" at, especially since it would offer no benefits.

This is just like gun control anyway, it would only hurt the law-abiding. Only the non-spammers would follow the rules and pay the fees, the spammers would just crack into other people's systems, and run up huge email bills sending their spam.

Is this the start of it?

[Blaine+Hilton]

Is this how they are going to roll out a national database system? Saying it will help in the fight against spam and forgery? Not that I'm "totally" against such a system, but it seems like they are misrepresenting the true nature of this.

Re:Is this the start of it?

Is this how they are going to roll out a national database system? Saying it will help in the fight against spam and forgery?

Look, anything that can possibly improve the situation that someone picking up my social security number and date of birth and a few other simple facts about me can end up stealing my identity is a good thing. We're increasingly reliant on computers and digital information yet we have no decent national digital signature infrastructure in place. It is a very sad state of affairs when my mother's maiden name can still be expected to be used as some kind of secure authenticator to protect my bank account information.

Re:Is this the start of it?

[BrookHarty]

And the database is Patriot Act complaint too!

1. Use of a Patriot Act compliant
database vetting process to gain initial
assurance of an applicant's identity
before sending the applicant to the
Postal Office for IPP.

Re:Is this the start of it?

[Sloppy]

anything that can possibly improve the situation that someone picking up my social security number and date of birth and a few other simple facts about me can end up stealing my identity is a good thing.

No, anything that does that, is not necessarily a good thing. Entrenching something stupid, to the detriment of vastly superior technology that has been around and proven for more than a decade, is a bad thing. And using the government to do that is even worse, because too many people trust government, so it will be further legitimized from the mainstream's point of view.

It is a very sad state of affairs when my mother's maiden name can still be expected to be used as some kind of secure authenticator to protect my bank account information.

It is a sad state of affairs when a signing key at some gigantic central authority needs to be used so often, that thousands of government employees will have access to it for a variety of purposes. And not only will any one of them be able to fake identities, but also, when that key is compromised, it will be impractical to revoke it because it's used for so much, so there will be a coverup or people will just not care or understand and have a false sense of security.

It is a better state of affairs, if you can go to your bank to exchange keys once, and then only a smaller number of insiders will have access to that signing key, so the cert will have more meaning. (Buzzword: "compartmentalization".)

And it's an even better state of affairs when your toolset encourages you to have one public key that lots of different parties can certify, so other people won't have to just take one party's absolute word for it, whether the key is really yours or not.

(Ok, bias alert: yeah, I posted something with "I hate x.509" as the subject. ;-)

Re:Is this the start of it?

[Guppy06]

You see, unlike certain private businesses, the USPS takes your privacy a little more seriously, if for no other reason than because they're required to by federal law. When you give them information, being that they are an arm of the federal government (more or less), there is a notice they are required to show you that explicitly spells out what they can and cannot do with your information, who they can and cannot give it to, and under what circumstances.

eBay will give out sellers' information to whomever, whenever. To find out who owns a PO box generally requires a subpoena.

But tell me...

[mhore]

what good is a digital signature verified by the Post Office if you are unable to.......... speak?

Mike.

Amazing what the USPS does do with mail.

[DaRat]

Just a comment about the "Funny, they don't seem to always know where to deliver so-called first-class mail ..." remark.

Have I had mail lost? Yes. Is it annoying? Yes.

But, think about how amazing it is about what the USPS does right. It moves billions of pieces of mail every day, and almost all of it (percentage wise) gets to where it should be going in spite of the fact that not every piece of mail can be automatically routed and multiple people end up looking at it at one point or another. And, in spite of the price increases, I can still send a letter anywhere in the US for 37c and it'll usually get there within a 2-3 days.

Sure, dealling with the post office is a pain occasionally, and they do lose some mail. But, when I think about the scope and scale of what they do right, it does boggle my mind.

Re:Amazing what the USPS does do with mail.

How do you know if you have had lost mail. It never got to you.

Re:Amazing what the USPS does do with mail.

[jdcook]

Mod parent up. I love how /. editors make fun of the post office for an almost imperceptible error rate in billions of pieces of mail but cannot even post a hundred stories in a row (I'm guessing) without a dupe or other obvious error.

Re:Amazing what the USPS does do with mail.

Reminds me of of one time I tried to change my address using one of those forms in the post office. I tried to hand it to them at the counter and they just told me to drop it in the mail. I did and several days later I received half of it back (the part with my old address on it) with a note attached to it apoligizing for mangling it and being unable to deliver it.

It started at the post office, its final destination was the post office but somehow it still got mangled in transit.

They did however have to have a person physically handle it to find the address to return it to, it was way too mangled to be read by a machine. I guess thats a plus

Re:Amazing what the USPS does do with mail.

[El]

Actually, USPS refuses to drive up my driveway to deliver a package, then leaves a postcard in my mail box telling me they attempted delivery. Of course, when I take that postcard down to the post office, they tell me they can't let me have my package because the carrier is still driving around with it... look, if you're not going to bother even checking to see if I'm home, why not just leave the damn package at the post office?

Re:Amazing what the USPS does do with mail.

Anyone who complains about the USPS delivery process has never tried to get a dial tone from GTE/Verizon/Whoever they are.

I only wish my local telco were anywhere near as reliable as the post office!

Re:Amazing what the USPS does do with mail.

[zenyu]

Actually, USPS refuses to drive up my driveway to deliver a package, then leaves a postcard in my mail box telling me they attempted delivery.

Heh, my mail carrier doesn't even bother to buzz my doorbell, about two feet away from the box. Yet he still says he takes the package with him. What is the point in that? What really annoys me is that my post office arranges their packages by day of arrival instead of address so there is always a huge line, then you get up there and they can't find the package.. this is especially true if it is something small like certified letter. I have a sneaking suspicion they don't separate these and just pile hundreds of packages on top of letters.

The upshot is I meet a lot of my neighbors, for better or worse, and we trade snail-mail horror stories. Two women told me about a sting operation her family ran that had one person standing by the mailbox, one at the post office, another chasing the delivery van.. and finally a last person conveying messages between them. They managed to get the package in just one day of work. It really was on the van despite stringent denials by the mail carrier, but the post office kept saying things like "oh, the package just went out to the van," "oh, I just left it back at the post office," "we just sent someone out to deliver it, you better hurry home so you don't miss the delivery!" This didn't happen to me, but with my experiences I do believe it. When I get a package notice at home half the time I just ask who ever made the mistake sending it there to send it to my work or to my local package service, when it eventualy gets returned.

Re:Amazing what the USPS does do with mail.

[egburr]

Strange, my postman walks down my driveway to deliver packages that require a signature or are too large for the mailbox. My driveway is 200 feet long and the center is 15 feet lower than either end, so he literally does have to walk uphill both ways. Despite that, he is not out of breath (I usually am after walking it twice to haul the garbage to the curb) and has had a smile on his face every time.

You might talk to your local postmaster and see if there is some reason he doesn't knock on the door.

Re:Amazing what the USPS does do with mail.

[K8Fan]

I agree. The USPS is a favorite whipping boy of a lot of people, but the service I've received from them is has been a lot better than UPS, and one hell of a lot cheaper than FedEx. At the main Chicago Post Office, where I have a P.O. Box (because my apartment building used to have someone who stole packages), every employee I've delt with has been courteous and professional.

Re:Amazing what the USPS does do with mail.

[madcow_ucsb]

better than UPS. they're more than willing to pick up packages, but have an alarming tendency to hold them hostage. They only seem inclined to attempt delivery between 9-5 (in my area, anyway) on weekdays, when I'm at work. So it gets stored at their warehouse, which is open 7 days a week to ACCEPT packages, but, naturally, is only opened M-F 9-5 to pick them up. So it's impossible to pick one up without taking time off work.

I don't know how on earth they manage to stay in business, combined with their HORRBLE customer service. I've long since given up using them and in any orders I make I instruct the vendor to ship to me via any method available EXCEPT UPS. The extra $5 to get it via FedEx or something is cheaper than taking time off work to get my package.

I don't think there's any company on earth worse than UPS, except possibly U-Haul (my its executives die horrible deaths and burn in hell for all eternity), but that's worthy of a rant of its own.

Re:Amazing what the USPS does do with mail.

[Uncle+Gropey]

As a mail carrier myself, I can tell you that if your carrier isn't going to your door with parcels then he/she isn't doing what they are supposed to do, and you should call in and complain to a supervisor, or even the postmaster themself if you live in a smaller community. In my office, I hear about every single complaint any of my customers have called in, so it does keep me trying not to make anyone mad.

Re:Amazing what the USPS does do with mail.

[Walt+Dismal]

Well, I live in Silicon Valley and am totally unamazed. They certainly can't get their act together. After 9/11 and the anthrax letters, most magazines I subscribe to began arriving two weeks late if at all, and now 1/3 never arrive, especially the scientific journals. In trying to resolve this I get caught between local PO and the SF PO, with both sides denying responsibility and no one resolving delivery problems. On the other hand, ALL junk mail arrives promptly and undamaged. I look forward to the day when the PO goes away, replaced entirely by electronic means.

Re:Amazing what the USPS does do with mail.

[mbstone]

All the delivery services (UPS, Fedex) do this. It's called ring-and-run. Probably they time these guys with stopwatches and if they actually wait for someone to answer the door they lose points.

Re:Amazing what the USPS does do with mail.

[LauraScudder]

What I'm really impressed with is the German post. When I order something from amazon.de, I get it in usually 1, maybe 2 days. My prof's mail corrected work back sometimes, and it gets there the next day. Where I live in the US at least, the minimum is 2 days to get a letter - from anywhere. Next day on a standard letter astounds me.

Re:Amazing what the USPS does do with mail.

[randmairs]

And not only that, they can decypher my mother's handwriting!!!

Re:Amazing what the USPS does do with mail.

[bill_mcgonigle]

USPS refuses to drive up my driveway to deliver a package

If they actually come to your home/mailbox consider yourself lucky. My post office won't even drive up our road because it's not densely poplulated 'enough' for them (20 homes on a 1.5 mile road). We have to go a mile to the bottom of the road to get our mail, either a long walk or a car ride. For packages, we get a card in the box if the package doesn't fit in the box. Our post office is 10 miles away. Fortunately, they've been convinced to leave packages at the post office that's 4 miles away (on the way to our post office), but serves a different ZIP code for folks in our area of town.

UPS will at least drop packages at the house (no crime, so no signature - sometimes they'll leave it in an empty car if it looks like rain).

Article text

35922 Federal Register / Vol. 68, No. 116 / Tuesday, June 17, 2003 /
Notices
Dated: June 12, 2003.
D.L. Gamberoni,
Technical Coordinator, Office of the Secretary.
[FR Doc. 03-15347 Filed 6-13-03; 11:53 am]
BILLING CODE 7590-01-M
POSTAL SERVICE
In-Person Proofing at Post Offices
(IPP) Program
AGENCY: U.S. Postal Service. ACTION: Notice.
SUMMARY: The USPS is announcing the availability of an In-Person Proofing at Post Offices (IPP) Program to support the activities of U.S. Certificate Authorities and government organizations.
EFFECTIVE DATE: June 9, 2003.
FOR FURTHER INFORMATION CONTACT: Chuck Chamberlain at 703-292-4172, or Brad Reck at 703-292-3530
SUPPLEMENTARY INFORMATION: In recent years, a number of new federal statutes have sought to preserve the ability of the public and private sectors to use the efficiency of the internet to rapidly exchange time sensitive communications while assuring that people receiving and sending messages are in fact who they say they are. A number of top quality private sector businesses have mastered the technology around the use of secure digital signatures, yielding a greater demand for improved identity verification for individuals seeking to use digital signatures.
This need for improved ''online identity'' creates a unique service opportunity for the Postal Service to provide value to the public, leverage our retail network and enable internet communications to enjoy a new level of security and reliability. Numerous organizations have approached the U.S. Postal Service to conduct In-Person Proofing (IPP) of customers nationwide for physically authenticating an individual's identification at a post office before the organization issues a digital signature certificate to the individual.
IPP supports efficient, affordable, trusted communications through the use of identification verification at Post Offices, incorporation of process enhancements required by the Postal Service, active management of the IPP program by the USPS, and use of a First Class U.S. Mail piece to verify physical addresses of applicants. We believe that IPP conducted at local post offices will create a new broad based capability for the Nation that promotes improved public trust and greater efficiency in the electronic delivery of a wide range of services. These efforts support achieving the goals of the Government Paperwork Elimination Act of 1998, Electronic Signature in Global and National Commerce Act of 2000, Health Insurance Portability and Accountability Act of 1996, Sarbanes- Oxley Act of 2002, and Gramm-Leach- Bliley Act of 1999 and numerous Presidential Directives on eGovernment. The following is a brief description of how IPP would work. An organization can establish a relationship with a qualified U.S. Certificate Authority to integrate digital signing with improved identity verification into an online application. Any individual desiring to use digital certificates that include USPS IPP will complete an application online. The online system will verify the individual's identity via commercial data base checking. The system will then produce a standard Postal Service form to be printed out at the ''applicant's'' personal computer. The individual requesting the service will present this form to a participating post office where the ''In Person Proofing'' process is conducted. After successful completion of the IPP event, the CA will notify the applicant to download their digital certificate. For clarity, the steps in the IPP process are outlined below.
1.0 DESCRIPTION
1.1 Purpose
IPP is a postal program to improve the public key infrastructure of the Nation. The public key infrastructure has emerged as an accepted infrastructure component for protecting and facilitating the electronic communications of the Nation.
2.0 BASIC STANDARDS
2.1 Eligibility
For a Certificate Authority (CA) to use IPP, the CA must incorporate the U.S. Postal Service In-Person Proofing Policy into their Certificate Policy. Conformance to the Po

Re:Article text

(a) When a bid is clearly established as the first made at a particular price, the maker shall be entitled to priority and shall have precedence over [on] CmdrTaco's cock inserted in Timothy's rectum.

