Slashdot Mirror
USPS To Provide Personal Identity Certification
Zentalon writes "The United States Postal Service has announced that it will provide In-Person Proofing (pdf) to physically authenticate individuals before a digital signature certificate is issued to that person. This has a bunch of interesting ramifications; for instance, I could create a simple spam filter that only accepts mail from individuals and organizations that have an authenticated certificate. It could also allow for more secure financial transactions. Anyone know if any other national postal services are planning the same thing?" Funny, they don't seem to always know where to deliver so-called first-class mail ...
Shortly after digital signatures became legally equivalent to regular signatures in Germany, Deutsche Post (the German postal service) offered digital authentication. Last time I heard about it, it was being scrapped due to a lack of demand.
"Light is faster than sound." - "Is that why people tend to look bright until you hear them speak?"
Other than that, I'm sure it'll be great. When will my local branch (literally in a small town in Nebraska) have their PKI training day?
Dewey, what part of this looks like authorities should be involved?
Sounds like an opourtunity to charge us. This seems a lot like the door opening for the postal service's charging to send emails. Why else would they be offering to develop this amazing technology? To make our lives better?
future shocked
Is this how they are going to roll out a national database system? Saying it will help in the fight against spam and forgery? Not that I'm "totally" against such a system, but it seems like they are misrepresenting the true nature of this.
what good is a digital signature verified by the Post Office if you are unable to.......... speak?
Mike.
Mmmm......sacrelicious.
Just a comment about the "Funny, they don't seem to always know where to deliver so-called first-class mail ..." remark.
Have I had mail lost? Yes. Is it annoying? Yes.
But, think about how amazing it is about what the USPS does right. It moves billions of pieces of mail every day, and almost all of it (percentage wise) gets to where it should be going in spite of the fact that not every piece of mail can be automatically routed and multiple people end up looking at it at one point or another. And, in spite of the price increases, I can still send a letter anywhere in the US for 37c and it'll usually get there within a 2-3 days.
Sure, dealling with the post office is a pain occasionally, and they do lose some mail. But, when I think about the scope and scale of what they do right, it does boggle my mind.
I hear ya there.
The USPS could learn a thing or two about accuracy and error-prevention from Slashdot.
fnord
Obliteracy: Words with explosions
I recieved my official danish digital certificate(x.v509) by getting two pin codes. One via snail mail and the other when I ordered the certificate via the web. Both had to be typed in to recieve the certificate via mail.
Seems pretty secure to me.
The only thing it works for so far is tax stuff, and mail.
still reading?
The USPS' idea for certified proofing for digital signatures is in the right direction for securing financial transactions, helping to prevent spam (in the case of accepting emails only e-signed from registered people), but initiating such a project will bring the US closer to a National ID card.
/required/ to register with the USPS in order to take advantage of the online filings with the IRS. Sure, but what if people just file in paper? Without a doubt, the government will then ad a fee to paper filings to encourage taxpapers (everyone) to register with the USPS service.
By attaching services such as online tax refunds or filings, the public will be
Let me see your papers, please!
2.1 Eligibility For a Certificate Authority (CA) to use IPP, the CA must incorporate the U.S. Postal Service In-Person Proofing Policy into their Certificate Policy. Conformance to the Postal policy includes: 1. Use of a Patriot Act compliant database vetting process to gain initial assurance of an applicant's identity before sending the applicant to the Postal Office for IPP.
Yay, more data to shove into the Patriot Act machine. What a bargin!
Agent: (slowly) May I help you?
User: I'd like to get a certified digital ID.
Agent: (slowly) Okay, please go to the back of the room and fill out form 2219. When you're done, please bring it back to the front.
User searches a while
User: Where's the form?!
Agent: (slowly) If it's not there, we're out. You can always call 1-800-ASK-USPS for more information.
User: But they told me to come here! You have to verify my ID!
Agent: (very slowly) I'm sorry, you'll have to speak to the manager. He's gone for the day. You'll have to come back Monday at 10 am.
User: AAAAIIIEEEEEEE!!!!! runs screaming from the post office
Yeah, this will be a big hit.
Definitely Verisign. The USPS doesn't think it's funny when they accidentally release your property to someone else (see also: sex.com). In fact, rumor has it that having the Postal Inspectors storm your house is not as funny as it sounds (i.e., 30 guys in attack armor carrying assault rifles vs. 5 guys like Cliff from "Cheers").
Dewey, what part of this looks like authorities should be involved?
I swear on my grandmother grave that I saw "In-Person Shooting" when I first read it.
A few less FPS games for me, I think. More Super Mario Sunshine and Animal Crossing for a while.
Well, I have a 5-day weekend ahead of me. You all play nice.
--- Ban humanity.
This is just what I've been looking for!
