Slashdot Mirror
USPS Providing Electronic Postmarks
isn't my name writes "Back in 2000, Clinton signed the ESIGN Legislation which set forth the requirements for making electronic signatures. But many questioned the weakness of its definitions that allowed an e-mail address to be used as an electronic signature. Well, it seems the USPS has come up with something stronger. They even have a Java and MS COM SDK's Apparently, the USPS feels that the strong legal protections against interfering with the US mail will apply to the EPM program. It seems that AuthentiDate is doing all the heavy lifting. According to the whitepaper on their site, it provides non-repudiation and legal timestamps of documentation by having the customer use a public-key to sign a hash of the document, which is then sent to AuthentiDate's servers which combine that with a timestamp and sign with their key. So, AuthentiDate does not have access to any of the data in the documentation. It sounds very similar to the free PGP Digital Timestamping Service, but it likely is more likely to be legally defensible in a US Court. They also have a new plug-in for MS Word documents. Interestingly, despite the mention of the SDK and it's ability to work with any documents, the only login setup I could find just allows you to use the MS Word version."
I've been working on something similiar for another division of the US government.
;).
The biggest thing driving this are two issues:
1. Government Paperwork Eliminiation Act - signed by Clinton, it basically tells the various agencies:
1. "reduce paperwork by having forms available online".
2. "When possible, have those forms electronically signed."
The problem is that most government agencies, except maybe the IRS, and then in limited form, really don't have any kind of system set up for doing #2. They're getting pretty good at #1 (having documents available online), but #2 has been a challenge.
The biggest challenge is initial setup. For the Department of Agriculture, you can do electronic signatures over the web. But first you must physically show up at one of their offices, validate your identify, and then you're good to go.
That works all right for them, but suppose you're somebody like the IRS, with around, oh, 200 million "clients". Now you have to process them all, validate their identity which means having them show up at a local office (long lines and all). Then there's the issue of what system to use, validation procedures, how to keep Joe American from forgetting their password, and if they lose it, how do they get it back in a way that's secure and doesn't cost a lot of money?
2. Money. Believe it or not, most people in government agencies really want to save money, not spend all of it.
Honest.
So by having electronic signatures, they can reduce paperwork, install workflow systems so that when a document is digitally signed it can be forwarded right to the people who need to see it to be reviewed in minutes instead of days, without all the messy paper getting lost and so on.
I'll probably be checking out the USPS's system to see what they do. If it's reasonable, secure, ensures privacy, and truly has an open API that would allow other agencies to develop systems based on it, it may be the electronic signature "standard" that some government agencies are looking for.
Guess I'd better RTFA now
52 Weeks, 52 Religions with John Hummel
That it's word only ATM (as far as I also can find out from the site) is irrelevant... Well, nearly so. With the Java SDK any application from any OS appearently can easily be enhanced with their Electronic Postmark capabilities.
What I'm wondering about is the "Nationwide reach and trust" point they list in "Benefits of EPM".
Does the strong encryption make it illegal to use this for international communications?
I'm a dreamer, the world is my playpen. But hey, I'm a serious person, I can't dream all the time.
I am sick and tired of having to FAX my damn signature around the place
1. print the form
2. sign it
3. scan it
4. fax it
I mean, come on - how outdated is this method?
If the Banks let us use online banking to transfer all our money around, surely a digital signature system can be built.
But then, I am not an encryption expert so what do I know.
You can't expect to wield supreme executive power, just because some watery tart threw a sword at you
My only comment to this is that fact that for it to really work each person who uses it will need a (public) key. In order for that to work you need to validate the users' identity.
Does this mean that I will goto my local post office and sign-up, get I&A (Identification and Authentication) done and then get my key?
Are the keys real public keys ie: PKIX and PKCS standards?
Actually Word is not suitable for the purpose anyway. A word document may contain macros and scripting which change the way the content is rendered *after* it is signed.
So be very careful when you trust a digital signature on a word document, next week it may say something quite different...
