Slashdot Mirror


USPS Providing Electronic Postmarks

isn't my name writes "Back in 2000, Clinton signed the ESIGN Legislation which set forth the requirements for making electronic signatures. But many questioned the weakness of its definitions that allowed an e-mail address to be used as an electronic signature. Well, it seems the USPS has come up with something stronger. They even have Java and MS COM SDKs. Apparently, the USPS feels that the strong legal protections against interfering with the US mail will apply to the EPM program. It seems that AuthentiDate is doing all the heavy lifting. According to the whitepaper on their site, it provides non-repudiation and legal timestamps of documentation by having the customer use a public-key to sign a hash of the document, which is then sent to AuthentiDate's servers which combine that with a timestamp and sign with their key. So, AuthentiDate does not have access to any of the data in the documentation. It sounds very similar to the free PGP Digital Timestamping Service, but it is more likely to be legally defensible in a US Court. They also have a new plug-in for MS Word documents. Interestingly, despite the mention of the SDK and its ability to work with any documents, the only login setup I could find just allows you to use the MS Word version."


  1. Something Similar by Dark+Paladin · · Score: 5, Interesting

    I've been working on something similar for another division of the US government.

    The biggest things driving this are two issues:

    1. Government Paperwork Elimination Act - signed by Clinton, it basically tells the various agencies:
    1. "reduce paperwork by having forms available online".
    2. "When possible, have those forms electronically signed."

    The problem is that most government agencies, except maybe the IRS, and then in limited form, really don't have any kind of system set up for doing #2. They're getting pretty good at #1 (having documents available online), but #2 has been a challenge.

    The biggest challenge is initial setup. For the Department of Agriculture, you can do electronic signatures over the web. But first you must physically show up at one of their offices, validate your identity, and then you're good to go.

    That works all right for them, but suppose you're somebody like the IRS, with around, oh, 200 million "clients". Now you have to process them all, validate their identity which means having them show up at a local office (long lines and all). Then there's the issue of what system to use, validation procedures, how to keep Joe American from forgetting their password, and if they lose it, how do they get it back in a way that's secure and doesn't cost a lot of money?

    2. Money. Believe it or not, most people in government agencies really want to save money, not spend all of it.

    Honest.

    So by having electronic signatures, they can reduce paperwork, install workflow systems so that when a document is digitally signed it can be forwarded right to the people who need to see it to be reviewed in minutes instead of days, without all the messy paper getting lost and so on.

    I'll probably be checking out the USPS's system to see what they do. If it's reasonable, secure, ensures privacy, and truly has an open API that would allow other agencies to develop systems based on it, it may be the electronic signature "standard" that some government agencies are looking for.

    Guess I'd better RTFA now ;).

    1. Re:Something Similar by Rosco+P.+Coltrane · · Score: 2, Insightful

      somebody like the IRS, with around, oh, 200 million "clients". Now you have to process them all, validate their identity

      They've already given keys to everybody : it's called the SSN. [sarcasm]Surely if it's a valid enough proof of identity for banks, it's usable as a digital signature by the IRS. Right? Right?[/sarcasm]

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    2. Re:Something Similar by chefbb · · Score: 5, Insightful

      After perusing the white paper, it looks like the USPS solved this issue by having the user apply online for a digital certificate. Then they print out a form and authenticate themselves at a local post office, then they can download their DC. It's interesting that the post office is probably one of the few federal agencies capable of making this work, due to their presence in every community.

      The obvious breakdown with this is that someone could potentially gain access to a user's computer and steal their dc. What about Joe User who runs windows 98 and is unaware of his spyware? It's easily as secure as an old-fashioned signature, though. So maybe that's good enough.

      I have to say that it does look like the USPS thought things through rather well on this one. They made it as easy as possible while still focusing on security.

    3. Re:Something Similar by vaguelyamused · · Score: 3, Informative
      Actually the Postal Service is not really privatized. The Postmaster General is still an appointed position, they do not pay taxes to local or federal governments nor abide by labor standards set forth for private companies. That said their budget is entirely separate from the federal budget, they receive absolutely no tax money and are expected to be self-sufficient. Their employees are federal workers in the civil service system however and are entitled to all benefits as such.

      They aren't allowed to keep all of their profits either though. In years they make too much money the federal government takes most of it for general revenue. Additionally the USPS has to comply with all kinds of draconian rules set by Congress (see Franking privileges).

      So you see they aren't privatized, their leadership is federally appointed and the workers federal employees but the USPS is not completely integrated into the federal government (like..say..the Park Service).

      --
      STOP ROCK VIDEO
  2. Word only irrelevant by Esteanil · · Score: 5, Interesting

    That it's word only ATM (as far as I also can find out from the site) is irrelevant... Well, nearly so. With the Java SDK any application from any OS apparently can easily be enhanced with their Electronic Postmark capabilities.
    What I'm wondering about is the "Nationwide reach and trust" point they list in "Benefits of EPM".
    Does the strong encryption make it illegal to use this for international communications?

    --
    I'm a dreamer, the world is my playpen. But hey, I'm a serious person, I can't dream all the time.
    1. Re:Word only irrelevant by lwsimon · · Score: 3, Interesting

      Does the strong encryption make it illegal to use this for international communications

      Good point, I'll research it and check back by tonight... Would be quite ironic if USPS was a "weapons exporter" via the downloads on its site :)

      --
      Learn about Photography Basics.
  3. The sooner they get this working the better... by MrRTFM · · Score: 5, Interesting

    I am sick and tired of having to FAX my damn signature around the place

    1. print the form
    2. sign it
    3. scan it
    4. fax it

    I mean, come on - how outdated is this method?
    If the Banks let us use online banking to transfer all our money around, surely a digital signature system can be built.

    But then, I am not an encryption expert so what do I know.

    --
    You can't expect to wield supreme executive power, just because some watery tart threw a sword at you
    1. Re:The sooner they get this working the better... by Rosco+P.+Coltrane · · Score: 2, Interesting

      This may help you:

      1 - Open document in Gimp or PS
      2 - Sign it with your mouse (tricky) or your graphic tablet (well worth the investment, if only for this application)
      3 - print document to fax printer device

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    2. Re:The sooner they get this working the better... by WARM3CH · · Score: 2, Interesting

      Or even better: just insert a previously scanned photo of your signature. Or maybe it is not completely legal to not to actually use a real pen? ;)

    3. Re:The sooner they get this working the better... by AndroidCat · · Score: 3, Interesting
      I've always wondered what loony decided that faxing a signature was in any way secure. Possibly it was mildly secure when there were only fax machines and no computers with fax modems, scanners and editing software. (Although a literal cut'n'paste would still foil it back then.)

      I've got a contract that I have to "sign" with this idiotic method today. Joy, but they're paying me so... Has "fax signing" stood up to any real test in court?

      As for this new method .. can't be worse.

      --
      One line blog. I hear that they're called Twitters now.
    4. Re:The sooner they get this working the better... by Rosco+P.+Coltrane · · Score: 2, Insightful

      Or maybe it is not completely legal to not to actually use a real pen?

      Do you think the guy who signs paychecks in big companies actually uses a pen? Or the guy at CompUSA responsible for signing all those mail-in rebate checks?

      As for the guy who receives your fax, unless you slap a 5x5 GIF of your signature on the hi-def document, he'll be hard pressed to know it's not actually written then faxed.

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    5. Re:The sooner they get this working the better... by Rosco+P.+Coltrane · · Score: 5, Interesting

      (Dont mind me - I've had a personal vendetta against fax verification since 1996)

      I'm with you right there.

      Anyway, it doesn't matter much, because since everybody requires people to sign this or that, signatures aren't worth crap anymore. For example, I signed someone else's $1200 credit card slip once (my boss', he had used his credit card to stick me in a hotel for 1 month on a business trip, but left before me, so I signed it myself when I checked out): I didn't know his signature, so I just used mine. Totally and obviously not his name at all. Neither the hotel nor his bank ever said anything at all. They only check if the account holder complains.

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    6. Re:The sooner they get this working the better... by sangreal66 · · Score: 2, Informative

      You're faxing it anyway so it will be printed on the other end regardless

    7. Re:The sooner they get this working the better... by trentblase · · Score: 2, Interesting

      Faxing is still better than what a small merchant does when you place an order over the phone. They write "phone order" on the slip.

  4. That's a lot of keys by MadSweeper · · Score: 5, Interesting

    My only comment to this is the fact that for it to really work each person who uses it will need a (public) key. In order for that to work you need to validate the users' identity.
    Does this mean that I will go to my local post office and sign up, get I&A (Identification and Authentication) done and then get my key?
    Are the keys real public keys ie: PKIX and PKCS standards?

    1. Re:That's a lot of keys by Dark+Paladin · · Score: 3, Interesting

      Most likely, yes. If they do it right, you should fill out a form online, get some sort of number or perhaps a barcode printout, take it to a USPS center where they will validate you with a picture ID (driver's license), then give you access to your keys, perhaps through a username/password combination.

      Why this way? Remember: lying to the post office is a Federal Offense, and can get you jail time. That's why they like the whole "make you show up" concept: it (should) keep people from being naughty, especially if they take the extra step and request a fingerprint or some other biometric that will scare the pants off of most would-be identity thieves.

    2. Re:That's a lot of keys by MadSweeper · · Score: 3, Interesting

      As you say: If they do it right
      I have been dealing with PKI for 7 years now and still have not seen an implementation that would work on a large scale. It works in corporations where there aren't that many people.
      I suppose we should look at how different Revenue Departments do it. I know that there are countries that allow their citizens to submit their tax returns across the internet. However, many of these systems don't use a real PKI.

      One of the questions that I have been struggling with is the usability of current PKI systems. Technology exists to do wonderful things (not just in PKI) but the general public is not able to, or does not want to, understand and/or use it.

      Oh yeah, regarding Banks. They don't use it and they just put the burden on the customer by saying you are using this system at your own risk...

    3. Re:That's a lot of keys by *weasel · · Score: 4, Insightful

      Biometrics don't actually scare the pants off identity thieves.

      Work for a bank some time, and note how casually and willingly people will be to put their fingerprint on a forged check. Not that you'll know when they try to pass it. Everything will be in order, everything will look right. They won't hesitate to hand you an ID and print.

      Then you'll hand them the cash, and a week later the branch will be kicking itself.

      Maybe they realize that the fingerprint is useless (unless you have a criminal record, there's nothing they can compare it against, and they don't have the horsepower to perform a pre-transaction search through a national database).

      Maybe they're dumb.

      Who knows - but a biometric just doesn't bother them. It would however bother piles of citizens' groups, if the government were to start fingerprinting non-criminals. Well, that's how they'd spin it anyway. And maybe they'd have a point.

      What was Slashdot's philosophic argument against DRM anyway? Treating all your paying customers as potential criminals is bad business?

      --
      // "Can't clowns and pirates just -try- to get along?"
  5. Word Macros by Anonymous Coward · · Score: 3, Interesting

    Actually Word is not suitable for the purpose anyway. A word document may contain macros and scripting which change the way the content is rendered *after* it is signed.

    So be very careful when you trust a digital signature on a word document, next week it may say something quite different...

    1. Re:Word Macros by Esteanil · · Score: 2, Informative

      "only a hash code of the file is logged as evidence of authenticity." -About EPM

      Tampering by a macro or script would change the file, thereby making it incompatible with the hash, no?

      --
      I'm a dreamer, the world is my playpen. But hey, I'm a serious person, I can't dream all the time.
  6. Timing issues by kjdames · · Score: 3, Interesting

    I think depending on a regulated email system like this to prove legal timestamping is foolish. Any number of things can delay an email - would you send your taxes by email five minutes before they were due? If a late timestamp meant a fine?

    --

    Typos... that's just how I role.

    1. Re:Timing issues by Rosco+P.+Coltrane · · Score: 4, Funny

      would you send your taxes by email five minutes before they were due? If a late timestamp meant a fine?

      Simple: chose a USPS signature server located on the west coast ;-)

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  7. Is it really a postmark? by manganese4 · · Score: 3, Insightful

    Is calling the service a postmark truly correct in the traditional use of the postal service? This just looks like a Government sponsored notary service.

    Now if we can get a true email version of registered mail where every server in the chain signs the message, that would be something useful

    --
    I make my face look like this and concerned words come out.
  8. Registering your code.. by wfberg · · Score: 5, Interesting

    You know, using such a service to put a date on your sourcecode is a good idea in case you ever end up having to prove when you first coded it (or at least, had it in your possession); for example, if you need to go after a company stealing your code (GPL non-compliance) or if a company comes after you (SCO?).

    --
    SCO employee? Check out the bounty
    1. Re:Registering your code.. by dimitri_k · · Score: 2, Insightful

      You could also snail mail yourself a printout.

      --
      sig is
  9. What did you not get about "Java SDK" ? by brunes69 · · Score: 4, Insightful

    You think, that if this were in any way influenced by MS, there would be a Java SDK? MS hates Java.

    Just because the first sample implementation is in Word, doesn't imply there is some conspiracy. The USPS probably uses Word internally and wanted to make the sample useful for them. With the Java SDK you could use this in Linux, FreeBSD, hell even embedded applications.

    Take off your tinfoil hat.

  10. Government waste by nuggz · · Score: 2, Insightful

    Of course the USPS should sponsor a company to do this.
    Much better than just working with the existing projects.

    1. Re:Government waste by kiwimate · · Score: 2, Informative

      Or they could license the technology from a company who's got some experience in doing this. I don't know how long Silanis has been doing this, but I first came across their digital signature software in 2000, so they ought to know something about the thing. Their web site claims:

      Compliance with federal and state legislation and industry regulations, including the ESIGN Act, UCC, UETA and the FDA's 21 CFR Part 11

  11. SDK ... Free? by MisanthropicProggram · · Score: 2, Interesting

    I couldn't find any price quote for the SDK: just a contact. I'm assuming with the USPS' budget problems, that they'll charge for this.
    Does anyone know if they're charging and how much?

    --

    There is no spoon or sig.

  12. Too expensive by kindofblue · · Score: 4, Interesting
    For what the timestamping service actually does, it costs way, way, way too much. It costs 80 cents per email, 10 cents in bulk. This is super trivial; it should cost 1 or 2 cents, and yahoo mail or hotmail could do it for free. I don't see what Authentidate offers, other than a countersignature with a private key, timeserver, and a hash.

    And of course, there is a free PGP timestamping service, but unfortunately, that does not have the backing of the USPS.

    Anyone know of something similar that is cheap?

    1. Re:Too expensive by chefbb · · Score: 2, Informative

      Authentidate gives the hash/timestamp the credence of a 3rd party witness. They keep track of your hash and assign your stamp. I agree that if the purpose was to simply timestamp or a signature, it would be overkill. For documents where proving "who, what and when" are absolutely necessary, you need an unbiased (I know, it's the gov't) 3rd party.

  13. Want to do this now as an end user ? by j_dot_bomb · · Score: 3, Informative

    Want to do this now as an end user ?
    go to http://www.getstamped.com/

  14. Copyrights and "proof of prior method" by atcurtis · · Score: 4, Interesting

    I know that a lot of people reading /. hate copyrights and patents... but if these digital postmarks stand up in court, they can be of great benefit to individuals and small entrepreneurs in their efforts to compete with 'the big guys'

    People can publish their ideas, essays, music on the internet complete with a copy of the digital postmark, and should a big fish try to patent or claim copyright or patent on the material, the small-time individual can point at the digital postmark and prove their ownership.

    I personally would support this... I would love to be able to share some of the ideas I have - but I do not want someone else to come along and try to patent them or claim that it was theirs first. Such a digital postmark would give me the confidence to share ... and possibly give others the confidence to share their creations.

    Just my 2cents worth.

    --
    -- The universe began. Life started on a billion worlds...
    -- Except on one where stupidity was there first.
  15. Adobe coming by Groo+Wanderer · · Score: 2, Informative

    I talked to the PR people and a hardcore tech from the company at Comdex. I bitched them out about the MS only, and used the usual arguments. One of the things they said was that Linux support was on the list, and more importantly, the next version of Adobe products would support their tech. I know Acrobat was on the list, but I don't remember if the rest of their programs were.

    I guess it is time to start writing all those people I got cards from at Comdex and write an article on this :).

    -Charlie

  16. How bout a webservice by Anonymous Coward · · Score: 3, Insightful

    Instead of making clients use java...this should be a simple webservice. Submit a document, get back timestamped document. That way you could do it from pretty much any platform.

    1. Re:How bout a webservice by ericspinder · · Score: 2, Interesting
      I don't think that is ever the intention for them to ever handle your documents, from the site:
      Data stays private. Service never has access to your content and requires no modification or transmission of content. (only a hash code of the file is logged as evidence of authenticity.)
      However, from what I see you need to sign into the website and upload your hashcode for registration, and that would be a good function for webservices (and micropayments or microcharges!). On another note the Java SDK seems like vaporware, I can find it anywhere! Even the Authentidate website (the USPS's "partner" in this venture), doesn't seem to have it.
      --
      The grass is only greener, if you don't take care of your own lawn.
  17. is it public or open source? by LEPP · · Score: 2, Insightful

    This might be a little hypersensitive but I feel a little nervous about putting this signature system in the hands of a company with no proof that the code nor the process is secure. I know OS code is not flawless but at least it can be peer reviewed. Also, what if the company goes out of business? I have no problem with a company managing the signatures, but I am just a little apprehensive about betting only on the future of a company. Also, this does not seem even a little bit innovative. Essentially they are talking about doing a digital signature. We were doing very similar projects in my CS security class using OS security tools. Digitally signing a hash is nothing new. Maybe I am being naive, but I don't think so. If I am being naive, please explain how.

    LEPP

  18. "Wanishing ink" by GQuon · · Score: 4, Interesting

    Tampering by a macro or script would change the file, thereby making it incompatible with the hash, no?

    Not necessarily. If you have a macro that re-writes the document, the hash would change, and the tampering would be caught.

    But: If you make a macro that doesn't change the contents of the file, but rather a macro that changes just the view, the hash would be the same. For example: You write a document that contains both correct and false information. Before a certain time, the correct information is shown. If you open the document after a specified date, the macro changes what is shown to the reader.

    For this wanishing ink to work
    - it must be possible to write such a macro.
    - the reader must trust all macros.
    - the reader must not be savvy enough to examine the raw word file.

    --
    Irene KHAAAAAAN!
    1. Re:"Wanishing ink" by way2trivial · · Score: 2, Insightful

      -and must not check after the fact
      If I'm told I 'signed off on it' and it turns out to be inverted as to meaning, I can then check the raw file, evidence of what was displayed when I signed would be there, or again-- the hash fails the check.

      --
      every day http://en.wikipedia.org/wiki/Special:Random
  19. Digital signature implementation in UK by sufehmi · · Score: 3, Interesting

    In the UK, the move to digital signatures was pioneered by Inland Revenue (IRS for Americans). The Government's Gateway provides the digital certificate, which then can be used to digitally sign online forms.

    However there were concerns that the implementation is too proprietary, risking dependence on a few vendors. Considering what the Gateway's doing, I think these concerns are valid.

    There was also a little silliness along the way, such as the 50 pounds sterling discount by Inland Revenue (IRS for Americans) if you submit your tax online and sign it with your certificate BUT the certificate itself cost 50 pounds sterling as well, etc.

    But I haven't followed it for quite a while now, hopefully things are better now.

  20. Err. . . copyright registration by Anonymous Coward · · Score: 2, Informative

    Umm, well, if you are worried about that, just register your code with the U.S. Copyright Office - that is the whole reason for the Copyright Office's existence - to register copyrights and provide legal recognition that every court MUST accept, that you registered copyright on something on a certain date (granted it doesn't prove you actually OWN the code you copyrighted - see e.g. groklaw.net articles about how both Novell and SCO claim to have registered the copyrights for ATT Unix with the copyright office).

    That is the legally RECOGNIZED way to 'timestamp' your code. By sending it to the copyright office.

  21. What PGP Corporation has to say about it by Betabug · · Score: 5, Informative

    There is an article by PGP Corporation's CTO Jon Callas about it. His tagline is "Do we need another version of digital timestamps?"

    What he has to say looks like plain common sense to me:

    • requires Windows XP/Office 2003 - expensive
    • requires purchasing a certificate, which is not really necessary for a timestamping service
    • the price seems high

    His conclusion: "To me, this seems like a solution in search of a problem." He even mentions open standard file formats. Nice read.

  22. Signing as well as timestamping by isn't+my+name · · Score: 5, Interesting

    In the protocol descriptions, the customer who wants to sign a document first produces a hash and signs that. That is sent to the USPS who combines it with a timestamp and then signs the whole thing.

    So, you can verify the person's signature and verify the time that it was submitted for an electronic postmark. Based on the language in their whitepaper, they are really looking at setting up a system that is as legally strong in court as a physical signed document.

    I do wonder about the fact that they are only keeping the verification data online for seven years, though.
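
Added example, not part of the comment above and not USPS or AuthentiDate code: a sketch of the flow the story and this comment describe, where the customer signs a hash of the document, the service countersigns that hash together with a timestamp, and a third party later checks both. All function and field names are hypothetical, the timestamp is a constructed value, and textbook RSA over Mersenne primes stands in for real certificate-based signatures so the sketch runs on the Python standard library alone.

```python
import hashlib
import json

E = 65537  # public exponent shared by both toy keys

def toy_keypair(p, q):
    """Textbook RSA from two Mersenne primes: factorable, no padding, demo only."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def _digest_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(key, message: bytes) -> int:
    return pow(_digest_int(message), key["d"], key["n"])

def verify(n: int, message: bytes, sig: int) -> bool:
    return pow(sig, E, n) == _digest_int(message)

def canonical(body: dict) -> bytes:
    """Stable byte encoding of the fields the service signs."""
    return json.dumps(body, sort_keys=True).encode()

# Constructed keys; a real deployment would use certificates issued to each party.
CUSTOMER = toy_keypair(2**521 - 1, 2**607 - 1)
SERVICE = toy_keypair(2**1279 - 1, 2**2203 - 1)

def customer_request(document: bytes) -> dict:
    """Customer side: hash locally, sign the hash, send only these two fields."""
    doc_hash = hashlib.sha256(document).hexdigest()
    return {"doc_hash": doc_hash,
            "customer_sig": sign(CUSTOMER, doc_hash.encode())}

def service_postmark(request: dict, timestamp: str) -> dict:
    """Service side: never sees the document, only the signed hash."""
    if not verify(CUSTOMER["n"], request["doc_hash"].encode(),
                  request["customer_sig"]):
        raise ValueError("customer signature invalid")
    body = {"doc_hash": request["doc_hash"],
            "customer_sig": request["customer_sig"],
            "timestamp": timestamp}
    return dict(body, service_sig=sign(SERVICE, canonical(body)))

def check_postmark(document: bytes, token: dict) -> str:
    """Third-party check using only the two public moduli."""
    body = {k: token[k] for k in ("doc_hash", "customer_sig", "timestamp")}
    if not verify(SERVICE["n"], canonical(body), token["service_sig"]):
        return "service signature invalid"
    if not verify(CUSTOMER["n"], token["doc_hash"].encode(),
                  token["customer_sig"]):
        return "customer signature invalid"
    # The hash covers the file's bytes, not what a viewer renders from them.
    if hashlib.sha256(document).hexdigest() != token["doc_hash"]:
        return "document does not match postmarked hash"
    return "ok"

if __name__ == "__main__":
    doc = b"Constructed sample contract text."
    token = service_postmark(customer_request(doc), "2004-01-15T12:00:00Z")
    print(check_postmark(doc, token))
    print(check_postmark(doc + b" (amended)", token))
    print(check_postmark(doc, dict(token, timestamp="2003-12-31T23:59:59Z")))
```
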

  23. SDK Download Request Location by isn't+my+name · · Score: 3, Informative

    Before submitting the article, I e-mailed to ask about this and the pricing. Did not get a response until after I had submitted to Slashdot, but here is the link for requesting an SDK.

    And here is the link for pricing. Note, I was told that the introductory pricing period has passed and I was also told that the entire website was due for an update in the next week or two. Had I known that when I submitted the Slashdot article, I would have waited a bit. Maybe a good slashdotting will get a redesign that can handle a heavy load. :)

  24. Linux Version? by gsperling · · Score: 2, Insightful

    And how long before a Linux version and applicable plug-in is available for OpenOffice.org? I mean, I'd love to be able to take advantage of this type of technology, but until it's ported to Linux, it's of no use to me!

  25. What happened to certified email? by Hiroto.+S · · Score: 2, Informative
    Talking about USPS, whatever happened to the certificate service they once started?

    USPS delivers a digital, signature-certified mail system

    It is nowhere to be found in usps.gov anymore.

  26. Link to request Java SDK by isn't+my+name · · Score: 2, Informative

    I e-mailed for more info and was provided this link to request a Java SDK:

    https://www.uspsepm.com/crm/sdkRegister.adate

  27. USPS - Gov't or Microsoft? by provoix · · Score: 2, Interesting

    Can somebody explain to me how a Microsoft Advertisement landed itself on a Government website (https://www.uspsepm.com/epm/epm_office_ext/index.htm)? The domain is owned by the USPS. Am I missing something here? I was under the impression that commercial advertising was not permitted on government help domains...

  28. The scariest thing: by Pig+Hogger · · Score: 2, Interesting
    Apparently, the USPS feels that the strong legal protections against interfering with the US mail will apply to the EPM program.
    Scariest shit is that spammers may start to send EPMed spams that it would be CRIMINAL to block.

    No more blocklists a la SPEWS...

  29. This should be free in Star/OpenOffice or PDFs by dalesun · · Score: 2, Insightful

    Sun could easily gain a huge advantage for StarOffice (over Microsoft Office) by offering this feature for free in StarOffice. It should be easy to develop and very cheap to provide.

    Perhaps a simple timestamp/hash version could be included in the free OpenOffice, with a more advanced certificate based or user-ID authenticated option in StarOffice.

    This would also be perfect for Adobe to offer for Acrobat PDF files.

    If free and non-proprietary, it would quickly become a popular standard, and perhaps THE standard.

  30. GPGNotary 1.0 by todu · · Score: 2, Informative

    I once had a very similar idea and developed a working perlscript implementation. But I never had the time to release it officially. So if someone is interested in a free (as in freedom as well as gratis) timestamping service you may download my package from the below link and email me comments:

    http://bokstavera2.sourceforge.net/GPGNotary-1_0.t ar.gz
    (remove the space in the link).