Slashdot Mirror

← Back to Stories (view on slashdot.org)

USPS Providing Electronic Postmarks

Posted by CowboyNeal on from the trust-the-post-office dept.

isn't my name writes "Back in 2000, Clinton signed the ESIGN Legislation which set forth the requirements for making electronic signatures. But many questioned the weakness of its definitions that allowed an e-mail address to be used as an electronic signature. Well, it seems the USPS has come up with something stronger. They even have a Java and MS COM SDK's Apparently, the USPS feels that the strong legal protections against interfering with the US mail will apply to the EPM program. It seems that AuthentiDate is doing all the heavy lifting. According to the whitepaper on their site, it provides non-repudiation and legal timestamps of documentation by having the customer use a public-key to sign a hash of the document, which is then sent to AuthentiDate's servers which combine that with a timestamp and sign with their key. So, AuthentiDate does not have access to any of the data in the documentation. It sounds very similar to the free PGP Digital Timestamping Service, but it likely is more likely to be legally defensible in a US Court. They also have a new plug-in for MS Word documents. Interestingly, despite the mention of the SDK and it's ability to work with any documents, the only login setup I could find just allows you to use the MS Word version."

27 of 164 comments (clear)

  1. Something Similiar by Dark+Paladin · · Score: 5, Interesting

    I've been working on something similiar for another division of the US government.

    The biggest thing driving this are two issues:

    1. Government Paperwork Eliminiation Act - signed by Clinton, it basically tells the various agencies:
    1. "reduce paperwork by having forms available online".
    2. "When possible, have those forms electronically signed."

    The problem is that most government agencies, except maybe the IRS, and then in limited form, really don't have any kind of system set up for doing #2. They're getting pretty good at #1 (having documents available online), but #2 has been a challenge.

    The biggest challenge is initial setup. For the Department of Agriculture, you can do electronic signatures over the web. But first you must physically show up at one of their offices, validate your identify, and then you're good to go.

    That works all right for them, but suppose you're somebody like the IRS, with around, oh, 200 million "clients". Now you have to process them all, validate their identity which means having them show up at a local office (long lines and all). Then there's the issue of what system to use, validation procedures, how to keep Joe American from forgetting their password, and if they lose it, how do they get it back in a way that's secure and doesn't cost a lot of money?

    2. Money. Believe it or not, most people in government agencies really want to save money, not spend all of it.

    Honest.

    So by having electronic signatures, they can reduce paperwork, install workflow systems so that when a document is digitally signed it can be forwarded right to the people who need to see it to be reviewed in minutes instead of days, without all the messy paper getting lost and so on.

    I'll probably be checking out the USPS's system to see what they do. If it's reasonable, secure, ensures privacy, and truly has an open API that would allow other agencies to develop systems based on it, it may be the electronic signature "standard" that some government agencies are looking for.

    Guess I'd better RTFA now ;).

    --
    52 Weeks, 52 Religions with John Hummel
    1. Re:Something Similiar by chefbb · · Score: 5, Insightful

      After perusing the white paper, it looks like the USPS solved this issue by having the user apply online for a digital certificate. Then they print out a form and authenticate themselves at a local post office, then they can download their DC. It's interesting that the post office is probably one of the few federal agencies capable of making this work, due to their presence in every community.

      The obvious breakdown with this is that someone could potentially gain access to a user's computer and steal their dc. What about Joe User who runs windows 98 and is unaware of his spyware? It's easily as secure as an old-fashioned signature, though. So maybe that's good enough.

      I have to say that it does look like the USPS thought things through rather well on this one. They made it as easy as possible while still focusing on security.

    2. Re:Something Similiar by vaguelyamused · · Score: 3, Informative
      Actually the Postal Service is not really privatized. The Postmaster General is still an appointed position, they do not pay taxes to local or federal governments nor abide by labor standards set forth for private companies. That said their budget is entirely seperate from the federal budget, they receive absolutely no tax money and are expected to be self-sufficient. Their employees are federal workers in the civil service system however and are entitled to all benefits as such.

      The aren't allowed to keep all of their profits either though. In years they make too much money the federal government takes most of it for general revenue. Additionally the USPS has to comply with all kinds of draconian rules set by Congress (see Franking privileges).

      So you see they aren't privatized, their leadership is federally appointed and the workers federal employees but the USPS is not completely integrated into the federal government (like..say..the Park Service).