I think depending on a regulated email system like this to prove legal timestamping is foolish. Any number of things can delay an email - would you send your taxes by email five minutes before they were due? If a late timestamp meant a fine?
Typos... that's just how I role.
You know, using such a service to put a date on your sourcecode is a good idea in case you ever end up having to prove when you first coded it (or at least, had it in your possesion); for example, if you need to go after a company stealing your code (GPL non-compliance) or if a company comes after you (SCO?).
SCO employee? Check out the bounty
I couldn't find any price quote for the SDK: just a contact. I'm assuming with the USPS' budget problems, that they'll charge for this.
Does anyone know if they're charging and how much?
There is no spoon or sig.
And of course, there is a free PGP timestamping service, but unfortunately, that does not have the backing of the USPS.
Anyone know of something similar that is cheap?
I know that a lot of people reading /. hates copyrights and patents... but of these digital postmarks stand up in court, they can be of great benefit to individuals and small entrprenurs in their efforts to compete with 'the big guys'
... and possibly give others the confidence to share their creations.
People can publish their ideas, essays, music on the internet complete with a copy of the digital postmark, and should a big fish try to patent or claim copyright or patent on the material, the small-time individual can point at the digital postmask and prove their ownership.
I personally would support this... I would love to be able to share some of the ideas I have - but I do not want someone else to come along and try to patent them or claim that it was their's first. Such a digital postmark would give me the confidence to share
Just my 2cents worth.
-- The universe began. Life started on a billion worlds...
-- Except on one where stupidity was there first.
Tampering by a macro or script would change the file, thereby making it incompatible with the hash, no?
Not necessarlity. If you have a macro that re-writes the document, the hash would change, and the tampering would be caught.
But: If you make a macro that doesn't change the contents of the file, but rather a macro that changes just the view, the hash would be the same.For example: You write a document that contains both correct and false information. Before a certain time, the correct information is shown. If you open the document after a specified date, the macro changes what is shown to the reader.
For this wanishing ink to work
- it must be possible to write such a macro.
- the reader must trust all macros.
- the reader must not be savvy enough to examine the raw word file.
Irene KHAAAAAAN!
In UK, the move to digital signature was pioneered by Inland Revenue (IRS for Americans). The Government's Gateway provides the digital certificate, which then can be used to digitally sign online forms.
However there were concerns that the implementation is too proprietary, risking dependence to few vendors. Considering what the Gateway's doing, I think these concerns are valid.
There were also little silliness along the way, such as the 50 poundsterling discount by Inland revenue (IRS for Americans) if you submit your tax online and sign it with your certificate BUT the certificate itself cost 50 poundsterling as well, etc.
But I haven't followed it for quite a while now, hopefully things are better now.
There's probably a sourcecode escrow service like that somewhere (perhaps sourceforge?), or you can register it with the US copyright agency, whatever it's called (as a literary work).
The WGA (Writer's Guild of America) lets you email in a file in whatever format, they timestamp it and will support you in court, let you download it whenever (as a backup).
I believe it's free if you're a member, or ~50 US$ otherwise, but I'm not sure how long they keep it. At least 10 years, and I think more like 30 or 50.
In the protocol descriptions, the customer who wants to sign a document first produces a hash and signs that. That is sent to the USPS who combines it with a timestamp and then signs the whole thing.
So, you can verify the persons signature and verify the time that it was submitted for an electronic postmark. Based on the language in their whitepaper, they are really looking at setting up a system that is as legally strong in court as a physical signed document.
I do wonder about the fact that they are only keeping the verification data online for seven years, though.
The grass is only greener, if you don't take care of your own lawn.
Can somebody explain to me how a Microsoft Advertisement landed itself on a Government website (https://www.uspsepm.com/epm/epm_office_ext/index. htm)? The domain is owned by the USPS. Am I missing something here? I was under the impression that commercial advertising was not permitted on government help domains...
No more blocklists a la SPEWS...