(start playing the sad story music, if you have any - Michael Jackson stuff will work real well here)
You see, I've had sort of an identity crisis - not really sure who I am. The post office can finally change that. They can authenticate me, and authenticate who I am. No more wandering willy-nilly.
(at this point please begin playing some patriotic music to get the full effect of the message)
With the post office as my guide, I will rise to the brink of a better tomorrow and boldly go forth to face my dreams because I am authenticated!
Thankyou, US post office. The world is in your debt.
Mod me down and I will become more powerful than you can possibly imagine!
1) How well will this work with other authtication techniques? (ie. if other postal systems start this, will there be interoperability? If so, who coordinates this?)
2) How good is the procedure to replace a lost/stolen certificate?
3) What good is this for people not in the US?
4) If someone lives in the US, gets one of these, and then moves, can it still be updated/replaced?
5) I forget the other question.
Granted, I only skimmed the article, so I may have missed the answers, but still....
Now, if that makes sense to anyone, could you please explain it to me? I think I've confused myself.
Comment removed based on user account deletion
Great. Just great. Now I get to deal with the Post Office and Verisign when I want to lock down an SSL site.
Please shoot me.
Dewey, what part of this looks like authorities should be involved?
I hate X.509. It's cumbersome and weird (that extra 'cert request' step), while also being functionally lame (only one signature, and you have to either completely trust it or not). Why anyone would want to use that when there's something so much better available (OpenPGP), is beyond me.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Actually a division of the US DOD? Bullshit. From the USPS web site:
United States Postal Service
The Post Office Department was transformed into the United States Postal Service, an independent establishment of the executive branch of the Government of the United States. The mission of the Postal Service remained the same, as stated in Title 39 of the U.S. Code: "The Postal Service shall have as its basic function the obligation to provide postal services to bind the Nation together through the personal, educational, literary, and business correspondence of the people. It shall provide prompt, reliable, and efficient services to patrons in all areas and shall render postal services to all communities."
The new Postal Service officially began operations on July 1, 1971. At that time, the Postmaster General left the Cabinet, and the Postal Service received:
* Operational authority vested in a Board of Governors and Postal Service executive management, rather than in Congress.
* Authority to issue public bonds to finance postal buildings and mechanization.
* Direct collective bargaining between representatives of management and the unions.
* A new rate-setting procedure, built around an independent Postal Rate Commission.
Title 39, the Postal Reorganization Act, also vested direction of the powers of the Postal Service in an 11-member Board of Governors. Nine members (the Governors) are appointed by the President, by and with the advice and consent of the Senate. They serve staggered nine-year terms, and no more than five Governors may belong to the same political party. Governors are chosen to represent the public interest generally, may not represent specific interests using the Postal Service, and may be removed only for cause.
Complaints will be handled by people too slow to work at the Department of Motor Vehicles.
I repeat the following story every time I hear someone insult a postal worker.
One day I needed to get something in the mail THAT day, and I wasn't able to get down to the post office. I caught the mailman as he was driving up to the mailbox, and handed him the letter. Except I didn't have enough postage- I had forgotten about the rate increase that had happened recently.
Now, if the guy had wanted to be an asshole, he could have refused it- but he said "you got any change? I'll put the extra postage on it when I get in" I had a quarter on me, gave it to him, and was happy that I had probably still spent less money than the gas it would have taken to get to the post office and back.
What bowled me over was that the next day, he parked, came to the door, and handed me change. I was blown away that he bothered for such a small amount, and had expected him to (rightfully, far as I was concerned) pocket the 15-20 cents for the trouble of having to 'buy' and slap on an extra stamp for me.
NOW, if you want to see how patient postal employees are, see what these guys did. It is incredibly funny(the part about the sender trying to argue they should get money BACK for shipping a balloon is hilarious), but there's a serious message in their absurd little experiment(which involved shipping bricks, hammers, dead fish+seaweed, etc), and I'll include their conclusion here:
First, this experiment yielded a 64% delivery rate (18/28), an almost two-thirds success rate. (For our purposes, "delivery" constituted some type of independent handling by the USPS and subsequent contact regarding the object, regardless of whether we got to see or keep the object or whether it arrived whole.) This is astounding, considering the nature of some of the items sent. This compares with a 0% rate of receipt of fully wrapped packages from certain countries of the developing world, such as Peru, Turkey, and Egypt. Admittedly, those were international mailings, and thus not totally comparable; nevertheless, the disparity is striking.
Second, the delivery involved the collusion of sequences of postal workers, not simply lone operatives. The USPS appears to have some collective sense of humor, and might in fact here be displaying the rudiments of organic bureaucratic intelligence.
Finally, our investigation team felt remorse for some of its experimental efforts, most particularly the category "Disgusting," after the good faith of the USPS in its delivery efforts. We sought out as many of the USPS employees who had (involuntarily) been involved in the experiment as we could identify, and gave them each a small box of chocolate.
