Slashdot Mirror


USPS Providing Electronic Postmarks

isn't my name writes "Back in 2000, Clinton signed the ESIGN Legislation which set forth the requirements for making electronic signatures. But many questioned the weakness of its definitions that allowed an e-mail address to be used as an electronic signature. Well, it seems the USPS has come up with something stronger. They even have Java and MS COM SDKs. Apparently, the USPS feels that the strong legal protections against interfering with the US mail will apply to the EPM program. It seems that AuthentiDate is doing all the heavy lifting. According to the whitepaper on their site, it provides non-repudiation and legal timestamps of documentation by having the customer use a public-key to sign a hash of the document, which is then sent to AuthentiDate's servers which combine that with a timestamp and sign with their key. So, AuthentiDate does not have access to any of the data in the documentation. It sounds very similar to the free PGP Digital Timestamping Service, but it is more likely to be legally defensible in a US Court. They also have a new plug-in for MS Word documents. Interestingly, despite the mention of the SDK and its ability to work with any documents, the only login setup I could find just allows you to use the MS Word version."
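
The scheme the summary describes (the customer signs a hash of the document, the service binds that to a time and countersigns) can be sketched as follows. This is an added example, not code from the post, the USPS or AuthentiDate: Ed25519 and SHA-256 are assumed stand-ins for whatever the real service uses, and the `Token` layout and all function names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Token is what the service returns; field names and layout are hypothetical.
type Token struct {
	DocHash              [32]byte // SHA-256 computed by the customer
	ClientSig, ServerSig []byte   // customer signs DocHash; service signs payload
	Unix                 int64    // time asserted by the service
}

// payload is the fixed-width byte string the service signs: hash || sig || time.
func payload(t Token) []byte {
	ts := make([]byte, 8)
	binary.BigEndian.PutUint64(ts, uint64(t.Unix))
	return append(append(t.DocHash[:], t.ClientSig...), ts...)
}
// ClientRequest runs at the customer: only the hash and signature leave the machine.
func ClientRequest(priv ed25519.PrivateKey, doc []byte) ([32]byte, []byte) {
	h := sha256.Sum256(doc)
	return h, ed25519.Sign(priv, h[:])
}
// ServerStamp runs at the service, which never sees the document itself.
func ServerStamp(srv ed25519.PrivateKey, cust ed25519.PublicKey, h [32]byte, sig []byte, now int64) (Token, error) {
	if !ed25519.Verify(cust, h[:], sig) {
		return Token{}, fmt.Errorf("customer signature does not verify")
	}
	t := Token{DocHash: h, ClientSig: sig, Unix: now}
	t.ServerSig = ed25519.Sign(srv, payload(t))
	return t, nil
}

// Verify is the relying party's check: document, customer and time must all match.
func Verify(doc []byte, t Token, cust, srv ed25519.PublicKey) bool {
	return sha256.Sum256(doc) == t.DocHash && ed25519.Verify(cust, t.DocHash[:], t.ClientSig) && ed25519.Verify(srv, payload(t), t.ServerSig)
}

func main() {
	cpub, cpriv, _ := ed25519.GenerateKey(nil)
	spub, spriv, _ := ed25519.GenerateKey(nil)
	doc := []byte("constructed sample contract text")
	h, sig := ClientRequest(cpriv, doc)
	tok, err := ServerStamp(spriv, cpub, h, sig, 1100000000) // constructed time
	fmt.Println(err, Verify(doc, tok, cpub, spub), Verify([]byte("altered"), tok, cpub, spub))
}
```

Because the service signs the hash, the customer's signature and the time together, changing any one of them after the fact makes verification fail.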

13 of 164 comments

  1. Is it really a postmark? by manganese4 · Score: 3, Insightful

    Is calling the service a postmark truly correct in the traditional use of the postal service? This just looks like a Government sponsored notary service.

    Now if we can get a true email version of registered mail where every server in the chain signs the message, that would be something useful.

    --
    I make my face look like this and concerned words come out.
  2. What did you not get about "Java SDK"? by brunes69 · Score: 4, Insightful

    You think, that if this were in any way influenced by MS, there would be a Java SDK? MS hates Java.

    Just because the first sample implementation is in Word, doesn't imply there is some conspiracy. The USPS probably uses Word internally and wanted to make the sample useful for them. With the Java SDK you could use this in Linux, FreeBSD, hell even embedded applications.

    Take off your tinfoil hat.

  3. Government waste by nuggz · Score: 2, Insightful

    Of course the USPS should sponsor a company to do this.
    Much better than just working with the existing projects.

  4. Re:The sooner they get this working the better... by Rosco P. Coltrane · Score: 2, Insightful

    Or maybe it is not completely legal to not actually use a real pen?

    Do you think the guy who signs paychecks in big companies actually uses a pen? Or the guy at CompUSA responsible for signing all those mail-in rebate checks?

    As for the guy who receives your fax, unless you slap a 5x5 GIF of your signature on the hi-def document, he'll be hard pressed to know it's not actually written then faxed.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  5. Re:Registering your code.. by dimitri_k · Score: 2, Insightful

    You could also snail mail yourself a printout.

    --
    sig is
  6. Re:Something Similar by Rosco P. Coltrane · Score: 2, Insightful

    somebody like the IRS, with around, oh, 200 million "clients". Now you have to process them all, validate their identity

    They've already given keys to everybody: it's called the SSN. [sarcasm]Surely if it's a valid enough proof of identity for banks, it's usable as a digital signature by the IRS. Right? Right?[/sarcasm]

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  7. Re:Something Similar by chefbb · Score: 5, Insightful

    After perusing the white paper, it looks like the USPS solved this issue by having the user apply online for a digital certificate. Then they print out a form and authenticate themselves at a local post office, then they can download their DC. It's interesting that the post office is probably one of the few federal agencies capable of making this work, due to their presence in every community.

    The obvious breakdown with this is that someone could potentially gain access to a user's computer and steal their DC. What about Joe User who runs Windows 98 and is unaware of his spyware? It's easily as secure as an old-fashioned signature, though. So maybe that's good enough.

    I have to say that it does look like the USPS thought things through rather well on this one. They made it as easy as possible while still focusing on security.

  8. How bout a webservice by Anonymous Coward · Score: 3, Insightful

    Instead of making clients use Java... this should be a simple webservice. Submit a document, get back timestamped document. That way you could do it from pretty much any platform.

  9. Re:That's a lot of keys by *weasel · Score: 4, Insightful

    Biometrics don't actually scare the pants off identity thieves.

    Work for a bank some time, and note how casually and willingly people will put their fingerprint on a forged check. Not that you'll know when they try to pass it. Everything will be in order, everything will look right. They won't hesitate to hand you an ID and print.

    Then you'll hand them the cash, and a week later the branch will be kicking itself.

    Maybe they realize that the fingerprint is useless (unless you have a criminal record, there's nothing they can compare it against, and they don't have the horsepower to perform a pre-transaction search through a national database).

    Maybe they're dumb.

    Who knows - but a biometric just doesn't bother them. It would however bother piles of citizens' groups, if the government were to start fingerprinting non-criminals. Well, that's how they'd spin it anyway. And maybe they'd have a point.

    What was Slashdot's philosophic argument against DRM anyway? Treating all your paying customers as potential criminals is bad business?

    --
    // "Can't clowns and pirates just -try- to get along?"
  10. is it public or open source? by LEPP · Score: 2, Insightful

    This might be a little hypersensitive but I feel a little nervous about putting this signature system in the hands of a company with no proof that the code or the process is secure. I know OS code is not flawless but at least it can be peer reviewed. Also, what if the company goes out of business? I have no problem with a company managing the signatures, but I am just a little apprehensive about betting only on the future of a company. Also, this does not seem even a little bit innovative. Essentially they are talking about doing a digital signature. We were doing very similar projects in my CS security class using OS security tools. Digitally signing a hash is nothing new. Maybe I am being naive, but I don't think so. If I am being naive, please explain how.

    LEPP

  11. Re:"Wanishing ink" by way2trivial · Score: 2, Insightful

    -and must not check after the fact
    If I'm told I 'signed off on it' and it turns out to be inverted as to meaning, I can then check the raw file, evidence of what was displayed when I signed would be there, or again-- the hash fails the check.

    --
    every day http://en.wikipedia.org/wiki/Special:Random
  12. Linux Version? by gsperling · Score: 2, Insightful

    And how long before a Linux version and applicable plug-in is available for OpenOffice.org? I mean, I'd love to be able to take advantage of this type of technology, but until it's ported to Linux, it's of no use to me!

  13. This should be free in Star/OpenOffice or PDFs by dalesun · Score: 2, Insightful

    Sun could easily gain a huge advantage for StarOffice (over Microsoft Office) by offering this feature for free in StarOffice. It should be easy to develop and very cheap to provide.

    Perhaps a simple timestamp/hash version could be included in the free OpenOffice, with a more advanced certificate-based or user-ID-authenticated option in StarOffice.

    This would also be perfect for Adobe to offer for Acrobat PDF files.

    If free and non-proprietary, it would quickly become a popular standard, and perhaps THE standard.