Hmm, I didn't know that the post office wrote gay sex stories about /. editors into their announcements.

Re:The Post Office? Seriously?

When a competing company starts doing the same things with better service and prices, they'll whine that they're losing business and raise prices again.

They'd already sort of be competing with Verisign and other certificate authorities that use various ways to verify your identity. I don't know what is worse, dealing with Verisign or dealing with the USPS.

good idea? Maybe....

[deque_alpha]

I dunno, while this seems like a great idea on the surface, I am a little leery about going and getting "proofed" for this digital signature. Having not read the article, it seems like just one more database entry on me to be cross-referenced so that I can be "accurately" profiled by the government or whatever other really large entity decides they want to. I'll stick to my GPG signature, thanks. But then again, maybe my foil hat needs to be adjusted....

Who am I?

[fm6]

Funny, they don't seem to always know where to deliver so-called first-class mail ...

I suppose that was meant humorously, but there's a serious point here. It doesn't matter whether the PDF (they better find some other initials) accurately describes the person it's issued to. You can take it for granted their will be a high fraud rate -- as there already is in the domain registry records.

What's important is that the PDF is unique. Once it becomes clear that a PDF is associated with a spammer, the PDF will become useless, no matter who it claims to belong to.

Re:Who am I?

[jhunsake]

PDF is the file format of the document linked, you moron.

Re:Who am I?

[AceCaseOR]

Um... just so you know, PDF is referring to the document that's being linked to (as it's a PDF document). From the sounds of things, the acronym for this new service would be either IPP (In Person Proofing) or PIC (Personal Identity Certification).

Re:Who am I?

The PDF was the format of the document, not an abbreviation for the name of the system.

Re:Who am I?

[fm6]

Duhhhhhhhhhhhh!

Re:Who am I?

[foniksonik]

PDF doesn't refer to the ID it refers to the document being linked to.... doh! Go check and see... the link goes to a PDF.

Re:Who am I?

[Wesley+Felter]

You can take it for granted there will be a high fraud rate -- as there already is in the domain registry records.

I wouldn't automatically assume this. All you need to register a domain is an email address and $8, while this new process requires you to appear in person with multiple forms of ID.

Re:Who am I?

[fm6]

-1 Redundant!!!!

Re:Who am I?

[kimota]

> It doesn't matter whether the PDF (they better find some other initials) accurately describes the person it's issued to.

I think they should stick with the thing's actual name, In-Person Proofing. IPP. I mean, what problem could anyone have with that?

-Kimota!

email anonymity and spam

[I+Want+GNU!]

This sounds potentially like a great method to prevent spam or at least to allow verified mail, but it still doesn't sound like a complete solution. One of the distinguishing characteristics of the Internet is that it allows people anonymity. If only emails with digital signatures are allowed then anonymous email won't get through. On the other hand, if verified email were possible, it would prevent false positives for spam and Bayesian filters could handle the rest of email. This way emails wouldn't be falsely designated as spam and everything would get through.

Re:email anonymity and spam

[k12linux]

If only emails with digital signatures are allowed then anonymous email won't get through.

A bunch of non-anonymous (there HAS to be a better real word for that) e-mail wouldn't get through either. I suspect that filtering out messages without certs will fail. This is primarily because, like me, most people won't bother to go and get a cert. There are too many people (again like me) who will have an "if they won't except unsigned e-mail, I will deal with another company" attitude.

Also, unless it's brain-dead simple, most of today's Internet users won't have a clue how to install or use their new certificate with their mail prog of choice anyhow.

Maybe this isn't being done for the obvious reasons. Seems to me that this might be the first step towards Internet voting for government elections. Or maybe I'm wrong and the USPS just sees it as another revenue stream.

Re:email anonymity and spam

[thrillseeker]

I suspect that filtering out messages without certs will fail. This is primarily because, like me, most people won't bother to go and get a cert.

They will when all their correspondents start bouncing their non-certed mail.

Re:email anonymity and spam

[firewood]

One of the distinguishing characteristics of the Internet is that it allows people anonymity.

If a rape crisis center, whistle-blower journalist, police tip hotline, etc. wish to receive anonymous emails and phone calls, they are certainly welcome. People can still use public phone booths and unsigned/unsecured SMTP for this purpose. But (unless employed by one of the above) that doesn't mean I have to read the stuff also.

For the rest of us, this registration system will be great, because spammers must now have a verified mailing address which the postal inspector (or "cousin" Guido ) can visit.

Re:email anonymity and spam

[GlassHeart]

If only emails with digital signatures are allowed then anonymous email won't get through.

In a free country, you have to right to speak anonymously without fear of persecution. However, you do not have the right to be heard, anonymously or otherwise. It's entirely my right to ignore anybody I want.

Re:email anonymity and spam

[HeyLaughingBoy]

Ditto to that. I already don't pay much attention to email that doesn't come from an address my filters allow in. In the last month, I have received an estimated 600+ emails at home. Approximately 3 of those that didn't get past the filter (filters out 90% of email) were legitimately for me and even then, it was stuff that wasn't all that important e.g., I forgot to add the monthly SIGARCH messages from ACM to the filter.

I'd use something like this in a heartbeat. I receive about 25 spams per day at work as it is (yeah, I count those emails from Rational as spam since their opt-out address has never worked and I think Rose is crap).

Re:email anonymity and spam

[k12linux]

They will when all their correspondents start bouncing their non-certed mail.

There is a catch-22 here though. Most businesses won't turn away potential customers just because they don't have a cert. They'll want to wait until nearly everyone has gotten their certs before blocking. And without widespread adoption of blocking of non-certed mail, the insentive to get a cert isn't very strong.

So most businesses will wait until nearly everyone has a cert and most individuals will wait until a majority of businesses block their e-mail before getting one... especially if they have to physically go down to the post office and pay for one.

Re:email anonymity and spam

[willtsmith]

For certain types of transactions, authentication is absoluetly necessary in order to maker sure your not being scammed. This is true on the client side as well. If you get a message from your "financial institution" you want a way of verifying that it's really the person at the bank who sent the message.

I think this would take off RIGHT-AWAY. Why, well there's always snail-mail to fall back on if your client doesn't wish to use signed e-mail. In any case, a trip to the post office isn't really a big obstacle since EVERYBODY has one. It's not like Verisign or others where dealing with a web-site ONLY can be a bit confusing, daunting, or intimidating.

Re:email anonymity and spam

[k12linux]

In any case, a trip to the post office isn't really a big obstacle since EVERYBODY has one.

I'm sure that a company's foreign (non U.S.) customers will disagree. From what I understand U.S. Post Offices are only in... the U.S.

Also, do you really think Ma & Pa Average will a) Understand the need. b) Make the trip to the post office. c) Install and d) Use the cert? I just don't see it. At least not until they HAVE to because they can no longer send e-mail. Many non-techies are completely lost when the icon for their mail program moves to a different place on the desktop. The whole "cert thing" isn't going to be a comfortable concept for them.

I'm not saying that a lot of people won't get certs. I'm sure tons of people who consider themselves "techies" will and a bunch who are extremely concerned with security will too. I just don't believe that a critical mass of the general population will get one. By "critical mass" I mean a large enough percentage that the average business will decide to start blocking non-certed mail. Too many average e-mail users are simply too apathetic to the whole issue to go get a cert without being forced.

If you get a message from your "financial institution" you want a way of verifying that it's really the person at the bank who sent the message.

Unless it was encrypted I'd be mighty ticked off at my bank for sending confidential financial info via e-mail. I didn't see anything in the PDF that seemed to indicate that public-key encryption would be enabled by this.

Seriously.

[American+AC+in+Paris]

Funny, they don't seem to always know where to deliver so-called first-class mail ...

I hear ya there.

The USPS could learn a thing or two about accuracy and error-prevention from Slashdot.

fnord

Re:Seriously.

[leviramsey]

If Slashdot ran the post office, you'd receive four copies of the same letter or package, often on the same day.

Re:Seriously.

[Anonymous+Cow+herd]

If Slashdot ran the post office, you'd receive four copies of the same [...] package, often on the same day.

Sweet, where do I sign up? Time to order some memory through SlashMail :-)

Re:Seriously.

[DMDx86]

If Slashdot ran the post office, you'd receive four copies of the same letter or package, often on the same day.

Not only that, Michael would open your mail, insert spelling mistakes, and write [ed. note - no it isn't] by stuff in your letters

Re:Seriously.

[DMDx86]

hell with that.. I'm calling up Dell and ordering me a nice Xeon system... I'll have my Beowulf cluster in no time!

Re:Seriously.

BURN!!!!!

Nice one.

Re:Seriously.

[Guppy06]

"The USPS could learn a thing or two about accuracy and error-prevention from Slashdot."

Damn straight! I keep on getting the same letter over and over again!

Re:Seriously.

[gav1n]

or make a copy of it and mail it to you again in a month...

YOU FAIL IT!

[ed. note: no it isn't]

Certificates

[KeyserDK]

I recieved my official danish digital certificate(x.v509) by getting two pin codes. One via snail mail and the other when I ordered the certificate via the web. Both had to be typed in to recieve the certificate via mail.

Seems pretty secure to me.

The only thing it works for so far is tax stuff, and mail.

Re:Certificates

[KeyserDK]

Ofcourse i did not recieve it by email. It was 'delivered' via https

Re:Certificates

[NearlyHeadless]

I recieved my official danish digital certificate(x.v509) by getting two pin codes. One via snail mail and the other when I ordered the certificate via the web. Both had to be typed in to recieve the certificate via mail.

Seems pretty secure to me.

That verifies your snail mail address, not your identity.

Re:Certificates

Yes, but if we could cryptographically verify all snailmail addresses, we could reform the postal protocol to eliminate junk mail.

Re:Certificates

[dasmegabyte]

Huh. And to think all these years I've been eating totally unencrypted danishes.

Got anything to help with my cleartext pop-tart situation?

Re:Certificates

[tkittel]

IIRC you can also use it to log on to the student
allowance system (SU).

+ they are trying to eliminate tons of snail mail by having banks etc. sending their normal snail mail through the system to you.

I think it has all been implemented, but people still need to learn to use it.

Re:Certificates

[SunPin]

That was funny. Much appreciated.

Re:Certificates

[shokk]

So what you're saying is someone breaking into your home, stealing the snail mail card, and then ordering over the web on your computer using your credit cards can be verified as being yourself? Seems pretty secure to me.

Ramifications

[the_pointman]

The USPS' idea for certified proofing for digital signatures is in the right direction for securing financial transactions, helping to prevent spam (in the case of accepting emails only e-signed from registered people), but initiating such a project will bring the US closer to a National ID card.

By attaching services such as online tax refunds or filings, the public will be /required/ to register with the USPS in order to take advantage of the online filings with the IRS. Sure, but what if people just file in paper? Without a doubt, the government will then ad a fee to paper filings to encourage taxpapers (everyone) to register with the USPS service.

Let me see your papers, please!

Re:Ramifications

You already have a national ID card - your SSN card.

Re:Ramifications

[NuttyBee]

The ramifications of an National ID card are that the benefits outweigh the downside. I get 6 credit reports a year (3 credit bureaus x 2 times a year) just to make sure that someone isn't opening up Visa cards in my name.

Why do I have to do this? Because the world we live in currently uses my SSN, mothers maiden name, and a computer generated FICO score to determine whether to insure me and extend credit. When this "credit info" is wrong, and so far I've found literally constant errors. It takes 6 months to resolve them.

And anyone can get credit info fairly easily. We absolutely need to implement a national ID system as a way of combatting identity theft and forgery. My SSN and Mothers Maiden Name is not a good security system.

Additionally, flagging everyone named "David Nelson" at the airport because the name is on a no fly list is equally ridiculous. Figure out which David Nelson is your problem and let the other 500 people with the same name go about their business.