      --
      STOP ROCK VIDEO
  2. Word only irrelevant by Esteanil · · Score: 5, Interesting

    That it's word only ATM (as far as I also can find out from the site) is irrelevant... Well, nearly so. With the Java SDK any application from any OS appearently can easily be enhanced with their Electronic Postmark capabilities.
    What I'm wondering about is the "Nationwide reach and trust" point they list in "Benefits of EPM".
    Does the strong encryption make it illegal to use this for international communications?

    --
    I'm a dreamer, the world is my playpen. But hey, I'm a serious person, I can't dream all the time.
    1. Re:Word only irrelevant by lwsimon · · Score: 3, Interesting

      Does the strong encryption make it illegal to use this for international communications

      Good point, i'll research it and check back by tonight... Would be quite ironic if USPS was a "weapons exporter" via the downloads on its site :)

      --
      Learn about Photography Basics.
  3. The sooner they get this working the better... by MrRTFM · · Score: 5, Interesting

    I am sick and tired of having to FAX my damn signature around the place

    1. print the form
    2. sign it
    3. scan it
    4. fax it

    I mean, come on - how outdated is this method?
    If the Banks let us use online banking to transfer all our money around, surely a digital signature system can be built.

    But then, I am not an encryption expert so what do I know.

    --
    You can't expect to wield supreme executive power, just because some watery tart threw a sword at you
    1. Re:The sooner they get this working the better... by AndroidCat · · Score: 3, Interesting
      I've always wondered what loony descided that faxing a signature was in any way secure. Possibly it was mildly secure when there were only fax machines and no computers with fax modems, scanners and editing software. (Although a literal cut'n'paste would still foil it back then.)

      I've got a contract that I have "sign" with this idiotic method today. Joy, but they're paying me so... Has "fax signing" stood up to any real test in court?

      As for this new method .. can't be worse.

      --
      One line blog. I hear that they're called Twitters now.
    2. Re:The sooner they get this working the better... by Rosco+P.+Coltrane · · Score: 5, Interesting

      (Dont mind me - I've had a personal vendetta against fax verification since 1996)

      I'm with you right there.

      Anyway, it doesn't matter much, because since everybody requires people to sign this or that, signatures aren't worth crap anymore. For example, I signed someone else's $1200 credit card slip once (my boss', he had used his credit card to stick me in a hotel for 1 month on a business trip, but left before me, so I signed it myself when I checked out) : I didn't know his signature, so I just used mine. Totally and obviously not his name at all. Neither the hotel nor his bank never said anything at all. They only check if the account holder complains.

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  4. That's a lot of keys by MadSweeper · · Score: 5, Interesting

    My only comment to this is that fact that for it to really work each person who uses it will need a (public) key. In order for that to work you need to validate the users' identity.
    Does this mean that I will goto my local post office and sign-up, get I&A (Identification and Authentication) done and then get my key?
    Are the keys real public keys ie: PKIX and PKCS standards?

    1. Re:That's a lot of keys by Dark+Paladin · · Score: 3, Interesting

      Most likely, yes. If they do it right, you should fill out a form online, get some sort of number or perhaps a barcode print out, take it to a USPS center where they will validate you with a picture ID (Drivers license), then give you access to your keys, perhaps through a username/password combination.

      Why this way? Remember: lying to the post office is a Federal Offense, and can get you jail time. That's why they like the whole "make you show up" concept: it (should) keep people from being naughty, especially if they take the extra step and request a fingerprint or some other biometric that will scare the pants off of most would-be identity thieves.

      --
      52 Weeks, 52 Religions with John Hummel
    2. Re:That's a lot of keys by MadSweeper · · Score: 3, Interesting

      As you say: If they do it right
      I have been dealing with PKI for 7 years now and still have not seen an implementation that would work on a large scale. It works in corporations where there aren't that many people.
      I suppose we should look at how different Revenue Departments do it. I know that there are countries that allow its citizens to submit their tax returns across the internet. However, many of these system don't use a real PKI.

      One of the questions that I have been strugling with is the usability of current PKI systems. Technology exists to do wonderful things (not just in PKI) but the general public is not able to, or does not want to, understand and/or use it.

      Oh yeah, regarding Banks. They don't use it and they just put the burden on the customer by saying you are using this system at your own risk...

    3. Re:That's a lot of keys by *weasel · · Score: 4, Insightful

      Biometrics don't actually scare the pants off identity thieves.