We, and all scientists, owe a debt of gratitude to these civil servants. Without them, we would have had but little success in pushing the envelope.
Please help metamoderate.
Market droid talk. If they are so good why does the post office need to get into it? Other talk about "demand", "unique service opportunity" and trusted computing has my back up. It's all so Microsoft sounding. But that's just the beginning.
They are going to use "comercial database checking", and the databases must be "Patriot Act Compliant". While the commmercial database check looks like coroprate welfare, it the Patriot act part looks like a land grab. What, besides any old G-man clerk having the athority to look at all of your data, constitues Patriot Act Complience?
The authentication method is first class mail. and a file that dissapears in four years. I'm not going to think very hard about all the ways to defruad the post and defeat this system, but mail fraud is still a common problem. The dissapering file is the real clincher. What "top quality private sector bussines" has a patent on DRM OS and has been touting files that expire as a means to "trusted computing"?
Having a certificate athority is good. Using that need as a means to nationalize software, usurp private databases, funnel tax money into private hands and foce everyone to use propriatory software is not good. The system needs to be run on proven free and open standards in a non-revocable manner.
The USPO is going to have to do better than that to win my trust. I've got one Microsoft machine for talking to an old camera and a scanner. I don't let it see the internet because it's so easy to break and own. Any plan that would force me to use software I don't trust for ecommerce is a plan I don't trust or want.
Two years ago, some moron told me that the US government would make it illegal to run anything but Microsoft software. He actually thought this was a good idea and was convinced it would happen. I told him that would violate the first amendment rights to free speech, and effectivly nationalize general purpose computing and such laws were laughably unAmerican. I'm not laughing anymore.
Someone tell me I'm just paranoid, please.
Friends don't help friends install M$ junk.
I was actually one of the developers of this project (three years ago), and it is funny to see that they are finally "announcing" it.
The idea is simple, and it is actually a useful service that the USPS has the resources to provide, if they actually go through with it. Whereas SSL only authenticates the server (among other things, of course), the allocations for client authentication in SSL are optional and very rarely used. All the client needs for this is its own digital certificate, just like the server has its certificate.
So, to get an SSL certificate, we (whether we like it or not) trust the various CAs to make certain that they are granted to the rightful owners. When it comes to client certificates, the scope of the problem becomes much larger, because you are authenticating people rather than domains. If you fail to properly identify someone before issuing the digital certificate, the point is lost.
The USPS has post offices all over the US (their only country of concern in this case), and this fact provides the perfect platform for authenticating people. Just as with Passports, you must prove your identity in person before being authenticated.
How do the pieces fit together? Well, it is fairly simple, but it involves a lot of existing systems, some of which are aging. You register online (providing much personal information, including what forms of ID you will be bringing with you). This generates a letter that is sent to your address (verifying your address in the process). You take this letter to the post office, and if you pass the in-person proofing, the clerk scans the barcode on the letter. This scan makes its way back to the system in about 24 hours, and then your digital certificate is generated. An email is sent to let you know, and you can then download it from the Web site after logging in.
At any rate, I still think the general idea is a good one, and this would be a useful service for a lot of people. I hope it is successful.
"Funny, they don't seem to always know where to deliver so-called first-class mail ..."
No, not very funny. Rather clueless. Did you know that the USPS has domestic airlines carrying mail?
I can't even count the times I've found stray (or lost) bags of mail in aircraft. One of my many job functions when I worked for a ground handling company was to make sure that mail for Anchorage actually got *on the right aircraft* and didn't wind up on a flight to Miami. We'd actually check behind the belly toolbox on that old nasty DC-8 looking for mail bags.
Ever seen a 55' truck back up to a DC-6? Yes, folks. Bulk loading 33,000lbs of mail into a friggin DC-6 bound for northern Alaska.
Sure, mail gets lost sometimes, but it's not always the fault of the USPS.
Delivery of a two-pound, 20"x15"x2" package from California to London:
UPS: $66 (2-5 days)
FedEx: $65 (4-5 days)
USPS: $15 (4-6 days)
You can guess who I went with. It took four days to get there.
You can never go home again... but I guess you can shop there.
If we can't screen out millions of illegal aliens who manage to come to the U.S. and present documents that are good enough to let them satisfy the government's requirements to prove to an employer that they are eligible to work in the U.S., how is this going to be better? If the answer is "better documents," how come we aren't requiring those better documents to be presented to the employers?
Hong Kong Post office is teaming up with the government to offer the same thing, this has been available for over a year now. Refer to this link.
The Hong Kong Government has recently roll out a renew plan for all citizens to renew their ID card (mandatory, must be on the person at all times). This new ID card is a smart card which also allow storage of digital cert.
Because of this mandatory ID, the cert roll out plan (storage and distribution) is relatively easier than other countries.