The time has come for a National ID card and biometric identifiers for all. I'd rather hold the government responsible for verifying my identity than say Experian or Equifax who can't even figure out which credit cards I have but won't hesistate to generate an inaccurate score based on their wrong information.

Re:Ramifications

[geekoid]

because no one could fake a National ID card or biometric information.
Or the fact the people who are perfectly legal and have no prior never commit crimes.

Your frustration is with the credit companies who do operate there business in the best manner for there customer. Please remeber YOU are not there customer.

The problem that arises from a National ID card is the it immediatly pouts you in a position to prove your innoncence. The nation ID cards time will not come until those laws are in place.

When you have a system like National ID card, people start to assume that they will be correct, and not frauded. This mean when "David Nelson - 23243564" is reported as commiting a crime, it will be assumed you did commit that crime. To prove you didn't do something is a tough spot to be in. In the 1700 the british prison were full to bursting with people that could prove there innocents.

Re:Ramifications

[willtsmith]

I actually believe that USPS is missing out on a great business and also a great way to help secure financial transactions. Email addresses change far too often do to people moving, switching services, and companies buying each other out.

The USPS would be the PERFECT agency to provide email P.O. Boxes. Basically, they would forward your mail to your provider (for an annual fee). This would fit in perfectly with providing authentication codes etc...

Since EVERYBODY has a USPS, it would be easy to set up in person and pay for with cash.

Regarding the "national id" card. We already have one, it's called a Social Security card. It's not it's intended use, but it's effectively become the lingua franca for identifying yourself in credit and large financial transactions.

I personally would welcome an National Authenticated "SMART CARD". These would be the unbreakable variety with strong internal encryption.

The photo itself would be duplicated and digitally signed in memory. Readers could pull up the picture so that forgers couldn't use the old "cut & paste" method of modifying the picture. Actually, the phsyical picture could be done in hologram to make it even harder to break.

As I said in another message, indexing databases by social security number should be ILLEGAL. Instead, companies could generate hashed indexes numbers based on operating a company Fed ID# and your Pers ID#. You would NEVER give your own ID# out.

The Feds would hold all the master keys so that they could do security work and cross-reference databases. Corporations, by contrast would not be able to do industrial scale personal data mining because DBs from different companies (especially financials) wouldn't have unique numbers for individuals that would travel with them as they changed addresses, etc...

Re:Ramifications

[willtsmith]

When you have a system like National ID card, people start to assume that they will be correct, and not frauded. This mean when "David Nelson - 23243564" is reported as commiting a crime, it will be assumed you did commit that crime.

The police ALWAYS assume they are correct irregardless of whatever backwater, nonsense, methodologies they may be using. Beyond that, we still live in the US and despite the efforts of John Ashcroft, we are all still INNOCENT until proven guilty in a court of law.

If there is a VERY strong method of authentication, this does make it harder to imply that something was faked (like a credit card, which is notoriously easy). In 99% of cases, this will make things better for everybody involved. In the other 1% of cases where your ID is STOLEN, or someone tricked/bribed the system to generate a fradulent ID, there will be issues. However, these issues are no different than those associated with traditional identification techniques.

The strength and integrity of the ID will be judged by the strength and integrity of the authenticating body. Transparancy of process will help. Generating logs for any and ALL transactions within ID generating systems will create data trails that can be used to track down patterns of fraud an unauthorized data tampering.

I personally believe that we ALL have a right to privacy. However, I do not think that we all have a right to anamonimity. People with nothing to hide proudly proclaim their identity. Thieves and scammers and other law breakers sulk in the shadows and are afraid to have their real identities known.

great!

[Fux+the+Pengiun]

This sounds like a wonderful idea! It's about time the USPS got with the times. For too long they've been afraid of digital technology. Remember when they tried to put a tax on faxes in the 80's because they thought everybody was going to use those insteading of sending letters? It's that kind of short-sightedness that hurts the postal service's quality image as a whole.

The only thing that worries me is the oversight on this by Donald Rumfields. The USPS is actually a division of the US Department of Defense...kind of like how the Treasury department oversees the secret service. Does this mean, then, that the Bush administration would get to decide who does and doesn't get digital certificates? Also, what about big business interests? Bill Gates gives an awful lot of money to Bush, so what if he decided no Linux users could get these certs?

What are your thoughts, guys?

Cheers, FtP

Re:great!

[Ever+Dubious]

Actually a division of the US DOD? Bullshit. From the USPS web site:

United States Postal Service

The Post Office Department was transformed into the United States Postal Service, an independent establishment of the executive branch of the Government of the United States. The mission of the Postal Service remained the same, as stated in Title 39 of the U.S. Code: "The Postal Service shall have as its basic function the obligation to provide postal services to bind the Nation together through the personal, educational, literary, and business correspondence of the people. It shall provide prompt, reliable, and efficient services to patrons in all areas and shall render postal services to all communities."

The new Postal Service officially began operations on July 1, 1971. At that time, the Postmaster General left the Cabinet, and the Postal Service received:

* Operational authority vested in a Board of Governors and Postal Service executive management, rather than in Congress.
* Authority to issue public bonds to finance postal buildings and mechanization.
* Direct collective bargaining between representatives of management and the unions.
* A new rate-setting procedure, built around an independent Postal Rate Commission.

Title 39, the Postal Reorganization Act, also vested direction of the powers of the Postal Service in an 11-member Board of Governors. Nine members (the Governors) are appointed by the President, by and with the advice and consent of the Senate. They serve staggered nine-year terms, and no more than five Governors may belong to the same political party. Governors are chosen to represent the public interest generally, may not represent specific interests using the Postal Service, and may be removed only for cause.

Re:great!

[jhunsake]

This is Slashdot, where we make up our facts (referring to the grandparent, of course).

Re:great!

[tinutuva]

The USPS is not a division of the DOD. It's set up as a quasi-governmental organization which is wholly owned by... itself. It was completely seperated from the Executive Branch of government in the early 70s when the cabinet position was abolished. It doesn't answer to any cabinet member or appointed official or any federal department, bureau or agency. It has a Board of Governors that are like a Board of Directors and they elect the Postmaster General (CEO). The USPS is not allowed to get tax money to subsidize its operations, all expenses must be met by revenue. In this way it is mandated by Law to function as most corporations except it is not allowed to make a profit.
I'm sure you see the obvious flaw, MANDATED BY LAW means the PMG answers to Congress: it's as if THEY are the stockholders (you can watch the Senate hearings on the USPS on CNN for a good laugh!) except their interest is not for a sound corporation but their own political gain. They pass ridiculous legislation based on what their buddies or special-interest groups or big campaign contributors want.
The real danger then, is not the DOD or any Presidential appointee, but the political machinations of Capitol Hill. You've seen the Patriot Act, designed to crush liberty and eliminate the protections of the US Constitution in the name "protecting us from terrorism". What if they decide to pass a Law requiring the USPS to turn over this list to "safeguard national security"?

Patriot Act Tie In

[Fred+IV]

2.1 Eligibility For a Certificate Authority (CA) to use IPP, the CA must incorporate the U.S. Postal Service In-Person Proofing Policy into their Certificate Policy. Conformance to the Postal policy includes: 1. Use of a Patriot Act compliant database vetting process to gain initial assurance of an applicant's identity before sending the applicant to the Postal Office for IPP.

Yay, more data to shove into the Patriot Act machine. What a bargin!

Re:Patriot Act Tie In

[billstewart]

Yeah, fsck that noise. Plus they want you to re-enlist\\\\\\re-register every 4 years, presumably so that they can provide the next President's administration with whatever outrageous data _they_ want.

Home Security?

[Yxes]

I wonder what impact this will have our "Home Security" initivates. Will they make it mandatory that we turn in our a digitial signature and identify oursevles? America seems to be drawing nearer and nearer to a police state and I wonder what impact something of this nature will produce in the long run.

Re:Home Security?

[willtsmith]

The only thing that positive ID does is turn the US into a "small town".

By this I mean that everybody in a small town knows one another and can positively ID each other. Does this mean that small towns are effectively Police States???????

Privacy and ananominity are two separate issues. You can be anonymous, yet your appearance and behavior can get you noticed, that will affect your privacy. People with nothing to hide are NOT afraid of positive ID.

Positive ID does NOT imply that information on your COMPLETE existence is available on demand. Like a small town, who you are and some relevant details are all common knowledge. But your neighbor certainly doesn't have access to your bank info. In fact, your bank info is MORE secure because all the teller's know who you are and would immediately recognize an impersonator.

Likewise with proof positive secure identification, you gain the SAME security. As it is now, our financial credit system is a mess because anyone with some fairly trivial knowledge can impersonate you.

So effectively, positive ID makes us all more like a "small town". Whats wrong with that????

in bulgaria

[darp]

I saw this in Bulgaria. Few online banking sites require use of digital certificates and username/password. You have to go in person to one of the bank branches before you can get a digital certificate. Once having the certificate one can do a lot of things that we can;t here in US - online transfers, forex, etc

Re:in bulgaria

[jhunsake]

we can;t here in US - online transfers, forex, etc

I have several accounts with different banks here in the US. They all have online transfers.

Re:in bulgaria

[darp]

Can you set up a monthly transfer to a bank in Mexico? I bet that you can't. At least WellsFargo and CitiBank can't

Re:in bulgaria

[jhunsake]

I can on one or two of them. I think that you can't is partially a function of going with a bigger bank. Try a medium sized credit union or bank or even a small bank that you know has internet access.

USPS User Experience

User enters post office. Waits 20 minutes in line. Gets to front of the line.

Agent: (slowly) May I help you?
User: I'd like to get a certified digital ID.
Agent: (slowly) Okay, please go to the back of the room and fill out form 2219. When you're done, please bring it back to the front.
User searches a while
User: Where's the form?!
Agent: (slowly) If it's not there, we're out. You can always call 1-800-ASK-USPS for more information.
User: But they told me to come here! You have to verify my ID!
Agent: (very slowly) I'm sorry, you'll have to speak to the manager. He's gone for the day. You'll have to come back Monday at 10 am.
User: AAAAIIIEEEEEEE!!!!! runs screaming from the post office

Yeah, this will be a big hit.

Re:USPS User Experience

[RatBastard]

Harry Tuttle: Listen, this old system of yours could be on fire and I couldn't even turn on the kitchen tap without filling out a 27b/6... Bloody paperwork.

Re:USPS User Experience

[dasmegabyte]

Um, in my experience (with massive mailings, ebay stuff in crazy packages, maintaining a PO box, and other X-treme Postal Services), it'd go more like this:

Me: I'd like a digital ID.

Them: Ok -- can I see your driver's license? Alright, good enough. Smile. *Click!* There you go, that'll be (insert some sum that is aproximately 50% of comparable service from anybody else). Would you like stamps with that?

Me: God, no, this is awesome.

You must be thinking of the Clerk's office, DMV or one of the copious other shitty State agencies that make me glad the Republicans never got around to giving power back to the states this time around...

Re:The Post Office? Seriously?

[Just+Some+Guy]

Definitely Verisign. The USPS doesn't think it's funny when they accidentally release your property to someone else (see also: sex.com). In fact, rumor has it that having the Postal Inspectors storm your house is not as funny as it sounds (i.e., 30 guys in attack armor carrying assault rifles vs. 5 guys like Cliff from "Cheers").

pdf -- txt

[CowBovNeal]

35922 Federal Register / Vol. 68, No. 116 / Tuesday, June 17, 2003 / Notices
Dated: June 12, 2003.
D. L. Gamberoni,
Technical Coordinator, Office of the Secretary.

[FR Doc. 03Ð 15347 Filed 6Ð 13Ð 03; 11: 53 am]
BILLING CODE 7590 01 M

POSTAL SERVICE
In-Person Proofing at Post Offices (IPP) Program

AGENCY: U. S. Postal Service.
ACTION: Notice.

SUMMARY: The USPS is announcing the
availability of an In-Person Proofing at Post Offices (IPP) Program to support
the activities of U. S. Certificate Authorities and government
organizations.
EFFECTIVE DATE: June 9, 2003.
FOR FURTHER INFORMATION CONTACT:
Chuck Chamberlain at 703Ð 292Ð 4172, or Brad Reck at 703Ð 292Ð 3530

SUPPLEMENTARY INFORMATION: In recent years, a number of new federal statutes have sought to preserve the ability of the public and private sectors to use the efficiency of the internet to rapidly exchange time sensitive communications while assuring that
people receiving and sending messages are in fact who they say they are. A
number of top quality private sector businesses have mastered the
technology around the use of secure digital signatures, yielding a greater
demand for improved identity verification for individuals seeking to
use digital signatures. This need for improved '' online
identity'' creates a unique service opportunity for the Postal Service to
provide value to the public, leverage our retail network and enable internet
communications to enjoy a new level of security and reliability. Numerous
organizations have approached the U. S. Postal Service to conduct In-Person
Proofing (IPP) of customers nationwide for physically authenticating an
individual's identification at a post office before the organization issues a
digital signature certificate to the individual.
IPP supports efficient, affordable, trusted communications through the use
of identification verification at Post Offices, incorporation of process
enhancements required by the Postal Service, active management of the IPP
program by the USPS, and use of a First Class U. S. Mail piece to verify physical
addresses of applicants. We believe that IPP conducted at local post offices will
create a new broad based capability for the Nation that promotes improved public trust and greater efficiency in the
electronic delivery of a wide range of services. These efforts support achieving
the goals of the Government Paperwork Elimination Act of 1998, Electronic
Signature in Global and National Commerce Act of 2000, Health
Insurance Portability and Accountability Act of 1996, Sarbanes-Oxley
Act of 2002, and Gramm-Leach-Bliley Act of 1999 and numerous
Presidential Directives on eGovernment. The following is a brief description of
how IPP would work. An organization can establish a relationship with a
qualified U. S. Certificate Authority to integrate digital signing with improved
identity verification into an online application. Any individual desiring to
use digital certificates that include USPS IPP will complete an application
online. The online system will verify the individual's identity via commercial
data base checking. The system will then produce a standard Postal Service
form to be printed out at the '' applicant's'' personal computer. The
individual requesting the service will present this form to a participating post
office where the '' In Person Proofing'' process is conducted. After successful
completion of the IPP event, the CA will notify the applicant to download their
digital certificate. For clarity, the steps in the IPP process are outlined below.

1.0 DESCRIPTION
1.1 Purpose
IPP is a postal program to improve the public key infrastructure of the Nation.

The public key infrastructure has emerged as an accepted infrastructure
component for protecting and facilitating the electronic
communications of the Nation.
2.0 BASIC STANDARDS
2.1 Eligib

Like a PGP key signing party--

[ccmay]

Like a PGP key-signing party -- remember those? -- but without the party, and only a surly union-slug postal clerk instead of dozens of new and interesting techie friends. Too bad it never really caught on except as a way to check your open-source downloads.

I am concerned that what begins as a voluntary initiative will one day become quasi-mandatory, like carrying a driver's license.

-ccm

Re:Like a PGP key signing party--

[crisco]

could I sign my PGP public key with the USPS one, creating a chain of trust?

That way I could continue to use the PGP/GPG tools and keys that I already have and add whatever level of trust available from the USPS.

I need a vacation... Oh! I'm starting one! :-)

[HarveyBirdman]

The United States Postal Service has announced that it will provide In-Person Proofing

I swear on my grandmother grave that I saw "In-Person Shooting" when I first read it.

A few less FPS games for me, I think. More Super Mario Sunshine and Animal Crossing for a while.

Well, I have a 5-day weekend ahead of me. You all play nice.

Uh-huh...

[Angry+Pixie]

So the digital certificate could be used to validate the mail I sent really came from me? Oh, I'd just attach the certificate to the email? Oh, there's a central repository where all the email addresses I might use can be linked to the certificate? Oh, how lovely... and who would this repository be available to? Only the government? Oh grand. Sign me up!

Re:Uh-huh...

[hbo]

No, the certificate authority would sign your personal certificate, just like they do now. The USPS would have an arrangement whereby they would prove that you are who the certificate says you are through a visit to your local Post Office. The central certificate repository would be at the CA.

The Big Brother aspect comes in the arrangement between the USPS and the CA. As noted above, the CA would be required to check your identity against a Patriot Act database before passing the request on to the Post Office. Reading between the lines, it would seem that information collected from you in your CSR might end up refreshing the data in the Patriot Act database. Combine that with the requirement that certificates expire after four years, and you have a mechanism to keep that national database current. All of this is good IT/database practice. But in the hands of the Government, it raises concerns.

Yes!

[fireboy1919]

This is just what I've been looking for!
(start playing the sad story music, if you have any - Michael Jackson stuff will work real well here)
You see, I've had sort of an identity crisis - not really sure who I am. The post office can finally change that. They can authenticate me, and authenticate who I am. No more wandering willy-nilly.

(at this point please begin playing some patriotic music to get the full effect of the message)
With the post office as my guide, I will rise to the brink of a better tomorrow and boldly go forth to face my dreams because I am authenticated!

Thankyou, US post office. The world is in your debt.

couple of concerns...

[tx_kanuck]

1) How well will this work with other authtication techniques? (ie. if other postal systems start this, will there be interoperability? If so, who coordinates this?)

2) How good is the procedure to replace a lost/stolen certificate?

3) What good is this for people not in the US?

4) If someone lives in the US, gets one of these, and then moves, can it still be updated/replaced?

5) I forget the other question.

Granted, I only skimmed the article, so I may have missed the answers, but still....

Re:couple of concerns...

Granted, I only skimmed the article, so I may have missed the answers, but still....

Try skimming harder the next time. The USPS isn't providing certificates, just verifying identities in person for commercial certificate authorities (Verisign, Thawte).

Re:couple of concerns...

[hackstraw]

5) How will a cert get revoked?

This is a big problem with PKI. Remember when some developers posed as Microsoft developers and wrote some signed/trusted java codes?

The only way for this to work would be to verify every email. I don't think this is possible.

Re:What about the blind?

I know a guy who doesn't have X on his Debian machine, so he views all PDFs in console with some sort of PDF-to-Latin1 program. I bet blind people could use the same program.

Comment removed

[account_deleted]

Comment removed based on user account deletion

A good thing?

[Realistic_Dragon]

It depends - this offers a way to get common certification available (ala Paladium) using a government as the trusted body and not Microsoft. That's a step up, but still not perfect considering the ammount of fraud (welfare, SS etc) that people still seem to get away with on the gov'ts watch.

If they combine it with a decent PGP style web-of-trust implimentation and let the user decide what weighting he wants to give to trusts he has assigned and those that the USPS has assigned then this could be a killer digital signature implimentation.

Re:A good thing?

[geekoid]

unfortunatly, Certifications such as paladium only identify the computer, not the user.

Of course Bill wants to tie smart card with paladium, which will make them seem more secure.

Postal Workers

[jmorse]

All postal workers will be required to purchase one of the digital signature keys, allowing to verify their identity before reporting for work or going on a shooting rampage.

Re:Postal Workers

[Sloppy]

"Sorry, this AK47 is not registered to this user. Please call the Kalashnikov Corporation customer service hotline at 1-800-COMMUNISM and have a credit card ready..."

Am I missing something?

[packethead]

Please tell me if I pulled a Rip Van Winkle here. But, when did the the USPS start controlling e-mail? Maybe I'm in the middle of some bizzar Owellian nightmare. Next thing you're going to tell me is that we've become a police state and a new Dept of the goverenment has been established to "watch" us.

Sheesh!

Hmmm, maybe they'd be able to find my house...

[shepd]

...and do it on time next time if I had a certificate. Then again, I don't know if I'd really want to give useless parcel service my name and number for a permanent database.

non-USA email

[innocent_white_lamb]

Not all email that doesn't originate in the USA is spam. Using this as a spam filter would balkanize Internet email and make it "domestic USA mail only" for US residents, and available internationally only for those who live elsewhere.

Re:non-USA email

[moncyb]

It also wouldn't stop spam. Spammers have no problem breaking into people's systems to send email. Digital certificates will not stop them.

Re:non-USA email

[willtsmith]

Yes but ALL email originating from NIGERIA IS SPAM!!!!!!! ;-)

Argh...

[shepd]

Where's delete comment when you need it?

Must read titles more closely next time... Sorry.

Trust

[m_niessner]

I can't trust that they can send a package without damagin/losing it. And now, I'm gonna trust them to properly identify people?

But the USPS won't issue the certs, correct?

[Just+Some+Guy]

After reading the article (hey! There's a first for everything!), it seems as though the USPS will only be providing official ID verification to 3rd-party CAs who will use it to determine whether they, not USPS, will issue the cert. In other words, the USPS will only be vouching for you to the CA - they won't be authenticating you to the public at large.

Great. Just great. Now I get to deal with the Post Office and Verisign when I want to lock down an SSL site.

Please shoot me.

Re:But the USPS won't issue the certs, correct?

[shiflett]

The USPS has its own CA which is used to issue the personal digital certificates. If you have a relatively new browser, their CA's certificate is probably in your certificate store, so you can check it out for yourself.

Look into the Euro PKI project

[hansreiser]

They got funded to develop a PKI infrastructure with real verification of identity for the EU.

Re:Look into the Euro PKI project

[dossen]

Does this project have some sort of web-presence? Google returns a lot of pages for the term, but none of the highranked ones look right.

I hate X.509

[Sloppy]

Forget this X.509 crap, I want postmaster@usps.gov to sign my PGP key!

I hate X.509. It's cumbersome and weird (that extra 'cert request' step), while also being functionally lame (only one signature, and you have to either completely trust it or not). Why anyone would want to use that when there's something so much better available (OpenPGP), is beyond me.

Re:I hate X.509

[SuperQ]

I agree, x.509 keys are anoying.. having the USPS sign my PGP key would be damn cool..

although USPS would quickly become the center node of the PGP keyring stats.

an article on PGP vs. x.509
http://world.std.com/~cme/html/web.html

Open source version

GNU/Zentalon GNU/writes GNU/"The GNU/United GNU/States GNU/Postal GNU/Service GNU/has GNU/announced GNU/that GNU/it GNU/will GNU/provide GNU/In-Person GNU/Proofing GNU/(pdf) GNU/to GNU/physically GNU/authenticate GNU/individuals GNU/before GNU/a GNU/digital GNU/signature GNU/certificate GNU/is GNU/issued GNU/to GNU/that GNU/person. GNU/This GNU/has GNU/a GNU/bunch GNU/of GNU/interesting GNU/ramifications; GNU/for GNU/instance, GNU/I GNU/could GNU/create GNU/a GNU/simple GNU/spam GNU/filter GNU/that GNU/only GNU/accepts GNU/mail GNU/from GNU/individuals GNU/and GNU/organizations GNU/that GNU/have GNU/an GNU/authenticated GNU/certificate. GNU/It GNU/could GNU/also GNU/allow GNU/for GNU/more GNU/secure GNU/financial GNU/transactions. GNU/Anyone GNU/know GNU/if GNU/any GNU/other GNU/national GNU/postal GNU/services GNU/are GNU/planning GNU/the GNU/same GNU/thing?" GNU/Funny, GNU/they GNU/don't GNU/seem GNU/to GNU/always GNU/know GNU/where GNU/to GNU/deliver GNU/so-called GNU/first-class GNU/mail...

No postage due

[poptones]

I doubt this will become the way. To begin with it's US-centric and the internet definitely ain't. So is everyone in the world supposed to get a number?

The other failing is it would be trivial to simply lie about the number - that is, if a number is required (just as an IP is now) then spammers will simply make one up. In order for a "valid" number to be required to traverse mail then every email would have to be authenticated through a central database. Thus, it's completely impractical as a means of reducing spam anywhere except the end user's mailbox. And we already have plenty of ways of doing that.

It IS useful, however, if you and I want to enter into a transaction without having to use the banking system. You send me merchandise, I send you cash - and if either of us defaults there is a reliable means of tracking the individual and holding them responsible. It's almost like a nationwide ebay ID in that "bad traders" can be reliably tracked and, therefore, blacklisted. On THAT level it's quite practical and, from the POV of one who refuses to use plastic, a welcome alternative.

Re:No postage due

If your cert has been signed by a CA, all I need to verify it is a copy of that CA's public signing key (usually in a self-signed cert). That takes just one request (plus one extra each time the signing key expires, which is probably quarterly or annually) for an unlimited number of messages.

Postal employees better than you think

[SuperBanana]

Complaints will be handled by people too slow to work at the Department of Motor Vehicles.

I repeat the following story every time I hear someone insult a postal worker.

One day I needed to get something in the mail THAT day, and I wasn't able to get down to the post office. I caught the mailman as he was driving up to the mailbox, and handed him the letter. Except I didn't have enough postage- I had forgotten about the rate increase that had happened recently.

Now, if the guy had wanted to be an asshole, he could have refused it- but he said "you got any change? I'll put the extra postage on it when I get in" I had a quarter on me, gave it to him, and was happy that I had probably still spent less money than the gas it would have taken to get to the post office and back.

What bowled me over was that the next day, he parked, came to the door, and handed me change. I was blown away that he bothered for such a small amount, and had expected him to (rightfully, far as I was concerned) pocket the 15-20 cents for the trouble of having to 'buy' and slap on an extra stamp for me.

NOW, if you want to see how patient postal employees are, see what these guys did. It is incredibly funny(the part about the sender trying to argue they should get money BACK for shipping a balloon is hilarious), but there's a serious message in their absurd little experiment(which involved shipping bricks, hammers, dead fish+seaweed, etc), and I'll include their conclusion here:

First, this experiment yielded a 64% delivery rate (18/28), an almost two-thirds success rate. (For our purposes, "delivery" constituted some type of independent handling by the USPS and subsequent contact regarding the object, regardless of whether we got to see or keep the object or whether it arrived whole.) This is astounding, considering the nature of some of the items sent. This compares with a 0% rate of receipt of fully wrapped packages from certain countries of the developing world, such as Peru, Turkey, and Egypt. Admittedly, those were international mailings, and thus not totally comparable; nevertheless, the disparity is striking.

Second, the delivery involved the collusion of sequences of postal workers, not simply lone operatives. The USPS appears to have some collective sense of humor, and might in fact here be displaying the rudiments of organic bureaucratic intelligence.

Finally, our investigation team felt remorse for some of its experimental efforts, most particularly the category "Disgusting," after the good faith of the USPS in its delivery efforts. We sought out as many of the USPS employees who had (involuntarily) been involved in the experiment as we could identify, and gave them each a small box of chocolate.

We, and all scientists, owe a debt of gratitude to these civil servants. Without them, we would have had but little success in pushing the envelope.

Re:Postal employees better than you think

[Just+Some+Guy]

I repeat the following story every time I hear someone insult a postal worker.

That's a good story. I like the mailman that comes to my house; he's a nice guy, and I imagine he'd probably do the same thing for me. In fact, the whole post office in my small town is staffed by genuinely nice, friendly people and I feel kind of guilty about lumping them in with my other generalities.

However, I've also been into post offices where I really wished I was armed to protect myself from both the patrons and the staffers. Unfortunately, those are the experiences that tend to resonate with the population.

Re:Postal employees better than you think

[Xolotl]

Other odd items which I have seen or know at first hand as having been sent throught the British Royal Mail - a postcard scratched onto a piece of slate, sent by a field trip back to the Sedgwick Museum of Geology in Cambridge [received, and now used as a slate sample in teaching students, still with stamp and message], a jelly in an envelope [received in a plastic bag with an apology for its somewhat squashed state] and a biscuit, unwrapped with stamp directly attached [received, IRC also in plastic]. Somebody should write a book on odd things sent through the post, it would be a great read.

I was also particularly impressed when my mother received a letter from abroad with just her name and the town as the address; the town is a suburb of London and must number several tens of thousands of inhabitants at the very least.

Re:Postal employees better than you think

[sjb21043]

Ya know, I also think it's pretty silly when people complain about the Post Office - especially when they complain about prices.

Think about it. For less than 50 cents, they'll come to your house, pick up a letter, and deliver it to any address in the country. You don't have to go to them to send or receive. Compare that to a restaurant charging a $5 delivery fee to go a half a mile. Seems like a pretty good deal, to me.

Re:Postal employees better than you think

I absolutely agree with you.

After all, the higher demoniation currency sealed in clear plastic get delivered faster. And sneakers taped together get their laces tied extra tight. I won't even get into the logic about the "human remains" ...

Re:Postal employees better than you think

[Qzukk]

The mailman who comes by the office I work at is a great guy, we all hang out and shoot the breeze every now and then when he delivers mail (not too often, we started getting complaints from the people on the upper floors that the mail was getting late.) We discuss computers, grouse about our vacation time, or lack of it(he gets Friday off for 4th of July. Then he goes back to work for the 5th.) and whatever else comes up.

I wonder if theres a way to nominate him for some kind of "cool postman" award.

Re:Postal employees better than you think

[shokk]

It probably cost $0.50 tax money for him to give you your change for $0.25. Thanks for wasting everyone else's money.

Re:Postal employees better than you think

[HeghmoH]

When I was a kid in the 80s, it was hip to make fun of the Post Office. And rightfully so: they were slow and unreliable. The jokes grew up from real experiences.

But now, the USPS will take your money with a smile, and lie to you about the delivery date. The bastards deliver your packages early almost every single time, blasting packages halfway across the country in two days for less than a dollar, or blasting them halfway across the planet in less than a week still for a very reasonable sum.

The USPS has changed from competition from the likes of FedEx and UPS, and they are now very, very good at what they do.

Re:Postal employees better than you think

[kst]

Cool, a gruntled postal worker.

Re:Postal employees better than you think

[willtsmith]

Does the phrase "FOLLOW INSTRUCTIONS" mean anything to you????

Why should everybody else in line have to wait for your "special attention" because you refused to read.

I would suggest filling out all your forms on the benches BEFORE sending you package.

Re:Postal employees better than you think

[MxTxL]

My family and i used to live overseas as employees of Uncle Sam. As such we had an APO address of the same style that military personel living overseas do. Once upon a time, one of our state-side family members sent us a little care package with various household goodies and food items. Well, it happens that one of the bottles of syrup in the box burst and consequently had maple syrup leaking everywhere. We received the care package complete (minus the offending bottle of syrup) cleaned up and repackaged with a personal note from some postal worker in one of the transit stations along the way explaining how he really appreciated the work we were doing overseas (he could tell by the APO address) for our country, and that he knew how important this package would be to us so he took the little bit of extra time to clean everything up as best he could.

No matter what the popular jokes are about the Post Office, its just like any other agency or company.... there are people in any organization that spoil it for everyone, and, like this particular person, ones that reflect dedication and caring to their profession.

Re:Postal employees better than you think

[pmz]

The USPS has changed from competition from the likes of FedEx and UPS, and they are now very, very good at what they do.

I was suprised the other day to be able to get a certified mail tracking number from the USPS. It allows going to usps.com and verifying the package was signed for, and its only a few dollars. That's another way the USPS is a good alternative to UPS and FedEX.

Re:Postal employees better than you think

[mr_e_cat]

It probably cost $0.50 tax money for him to give you your change for $0.25. Hows that then? Did he claim 50c in overtime or something? The guy took time out of his own day, and may have had work late to finish his round.

Someone does a good turn and all you can do is criticise. You cheapshot asshole.

The USPS is financially and often makes a profit. It's losses are funded by borrowing just like any other business. It doesn't receive a govt subsidy.

see http://www.usps.com/history/anrpt02/

Crawl back into your hole.

Re:Postal employees better than you think

[shokk]

So much for a cheap (harhar!) joke. Way to get bent out of shape, dude.

Australia Post

Australia Post was looking at providing this service for it's "Gatekeeper" x.509 platform. It is also known as "RA" (registry Authority), and considering that Australia Post is already the "RA" for our passport applications - they would probably be the best suited too.

I don't think that X.509 has been "widely accepted by the community" yet... so I can't find any more details about it..

Re:Australia Post

[ZenJabba1]

Australia Post actually did issue X509 certificates, I still have the floppy disk. I think in the end they issues around 500 certificates because nobody was using them as nobody had the hardware needed to support the backend processing (AP wanted dedicated links in the backend servers to the ROOT cert).

It eventually failed and has never been heard from again. I do remember them sending me a email telling me it was going to be dismantled and I had 12 months more use of my certificate for free.

They also used physical presence ID checks, and I remember walking in my country post office and the postal person looking at me as if I had horns growing out of my head. I was the only person who ever approached him about getting the certificate to this day.

---

Isn't this simply a Class 3 X.509 cert?

[joeflies]

the definition for having people appear before issuing a cert has been around as long as there's been 3rd party CA's. However, a practical application to make it explode hasn't (most consumers still don't have a compelling reason to get any personal cert, except for the one they get in a smartcard). Frankly, there wasn't any reason for a consumer to get one because there was no compelling benefit

I would hazard to guess that the majority of consumer-level encrypted e-mail relies on PGP, not 3rd party-ca Issue certs. Thus, no uptake of certs for that reason. Most people probably don't even care if it's encrypted or not.

However, now that spam has become a major annoyance, and spoofed spam targeting best buy, paypal, and ebay users are causing fraud, there is perceived benefit from better secured e-mail services. If the USPS is successful is selling the benefit (i.e. certifiable, spam filtered mail), then perhaps we will start to see real adoption of 3rd party CA certs for consumers.

Oh goody! Now we can all get our MARK!

[pair-a-noyd]

Just what we've all been waiting for, our government approved identity mark.
Tell us, will we be tattoed with it, and if so, will it be on the forehead or the right hand??

(http://patft.uspto.gov/netacgi/nph-Parser?Sect1 =P TO1&Sect2=HITOFF&d=PALL&p=1&u=/netahtml/srchnum.ht m&r=1&f=G&l=50&s1=5,878,155.WKU.&OS=PN/5,878,155&R S=PN/5,878,155)

If you don't believe it, go to the United States Patent Office website and search for APPROVED patent number 5,878,155
and or this, "Method for verifying human identity during electronic sale transactions"

But it SOLVES NOTHING!

It doesn't stop ANY of the TRAFFIC caused by spam. It's a worthless "solution" in that regard.

Red Alert!

[twitter]

A number of top quality private sector business have masterd the technology around the use of secure digital signatures...

Market droid talk. If they are so good why does the post office need to get into it? Other talk about "demand", "unique service opportunity" and trusted computing has my back up. It's all so Microsoft sounding. But that's just the beginning.

They are going to use "comercial database checking", and the databases must be "Patriot Act Compliant". While the commmercial database check looks like coroprate welfare, it the Patriot act part looks like a land grab. What, besides any old G-man clerk having the athority to look at all of your data, constitues Patriot Act Complience?

The authentication method is first class mail. and a file that dissapears in four years. I'm not going to think very hard about all the ways to defruad the post and defeat this system, but mail fraud is still a common problem. The dissapering file is the real clincher. What "top quality private sector bussines" has a patent on DRM OS and has been touting files that expire as a means to "trusted computing"?

Having a certificate athority is good. Using that need as a means to nationalize software, usurp private databases, funnel tax money into private hands and foce everyone to use propriatory software is not good. The system needs to be run on proven free and open standards in a non-revocable manner.

The USPO is going to have to do better than that to win my trust. I've got one Microsoft machine for talking to an old camera and a scanner. I don't let it see the internet because it's so easy to break and own. Any plan that would force me to use software I don't trust for ecommerce is a plan I don't trust or want.

Two years ago, some moron told me that the US government would make it illegal to run anything but Microsoft software. He actually thought this was a good idea and was convinced it would happen. I told him that would violate the first amendment rights to free speech, and effectivly nationalize general purpose computing and such laws were laughably unAmerican. I'm not laughing anymore.

Someone tell me I'm just paranoid, please.

Re:Red Alert!

[forgetmenot]

Well, since you asked so nicely: You're just paranoid.

Yours truly,
B. Gates.

Re:Red Alert!

[thrillseeker]

If they are so good why does the post office need to get into it?

Because there is one within a few miles of everyone in the US? What, would you rather trust the zit-faced idiot at the 7-11 had "verified" the identity of those your correspond with?

Re:The Post Office? Seriously?

[Daetrin]

My grandfather used to deliver mail back in the 60s or something, and my parents told me that at the time, you did NOT fuck with the Post Office. Don't know if that's more or less true nowdays, although the PR about it doesn't seem as good anymore.

In-Person Spoofing?

[mikeophile]

Seriously, I'm guessing a whole crowd of black hats read that story and went "Hurray!".

Old News, but Interesting

[shiflett]

I was actually one of the developers of this project (three years ago), and it is funny to see that they are finally "announcing" it.

The idea is simple, and it is actually a useful service that the USPS has the resources to provide, if they actually go through with it. Whereas SSL only authenticates the server (among other things, of course), the allocations for client authentication in SSL are optional and very rarely used. All the client needs for this is its own digital certificate, just like the server has its certificate.

So, to get an SSL certificate, we (whether we like it or not) trust the various CAs to make certain that they are granted to the rightful owners. When it comes to client certificates, the scope of the problem becomes much larger, because you are authenticating people rather than domains. If you fail to properly identify someone before issuing the digital certificate, the point is lost.

The USPS has post offices all over the US (their only country of concern in this case), and this fact provides the perfect platform for authenticating people. Just as with Passports, you must prove your identity in person before being authenticated.

How do the pieces fit together? Well, it is fairly simple, but it involves a lot of existing systems, some of which are aging. You register online (providing much personal information, including what forms of ID you will be bringing with you). This generates a letter that is sent to your address (verifying your address in the process). You take this letter to the post office, and if you pass the in-person proofing, the clerk scans the barcode on the letter. This scan makes its way back to the system in about 24 hours, and then your digital certificate is generated. An email is sent to let you know, and you can then download it from the Web site after logging in.

At any rate, I still think the general idea is a good one, and this would be a useful service for a lot of people. I hope it is successful.

Re:Old News, but Interesting

[geekoid]

once you have your cert, how does it determin who is using the computer?

Re:Old News, but Interesting

[Wesley+Felter]

In all PKI it's up to the user to keep control over their private key.

Re:Old News, but Interesting

[shiflett]

Who knows what they are planning now, but when I was working on it, the user had two options: let your browser keep your private key (as well as your personal digital certificate) or download your private key and digital certificate to a smart card. It is the user's responsibility to keep up with these things.

Don't blame just the USPS, geez

[EvilStein]

"Funny, they don't seem to always know where to deliver so-called first-class mail ..."

No, not very funny. Rather clueless. Did you know that the USPS has domestic airlines carrying mail?
I can't even count the times I've found stray (or lost) bags of mail in aircraft. One of my many job functions when I worked for a ground handling company was to make sure that mail for Anchorage actually got *on the right aircraft* and didn't wind up on a flight to Miami. We'd actually check behind the belly toolbox on that old nasty DC-8 looking for mail bags.
Ever seen a 55' truck back up to a DC-6? Yes, folks. Bulk loading 33,000lbs of mail into a friggin DC-6 bound for northern Alaska.

Sure, mail gets lost sometimes, but it's not always the fault of the USPS.

Re:Don't blame just the USPS, geez

it's not always the fault of the USPS.

So it's YOUR fault, then? :-)

Re:Don't blame just the USPS, geez

[Rick+the+Red]

Sure, mail gets lost sometimes, but it's not always the fault of the USPS.

Oh, so it's not the USPS's fault because they're not the ones hiring those domestic airlines? Then whose fault is it?

I don't get it.

Re:The Post Office? Seriously?

[Just+Some+Guy]

That's still the impression I got. Playing a minor practical joke on your deliveryman may get you a nasty letter. Mail some drugs or chemicals that you're not supposed to have and the Men In Black kick in your door.

For real joy, though, see what happens when you get caught by the Railroad Police. Sounds funny, but apparently it's decidedly not humorous at all.

Becuase bribing a Federal Employee is a crime...

[crazyhorse44]

if he had've kept your 20 cents and someone found out, he would lose his job on the spot.

Re:The Post Office? Seriously?

[jonnythan]

Yeah?

Get FedEx to pick up a letter in White's City, NM and deliver it to Buttfuck Alaska in less than a week for 40 cents.

Ask UPS to deliver some RAM from your home in the middle of nowhere in Vermont to suburban Seattle in two days flat for $3.85.

A Haiku

[blackmonday]

Digital Signature!
Post office gets it to me
How soon it must die.

Re:A Haiku

Five on the first line
Seven on the following
And five for the last

(Count: Di-gi-tal Sig-na-ture)

Desparate fits of a dying bloated animal

The USPS is dying fast and they know it. Despite "privitization" and "new" services, they are ill-equipped to compete against slicker, harder working private companies. Just visit your local PO to find the tired old gravy train mentality in the first person you meet as you walk in, no doubt after waiting in line for a long time.
Watch them try to reinvent themselves, all the while raising the price of stamps while cutting service and treating their staff like lifers. I walked into the local PO and tried to pay 3 years in advance on box rental and they had some reg that wouldn't allow more than a year in advance. That's after 3 visits to find the right person on duty (first was a Saturday, forgot why the second visit failed). Ditched them in disgust and went to Mailboxes, Etc, which was glad to oblige me.
This attitude and type of experience has occurred time and again. Fatass bastards, all of them. Die, USPS, Die!

Waste of Tax Dollars

It looks like this is just Verisigns way of getting the US Government to pick up the cost of personal verification. You will still be registered with some private CA. So much for the government big brother worry warts.

Having said that, the commercial big brother worry warts should continue to worry.

Likely identity theives would be quite proficient in "proving" to the USPS that they are you. This could make identy theft worse.

think global

[poptones]

So every cert can be cached locally - that still means one bigass database (50 million people? 100 Million?) feeding cached local certs to the mail server for every email. And what do you do if the person isn't from the US? How many ISPs would be willing to declare all international email "undesirable?"

is it ironic

[geekoid]

that slashdot would slam the USPS for its incredibly rare mistakes?

If the people who ran /. ran the postoffice, my mail would only get handled correctly about 4 out of 10 times. the good noes is, I would regularly get the same package twice.

Re:is it ironic

And most of your mail would consist of cards with only the words "First Post" on them.

going postal once again

Slow roasted goodness

Re:The Post Office? Seriously?

If you think $0.37 is too steep of a charge for someone to come to your house, pick up an envelope, and deliver it to anywhere in the country, often in 3-4 days, well sir, you need to put down the crack pipe.

And nowhere near 10% of the mail is lost. Puh-leeez. One out of 10 of your bills gets lost? Wow, that would really be a problem. But of course it's nowhere near that. When's the last time you actually had some mail get lost? Seriously.

And most postal workers I deal with are extremely nice, dedicated people, especially given the climate they operate within -- nasty "what have you done for me lately, I'm in a hurry, I shouldn't have to wait in line" snotty type people. YOU try putting up with that kind of customer attitude for a while and let's see how you turn out. DMV? The DMV sucks. USPS? The USPS is full of friendly, helpful folks, and always trying to improve. They don't deserve your rap.

that's how it looks.

[twitter]

the USPS will only be vouching for you to the CA - they won't be authenticating you to the public at large.

It looks like that, but because the database must be "Patriot Act compliant" , it will be like the government owns the data anyway. This way they get all the information and get to subsidise their favorite "top quality private sector business".

NEver ever fuck with the postal police.

[Unknown+Poltroon]

96% conviction rate. It helps that they generally know where you live, but within thyre domain, they kick some ass.

Re:NEver ever fuck with the postal police.

[dnoyeb]

Yea, and shovel that damn snow too if you want your mail!!

USPS is solid as a rock. I use them for all my mail. I thought they were more expensive that UPS though. So when I shipped my monitor I took it to ups thinking a big item like that I better go cheap on. $56. I am sad to read above that USPS is cheaper. USPS is everywhere. From now on its USPS exclusively.

Plus the girls always have really nice thighs!

Re:NEver ever fuck with the postal police.

[Skjellifetti]

96% conviction rate. It helps that they generally know where you live, but within thyre domain, they kick some ass.

Unless its an anthrax case...

But to be fair, IIRC it was a Postal Inspector who caught the Unibomber and that case took years to solve.

Re:NEver ever fuck with the postal police.

Female letter carriers are hot!

Re:NEver ever fuck with the postal police.

[ckaminski]

Actually, the Unabombers BROTHER turned him in after reading his manifesto in the N.Y. Times. Just goes to show you have to keep your pyschoses to yourself. :-)

Re:NEver ever fuck with the postal police.

postal police guard postal facilities. They tend to be overweight, and they certainly don't go into people's homes. Postal Inspectors go into people's home. Yeah, they tend to be overweight too.

USPS offers to outsource services to CAs

A more careful reading of the article indicates that the USPS plans to offer its post offices as digital signature identity proofing front offices to CAs.

The basic idea is that CAs can leverage the thousands of existing post office branches to outsource the hanling of the proofing services.

Of course, besides having their root certificate stored in Explorer and Netscape/Mozilla, the only other real competitive advantage of CAs has to do with their verification processes. Its not clear if they would be willing to outsource them. The USPS could then easily add its own root certificate to the popular browsers and eat their cake.

Spare us please!!

Funny, they don't seem to always know where to deliver so-called first-class mail ...
>
>
Talk to the people who work in the recieving departments at department stores like K-mart and WalMart and ask them how many times a week UPS and FEDEX drivers leave packages for the other store
with them because they can't be bothered to read the addressthat's on the package's shipping label.

Idoits like you need to get a *MAJOR* clue
about's what involved with deliving things
like first-class mail.

Then you'll realize you'll want outfits like
FEDEX and UPS to have absoulutely *NOTHING*
to do with it.

Spirit

[poptones]

I agree with you in spirit, but I vehemently disagree about making this mandatory. Providing a reliable way to verify someone's ID outside the (god-damned) banking system is a great service - but I disagree that anyone should be compelled, simply because of their nationality, from signing onto such a service.

If you want credit you accept that you have to share some amount of personal inormation with the banking authorities. This would provide an alternative means of identifying oneself without having to take that step - but no one is forcing me to get credit. No one should be forced to sign onto this, either.

From the paper it appears "mandatory" would be a very long way off, if ever. So far it's full of disclaimers ("if the service proves popular") which makes the concept of this serving as a national ID a fairly distant probability.

When it comes down to it any system of accountancy is open for abuse - and not just from the government. Unless one has violated just law, exposing oneself to that potential should always be a matter of choice.

Re:The Post Office? Seriously?

Mister Kramer, I'm not just a postmaster. I'm also a general.

Right... the Post Office

Funny, they don't seem to always know where to deliver so-called first-class mail ...

But they never miss on all that junk mail, do they? What does this portend for e-mail?

Marketing Idea for the USPS

[boogahboogah]

Let's call it a 'Freedom Certificate'. All the yahoos that believe that the 'Patriot Act' means patriotism will suck it right up.

Only those people signed up & 'Authenticated' will be afforded the rights & freedoms described in the constitution. All others pay cash.

Unless you are suspected of a crime, of course, which will automatically 'entitle' you to a 2 year stay in the wonderful vacation facility of Guantanamo Bay.

obConspiracyTheory

[josh+crawley]

Insert obligatory "the government wants to track you down/harvest your organs/make you a slave of corporate America" conspiracy theory here.

Re:obConspiracyTheory

[josh+crawley]

Oh wait, the USPS isn't actually issuing the Certificate, just verifying the identity? Well, I'm sure it's still evil and Microsoft is probably behind all of it.

Rolls d 20 and

[geekoid]

Saves vs. scathing retort. ;)

Re:The Post Office? Seriously?

[legLess]

Quoth the poster:

And although they'll only cost $0.37 to start, their price growth will outstrip inflation. When a competing company starts doing the same things with better service and prices, they'll whine that they're losing business and raise prices again.

There's truth to what you say, but not as much as you think. The USPS is required by law to deliver to every address, every day (in some really small places they skip Saturdays, I hear). UPS, FedEx, etc. have to make a profit, which means that unprofitable packages don't get delivered. UPS's delivery service to some addresses is the USPS. They'll literally accept a package for delivery, label it, then drop it off at the local post office.

Besides, $ .37 ain't bad; if you find a cheaper way to send half an ounce of anything 2,000 miles, lemme know.

Re:Oh goody! Now we can all get our MARK!

[geekoid]

so, the patent is aproved? in all likley hood, Heeter; Thomas W. (55 Lyerly, Houston, TX 77022) is just some guy with a good sense of humor. If I had thought about it, I would of applied, it pretty damn funny. Besides, if the devil is comeing to town, why not make a buck?

or perhaps he aplied for the patent to PREVENT it from happening?

As long as we have seporation of church and state, and freedomn of religeon, the mark of the beast will not come to pass.

now, if only it had someting to do with the original post.

Re:Australia Post's Dud Keypost System

[maroubra]

Australia Post launched a product several years ago called Keypost aimed at individuals.

The company I worked for at the time (a large Australian provider of e-mail services) was looking into it as a solution to spam, and as a boost to e-commerce dealings. We probably had the clout to really put the product into the market, and we thought it what our customers were yearning for.

But, dealing with Australia Post was so incredibly difficult we gave up.

Besides obstinate and inflexible product people on their end, the product had some key flaws:

For instance, Keypost certificates were supposed to be issued the same way as passports, but for some reason required more ID (or more stupid ID rules) than a passport application did. (if you know anything about the Aussies, they hate over-burdensome ID rules).

Also, only a very limited number of Post shops were willing to run with Keypost.

As well (if not most importantly), the cost of Keypost was around 10 times an Australian Passport (at the time it was Keypost $99/annum vs around $100/ten years for a Aussie passport).

NOIE (The National Office of the Information Economy - an Australian govt office) runs gabfeests on the issue every so often, but nothing eventuates.

There is obviously demand: The Australian Tax Office gave up waiting for a public key infrastructure and set up it's own a couple of years ago, which most of the users (mostly small to medium size businesses) are very happy with. But it's only used to talk to and fro the tax office.

IMHO, demand's there, someone just has to force Post to get itself organised that's all. I think we'll all benefit.

M.

Hong Kong's SmartID Project does this....

[shri]

http://www.smartid.gov.hk/en/index.html

and so does Hong Kong Post.

http://www.hongkongpost.gov.hk/product/ecert/typ e/ smartid/index.html

Why reinvent the flippin' wheel?

[Lodragandraoidh]

Why not just use PGP encryption for this purpose.

Two levels of security:

1. Digital signature.

2. Public Key encryption.

As long as you keep your private key secure, others can download files encrypted by you and be sure the data is authentic.

I haven't played with the public key registries - but it would seem that it should be set up so that when you create an entry in the database, it would only allow someone who can authenticate as you (i.e. you generate a digital signature to login) to change your public key (this would elimenate identity theft).

Why reinvent the flippin' wheel?

Re:Why reinvent the flippin' wheel?

[PaperTie]

How is someone supposed to know that you are, in fact, who you say you are? Just because the signature is used doesn't mean that someone didn't just type in any old name they felt like. It just means the message hasn't been altered.

Re:Why reinvent the flippin' wheel?

[Frobnicator]

That is what trust networks are used for. You can trust your friends to a certain degree (1 to 0), and they trust others to some degree (multiplied together), giving a a trust level.

CA's like Thawte, which has its certificates accepted on almost all systems, will freely give out certificates for e-mail with no identity verification.

Thawte notaries can give you points toward your identitiy authentication. Visit enough notaries and your identity will be verified. Visit more notaries and you can become a notary yourself. (I'm a Thawte notary, btw.)

The fact that the USPS will require you to re-authenticate every 4 years seems troubling to me....

frob

On Post Office reliability

[turbod]

Considering the vast size of the post office system and the fact that we have not invented machines that can deliver mail, the post office is actually pretty reliable. While I could end up one day the victim of a FCM dropout, in 29 years, it would be the first.

Anybody know what their loss rate is per amt of mail they transfer vs. say loss rate of UPS or fedex per their transfer numbers?

I'll bet they are within the same ballpark...

TurboD

Re:Becuase bribing a Federal Employee is a crime..

Doesn't that imply he was that much more generous in his offer to add the needed postage? How easy would it have been to say, "I'd like to, but my job would be at stake."

require one of these for a change of address form

[option8]

the last (several) times i have moved, I've gone down to the post office, picked up an official postal change of address form, filled it out and mailed it back in.

as far as i can tell (and the USPS may have updated their policy since the last time i moved) there's no ID, or any kind of proof of identity for that matter, involved in filling out a change of address form. that, and no confirmation after the fact that it had been accepted and processed - other than your mail showing up at the new address with a big yellow sticker over the address. i.e. nothing to prevent someone filling out a form for somebody else

in fact, i read several years ago in a book of "dirty tricks and practical jokes" that a fun little prank to pull on someone you don't like was to fill out a change of address form for them - forwarding their mail to an address in another state. another fun one was to send a threatening letter to 1600 pennsylvania ave with their return address. postal inspectors *and* secret service when the prez is in town. fun for the whole family!

now, tell me they've updated this procedure - which used to be done with a simple mail-in form - or else tell me how i'm supposed to trust this same organization as an authority regarding someone's identity.

debian

[perlchild]

since HP supports debian GNU/Linux on blades, I can't wait to see them preload it on a desktop

*only half Irony*

Re:debian

OK, is slashdot messed up, or is this intended to be a really subtle joke on the subject of the USPS and accidentally delivering messages to the wrong destination?

Re:debian

[perlchild]

somewhere between posting in the wrong window and slashcode posting a comment on the wrong story I'm sure. Although you're free to add subtlety if you wish

Re:The Post Office? Seriously?

[Martin+Blank]

Delivery of a two-pound, 20"x15"x2" package from California to London:

UPS: $66 (2-5 days)
FedEx: $65 (4-5 days)
USPS: $15 (4-6 days)

You can guess who I went with. It took four days to get there.

USPS Approved Document Time Stmaps???

[QuietRiot]

I'm curious when we may have access to a government approved digital time-stamping service?

Ever like to prove to somebody that a document existed at a certain date? "Mail it to yourself. It's got the postmark."

Well, besides the fact that this ploy would never stand up in court (it's too easy to steam the flap open), it's a good idea.

How about the USPS providing a digital document time-stamping service? What good time-stamps are availible out there that would stand a test at the patent office, for example???

Re:USPS Approved Document Time Stmaps???

[hackstraw]

Public notary maybe?

Re:USPS Approved Document Time Stmaps???

[QuietRiot]

When in this country might I expect to see a digital public notary? 5 years?

Present a document, and the notary wraps the contents with a digital signature and timestamp, similar to the way GPG clearsigning works. That would be pretty neat.

I'd pay by the megabyte for somebody to timestamp stuff for me.

Re:USPS Approved Document Time Stmaps???

check out the Electronic Postmark @
www.usps.com/electronicpostmark

Illegals ID themselves for jobs, so can this work?

[John+Jorsett]

If we can't screen out millions of illegal aliens who manage to come to the U.S. and present documents that are good enough to let them satisfy the government's requirements to prove to an employer that they are eligible to work in the U.S., how is this going to be better? If the answer is "better documents," how come we aren't requiring those better documents to be presented to the employers?

same experience here

[beavis88]

However, I was pleasantly surprised that the last time I moved, I got a confirmation letter -- one to each address. I don't know if that is a local thing (Boston area), or new policy.

Going postal

[SunPin]

Postal inspectors carry guns and can really fsck up the lives of anyone that crosses them. I wouldn't be against a system of guaranteed spam free email. Any commercial email would cost money so I wouldn't care if I received sales crap in it. Pay per send, fine $ to companies that don't send commercial email at commercial rates, jail repeat offenders, end of story.

Re:require one of these for a change of address fo

Speaking as one who is in the process of moving right now (getting keys to the new apartment tomorrow morning), there actually is verification that it's been accepted and processed. You may not run into it if you don't file the change-of-address form pretty early, though, because it's sent to the old address. And, they're fairly clever about it. They account for the possibility that someone will send in the forwarding order late and someone else will have moved in their place before the confirmation is sent. Because of that possibility, they only list the address that the mail is forwarded from. Thus, the person who moves in after you may get your name, but they do not get your new address.

Just in case anyone cares, here's what the letter looks like:

COMPUTERIZED FORWARDING SYSTEM
UNITED STATES POSTAL SERVICE
1234 STREET_OF_LOCAL_POST_OFFICE RD.
SCHENECTADY, NY 12345


Dear ANONYMOUS COWARD,

The Postal service has received a Change-of-Address Order (PS Form 3575) asking us to forward mail FROM the following address for:

ANONYMOUS COWARD, INDIVIDUAL ONLY

*** PRSRT
(official-looking bar code stuff)
CURRENT RESIDENT OR
ANONYMOUS COWARD
1234 YOUR_STREET, APT 5678
SCHENECTADY, NY 12345
(more bar code stuff)

The purpose of this letter is to confirm that this request to forward mail is correct.

If this Change-of-Address Order is for someone who has already mnoved from this address, no action is needed.

If anything is incorrect with the Change-Of-Address order shown above, or if you did not ask the Postal Service to forward your mail, please call 1-800-ASK-USPS (1-800-275-8777).

... blah blah blah, etc., etc., etc...

So, yes, someone could play a trick on you, but you would at least find out eventually. Still, they could do a little better. They could provide a phone number (or web site) for you to submit a request; then they'd send a computer-generated form to the "from" address for forwarding; only by returning that form could you get the mail forwarded. Unfortunately, what would happen is that more mail would be lost this way, because in the chaos of moving, people naturally forget to forward their mail until after they've moved, and those people would never be able to get through the system...

Questions

[MagPulse]

After reading the article (quickly) I still have some questions:

1) What kind of certificate is being given? X.509?

2) What private information is kept by the user to be used to encrypt or sign data? In PGP you have a key that's usually thousands of bits long. I just read that X.509 certificates only use a password. If this is true, wouldn't it be a lot easier to crack? For example, by encrypting data with tiny passwords until a browser or e-mail program accepts it?

3) How is the private info given to the user? If it's in person when the user signs up, then it has to be randomly generated since no one at the office should see it. If it's sent in the e-mail notice for downloading the certificate, that can't be secure can it? So it must be given at sign-up in a sealed envelope right?

Hong Kong has it

[lamj]

Hong Kong Post office is teaming up with the government to offer the same thing, this has been available for over a year now. Refer to this link.

The Hong Kong Government has recently roll out a renew plan for all citizens to renew their ID card (mandatory, must be on the person at all times). This new ID card is a smart card which also allow storage of digital cert.

Because of this mandatory ID, the cert roll out plan (storage and distribution) is relatively easier than other countries.

Re:The Post Office? Seriously?

When you control the mail, you control ... INFORMATION!

Re:Canada too...

[g0at]

I guess I should look into this some more, but when this was first announced a few years ago I couldn't understand the big deal -- as I still don't today.

Many companies send me paper invoices, which I like to keep for accounting and records purposes. And I can pay them all online, either by EFT/ACH (online banking) or credit card.

I don't think I've written a cheque for anything except rent in at least a year (well, and to my brother earlier today who just picked up a couple of 10/100baseT switches for me for dirt cheap).

-ben

It's a Multi-Pronged Approach

[billstewart]

That's the thing about databases - every new database out there can pretty easily be coordinated with every other database out there. And if you've ever bought a house and looked over your credit records, what privacy did you think you still had?

• People were scared of that stuff back in the 1960s, when really big mainframes might have cranked at 0.1 - 1 MIPS and 5 MB was a huge disk drive and they used papertape and magtape and punch cards and correlating data was really _hard_.
• They were afraid in the 1970s when mainframes were starting to approach the capacity of a current PalmPilot and supercomputers were approaching the capacity of a PocketPC and 9600 baud was Really Blazingly Fast datacomm and a Gigabyte was really a lot of data.
• These days a desktop PC can add 160GB of disk for $100, which is ~500 bytes per American or 20 bytes for everybody on Earth, and who'd buy one slower than 1 GHz (that's 4Hz/American :-) and then there's the Internet, so basically any random government employee with a cheap desktop box can do a search in 10 minutes that would have taken the 1970s Census Bureau two years to plan and several weeks to run, and that simply couldn't have been done in the 1960s.
• It's much faster and more efficient to correlate data in RAM than disk, and much more efficient using disk than tape. My laptop has more capacity in $70 of RAM than my mid-80s VAX had on two $35000 tape drives, plus the CPU's 1000 times faster.
• You can buy national phone number databases on CDROM for ~$20 in your local office-supply store. It takes a couple of CDs, but probably only one DVD.
• You can buy CDROMs with MILLIONS of Fresh New EMAIL ADDRESSES REAL CHEAP!! (oh, wait...)
• Social Security Numbers make it easy to correlate every record that uses them with every other record that uses them. No they're not perfectly accurate - but that doesn't help your privacy any, it just risks mistakes causing you big headaches.
• Driver's Licenses and Car Registration in all US states require the DMV to collect your SSN. They don't have to print it on the license, but it's in their databases, and many states sell most of their DMV data widely, as well as coordinating with other DMVs to prevent multiple registration.
• US Banks almost all know your SSN - it's required on interest-bearing accounts, and may be required even on dumb checking.
• Credit card companies almost all have your SSN, and if you use credit cards, everybody knows your credit card numbers and your mailing address.
• "Deadbeat Dad" tracking laws and anti-Spanish-Speaker laws require employers to collect identity papers from everybody they hire and validate with the Feds to be sure they have permission to work in the US. That's because *you* might be a deadbeat dad, and because all those immigrants are coming here to get on welfare, which is why they're not allowed to get jobs.
• Passport agencies want your name, DoB, address, SSN, etc. Just about any Fed can get some excuse to access that database, and it's bar-code-scanned when you enter the country if they can get it.
• Unique identifiers like SSNs are useful, but they're much less necessary these days - computers can do character-string matches fast enough, and some combination of name, phone number, address, ZIP code, date of birth, etc. can get pretty close.
• If you want a US Post Office Box, the PO wants proof that you're really you and proof of where you really live, because you might otherwise fraudulently get mail for someone else sent to the box.
• But if you *don't* want paper junk mail at your house sent to Occupant or Resident, they'll deliver it anyway.
• If you want a mailbox from a mailbox company, the Post Office has gotten laws passed in many states that let them get even *more* documentation of your "True Name" and address and two forms of ID. In California, this is ostensibly because many small businesses are run from mailboxes pret

Re:It's a Multi-Pronged Approach

[willtsmith]

I believe we all have a right to privacy.

We do NOT have a right to anonymity. Basically, indexing databases by social security number should be illegal. The credit beaureaus should be held accountable (financially) when they allow thieves to steal your identity.

Our financial systems are woefully insecure in this day and age. The move towards purely electronic transactions has rendered traditional "minted" authentication largely irrelevant (save for cash).

I am very glad to see the USPS step in on this issue. We need some pretty stringent laws regarding what data you can pass TO WHOM!!! Electronic PKI technologies will really enable us to get a hold of a lot of this mess provided we can get the greed mongers behind it.

Re:The Post Office? Seriously?

[berzerke]

...UPS's delivery service to some addresses is the USPS. They'll literally accept a package for delivery, label it, then drop it off at the local post office...

I can verify this. My father works at one of the mail processing centers (the BIG post offices; several city blocks in size, not counting the parking lot), and every day multiple UPS and FedEx trucks pull up to drop off packages.

Re:The Post Office? Seriously?

[willtsmith]

COOL!!!

Will Agent K show up himself???? He does have postal experience ;-)

Re:Oh goody! Now we can all get our MARK!

Oh, that's too weird! Let's see:

THOMAS - 6 letters
HEETER - 6 letters

Wanna bet the middle name has 6 letters too?

Re:Illegals ID themselves for jobs, so can this wo

[willtsmith]

We aren't requiring "better documents" because illegal immigrants drive down US wages. Corporations like lower wages because CEOs and other executives have a bigger pot of money to steal from. Our legislators don't care because these CEOs and other executives pay the bulk of their campaign funds (as well as "investigative trips" (vacation bribes) ). The CEOs and other executives OF COURSE tell them that undocumented illegalal aliens are a "GOOD" thing for Americans.

Ralph Nader and Ross Perot were right. They do seem somewhat mad on the surface but their predictions become reality.

After 9-11, you would expect that the Bush administration and their "homeland security" department would fight illegal, undocumented immigration. Nope, they could give a shit less. The "Homeland Security" department is just a sham excuse for consolidating government agencies more closely under the thumb of the president and abolishing protections for career civil servants.

Secure National "Smart Cards" would be a great way to:

* Secure our financial infrastructure and prevent identity theft and credit fraud.
* Allow the easy identification and deportation of illegal immigrants
* Increase our level of security, hence reducing the need for foreign "pre-emptive" military action.

So of course, neither Republicans nor Democrats would be in favor of it. Follow the money, I gauruntee that it doesn't trail back to ordinary Joe Americans.

Re:Canada too...

[Zork+the+Almighty]

It shows promise, but I wish they would offer authenticated email services.

Re:Oh goody! Now we can all get our MARK!

[willtsmith]

Personally, I think you've already been tatooed on the head, with a RUSTY RABIES INFECTED NEEDLE!!!!!!

The fact of the matter is that a "MARK" has been common in many transactions for centuries. Written signatures have been the most popular. This is simply a different type of signature.

Many people voluntarily mark themselves voluntarily through tatooes, brandings, and piercings.

One US right held pretty sacred is the right to your person. So don't get uptite about the return of the beast until you've seen a constitutional amendment saying that the state can dictate that you undergo body altering surgeries. .... That, or you can tune into the 700 club where the Beast's smiling face is featured every afternoon begging for money to make everybody "like him". ;-)

Re:USPS & Personal Identity

[willtsmith]

Now that I have your attention, I would like to discuss the larger issue of Linux in general. It is time for us, fellow patriots, to look at our situation in the world on a global scale. Microsoft is an American company. Bill Gates started with nothing and built an empire. What is the problem here? We should be supporting American enterprise, not undermining it. The simple fact is that no true partiot would use Linux at all. In these hard times we must rally around our companies, our economy, and our president. If we let the 'Linux Community' have their way, we will all be at the mercy of the Germans making KDE, or the Japanese with their desktop. Do you plan to learn Japanese in the near future? You may have to, if we don't start poneying up to the bar and laying it down for our cause.

Dear Mr. Patriot (aka Anonymous Coward),

Your thesis is BULLSHIT.

First regarding the French. Yes, their modern military exploits (post Napolean) have been farsicle. However, they are still DAMN good cooks and nice people.

Beyond that, they did have one truly great military exploit. They provided invaluable miliatary assistance at the battle of Yorktown which effectively capped off the American Revolution. Without the help of the French Army and Navy, Yorktown probably would NOT have been possible (We had no Navy!!!). One could credibly claim that without the aid of the French, the revolution would not have been a success.

Regarding Microsoft. Microsoft (along with most other US corporations) employs a high level of H-1B, L-Z1 and other foreign non-immigrant Visa holders. They produce software world over and are effectively a "global corporation" with their headquarters in the US.

The best "open-source" stuff is coming out of Ximian which is located in Boston. Beyond that, if there were any particular political agendas in Linux, you could simply comment them out and replace them with "patriotic" code.

Seriously Anonymous Coward, you sound like the paranoid love child of John Ashcroft and Bill Gates. BTW, which one is the bitch, John or Bill???? ;-)

Token USPS Endorsement

[ReadParse]

I didn't have to look far to see the usual "postal service sucks" stuff. Heck, even the poster (as opposed to the submitter) couldn't resist offering a little jab.

These people obviously don't know what it's like outside the United States. yes, I live in the US and I was born here, but I have been around enough to know that the US is where I belong. And the USPS is a great example of why it's so great to live in America. As big as the country is, 2-3 days is usually enough to get mail from anywhere to anwhere (Continental US, of course). I mail things with absolutely no fear of anything getting lost, and I have never known of any situation where something was legitimately lost in the mail.

It's always been an excuse, and a useful one for certain people, since it's impossible to disprove (can't that a letter than can't be found and that wasn't tracked was ever sent). Anyway, I'm sure some people have had trouble with the postal service, and we've all had run-ins with specific postal workers who don't care about their jobs (just like at McDonald's and Kmart and every government office).

The only negative experience I ever had with the actual service was a long time ago... like 15 years or so. A letter had been accidentally "mutilated" on the way to my mailbox. That was their word, not mine. It had obviously gotten caught in some sort of machine and it was useable and readable. But it came sealed in a special plastic covering with an amazingly-apologetic statement, just going on and on about how much of a disappointment and an inconvenience they had been to me. I couldn't believe it.

Ok, I'm done ranting. Continue slamming the postal service all you want. Oh, and by the way, I think this is a good idea. This is an organization that has a high degree of trust and is available for everybody in the US to easily to the in-person visit. Brilliant.

RP

Who generates the key?

I hope I generate the key which gets signed, that way my computer has to be subverted for my identity to get forged.

If the CA generates the key (and lets face it, I don't really trust them and certainly not ALL the IT staff they will hire) I'd be afraid my private part might be stored, intercepted or otherwise harvested.

Re:Who generates the key?

[shiflett]

Your browser generates the key pair using whatever length you specify during registration. The public key is provided as an HTML form field and used to create the digital certificate if/when you pass in-person proofing. Your private key should never leave your possession (whether you keep it in the browser, on a smart card, or whatever).

Re:Who generates the key?

Not always.

With some CA setups I have seen the server generates the key! Eeekk!

Re:Who generates the key?

[shiflett]

I think you misunderstand. I am telling you that this is how it (the USPS implementation) works.

And yeah, any system where the user cannot take full responsibility over the privacy of their private key is a broken system. :-)

Danish postal service does it. Sweden use banks

Since the implementation of the EU electronic signature directive in danish law in october 2000, the danish post offices has offered the same service to the CA's issuing qualified certificates. This is the only way to get a qualified certificate in Denmark. It has not been a success mainly due to two reasons: 1) practically no services requires that level of security in the registration process and 2) barriers for aquiring a certificate are too high (expensive and time consuming). Therefor the danish government has launched an alternative pki with very low access barriers. You can get a certificate at no cost and order it from home. Authentication is mainly coupled to your registered adress which is where the activating pincode i posted to. To push adoption, services that will demand use of this pki are supported financially and given technical conceptual support.

Danish banks are watching the market for federating identities, and in Sweden the banks identification of their customers are relied on for issuing certificates to swedish citizens.

Sounds like a national ID card to me

Welcome to the Police State of Amerika

Re:The Post Office? Seriously?

[GnarlyNome]

2'x4'x7' Package
gross wt. 24 lb.
FedEx 385.00
UPS 310.00
UsPs Go Away!
Greyhound Package express 41.85
Delivery 3 days S.F. to Denver area

How does the PO know who you are?

As a German (with national ID card) who's lived in the US quite a bit, I wonder how the Post Office is going to tell who you are. From personal experience I know that almost everyone at a US college has a fake drivers license. I got my drivers licence with a rental agreement as the crucial proof of ID; actually, it was proof of residence they were looking for, but nothing else was checked. With that, I got a credit card. And so on. With the whole US system of ID, it is absurdly easy to create a new identity.
So now the Post Office will certify... what exactly?

YHBT. YHL. HAND.

Just don't feed'em

Re:USPS & Personal Identity

Just call it Freedom Linux and continue to use it as usual. ;)

Lennart Regebro.
Paris, Freedom.

More information

USPS Electronic Postmark page More about electronic postmark

Contents of article

[FR Doc. 03-15347 Filed 6-13-03; 11:53 am] BILLING CODE 7590-01-M POSTAL SERVICE In-Person Proofing at Post Offices (IPP) Program AGENCY: U.S. Postal Service. ACTION: Notice. SUMMARY: The USPS is announcing the availability of an In-Person Proofing at Post Offices (IPP) Program to support the activities of U.S. Certificate Authorities and government organizations. EFFECTIVE DATE: June 9, 2003. FOR FURTHER INFORMATION CONTACT: Chuck Chamberlain at 703-292-4172, or Brad Reck at 703-292-3530 SUPPLEMENTARY INFORMATION: In recent years, a number of new federal statutes have sought to preserve the ability of the public and private sectors to use the efficiency of the internet to rapidly exchange time sensitive communications while assuring that people receiving and sending messages are in fact who they say they are. A number of top quality private sector businesses have mastered the technology around the use of secure digital signatures, yielding a greater demand for improved identity verification for individuals seeking to use digital signatures. This need for improved ''online identity'' creates a unique service opportunity for the Postal Service to provide value to the public, leverage our retail network and enable internet communications to enjoy a new level of security and reliability. Numerous organizations have approached the U.S. Postal Service to conduct In-Person Proofing (IPP) of customers nationwide for physically authenticating an individual's identification at a post office before the organization issues a digital signature certificate to the individual. IPP supports efficient, affordable, trusted communications through the use of identification verification at Post Offices, incorporation of process enhancements required by the Postal Service, active management of the IPP program by the USPS, and use of a First Class U.S. Mail piece to verify physical addresses of applicants. We believe that IPP conducted at local post offices will create a new broad based capability for the Nation that promotes improved public trust and greater efficiency in the electronic delivery of a wide range of services. These efforts support achieving the goals of the Government Paperwork Elimination Act of 1998, Electronic Signature in Global and National Commerce Act of 2000, Health Insurance Portability and Accountability Act of 1996, Sarbanes-Oxley Act of 2002, and Gramm-Leach-Bliley Act of 1999 and numerous Presidential Directives on eGovernment. The following is a brief description of how IPP would work. An organization can establish a relationship with a qualified U.S. Certificate Authority to integrate digital signing with improved identity verification into an online application. Any individual desiring to use digital certificates that include USPS IPP will complete an application online. The online system will verify the individual's identity via commercial data base checking. The system will then produce a standard Postal Service form to be printed out at the ''applicant's'' personal computer. The individual requesting the service will present this form to a participating post office where the ''In Person Proofing'' process is conducted. After successful completion of the IPP event, the CA will notify the applicant to download their digital certificate. For clarity, the steps in the IPP process are outlined below. 1.0 DESCRIPTION 1.1 Purpose IPP is a postal program to improve the public key infrastructure of the Nation. The public key infrastructure has emerged as an accepted infrastructure component for protecting and facilitating the electronic communications of the Nation. 2.0 BASIC STANDARDS 2.1 Eligibility For a Certificate Authority (CA) to use IPP, the CA must incorporate the U.S. Postal Service In-Person Proofing Policy into their Certificate Policy. Conformance to the Postal policy includes: 1. Use of a Patriot Act compliant database vetting process to gain initial assurance of an applicant's identity before sending the applicant to the Postal Office for IPP. 2. Perform a verification of the applicant's physical

civil servants

postal emplyees are not civil servants. They are postal employees, period. They work for the federally chartered USPS, and are in FERS, the federal employee retirement system--but they are not federal civil servants. I was a carrier for a year ( worst job I ever had) and I can vouch that most postal employees dont work too hard. Carriers and maintenance employees do--oh yeah. Try delivering mail for 9 hr straight on foot with no rest room use,,,,yes, I wish I had been a "civil servant".

Re:Becuase bribing a Federal Employee is a crime..

that's not a bribe, and Postal Employees are not Federal Employees...they are USPS employees, under a union contract. But, yes, it is illegal for POSTAL employees to accept money for their own use---which is why, when i was a carrier, I would not knowingly accept mail with no postage on it.

Postal Directive

"Dear USPS customer, in order that we may provide you with a digital ID, please fill out the 5 page form below, It is particularly important that you fill out all data regarding your racial background, so that in the interests of diversity we may add or subtract 'identity points', when we issue you your final ID. These points may be used for job interviews and price discounts at USPS branches nationwide!!"

Technology

[Redbw6]

I think that devices such as these could work to our advantage but I personally think that with all of this technology we're putting a limit on life and turning ourselves into computers.

Re:USPS Approved Document .... Thank you.

[QuietRiot]

Thank you.

Re:Becuase bribing a Federal Employee is a crime..

We are Federal employees when it benefits the Postal Service and then we are Postal employees when it benefits the POstal Service. Other than that, the Post Office thinks its employees are scum.