      Work for a bank some time, and note how casually and willingly people will be to put their fingerprint on a forged check. Not that you'll know when they try to pass it. Everything will be in order, everything will look right. They won't hesitate to hand you an ID and print.

      Then you'll hand them the cash, and a week later the branch will be kicking itself.

      maybe they realize that the fingerprint is useless (unless you have a criminal record, there's nothing they can compare it against, and they dont have the horsepower to perform a pre-transaction search through a national database).

      maybe they're dumb.

      who knows - but a biometric just doesn't bother them. It would however bother piles of citizen's groups, if the government were to start fingerprinting non criminals. well, that's how they'd spin it anyway. and maybe they'd have a point.

      what was slashdot's philosophic argument against DRM anyway? treating all your paying customers as potential criminals is bad business?

      --
      // "Can't clowns and pirates just -try- to get along?"
  5. Word Macros by Anonymous Coward · · Score: 3, Interesting

    Actually Word is not suitable for the purpose anyway. A word document may contain macros and scripting which change the way the content is rendered *after* it is signed.

    So be very careful when you trust a digital signature on a word document, next week it may say something quite different...

  6. Timing issues by kjdames · · Score: 3, Interesting

    I think depending on a regulated email system like this to prove legal timestamping is foolish. Any number of things can delay an email - would you send your taxes by email five minutes before they were due? If a late timestamp meant a fine?

    --

    Typos... that's just how I role.

    1. Re:Timing issues by Rosco+P.+Coltrane · · Score: 4, Funny

      would you send your taxes by email five minutes before they were due? If a late timestamp meant a fine?

      Simple: chose a USPS signature server located on the west coast ;-)

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  7. Is it really a postmark? by manganese4 · · Score: 3, Insightful

    Is calling the service a postmark truly correct in the traditional use of the postal serivce? This just looks like a Government sponsered notary service.

    Now if we can get a true email version of registered mail where every server in the chain signs the message, that would be something useful

    --
    I make my face look like this and concerned words come out.
  8. Registering your code.. by wfberg · · Score: 5, Interesting

    You know, using such a service to put a date on your sourcecode is a good idea in case you ever end up having to prove when you first coded it (or at least, had it in your possesion); for example, if you need to go after a company stealing your code (GPL non-compliance) or if a company comes after you (SCO?).

    --
    SCO employee? Check out the bounty
  9. What did you not get about "Java SDK" ? by brunes69 · · Score: 4, Insightful

    You think, that if this were in any way influenced by MS, there would be a Java SDK? MS hates Java.

    Just because the first sample implementation is in Word, doesn't imply there is some conspiracy. The USPS probably uses Word internally and wanted to make the sample usefull for them. With the JavaSDK you could use this in Linux, FreeBSD, hell even embedded applications.

    Take off your tinfoil hat.

  10. Too expensive by kindofblue · · Score: 4, Interesting
    For what the timstamping service actually does, it costs way, way, way too much. It cost 80 cents per email, 10 cents in bulk. This is super trivial; it should cost 1 or 2 cents, and yahoo mail or hotmail could do it for free. I don't see what Authentidate offers, other than a countersignature with a private key, timeserver, and a hash.

    And of course, there is a free PGP timestamping service, but unfortunately, that does not have the backing of the USPS.

    Anyone know of something similar that is cheap?

  11. Want to do this now as an end user ? by j_dot_bomb · · Score: 3, Informative

    Want to do this now as an end user ?
    go to http://www.getstamped.com/

  12. Copyrights and "proof of prior method" by atcurtis · · Score: 4, Interesting

    I know that a lot of people reading /. hates copyrights and patents... but of these digital postmarks stand up in court, they can be of great benefit to individuals and small entrprenurs in their efforts to compete with 'the big guys'

    People can publish their ideas, essays, music on the internet complete with a copy of the digital postmark, and should a big fish try to patent or claim copyright or patent on the material, the small-time individual can point at the digital postmask and prove their ownership.

    I personally would support this... I would love to be able to share some of the ideas I have - but I do not want someone else to come along and try to patent them or claim that it was their's first. Such a digital postmark would give me the confidence to share ... and possibly give others the confidence to share their creations.

    Just my 2cents worth.

    --
    -- The universe began. Life started on a billion worlds...
    -- Except on one where stupidity was there first.
  13. How bout a webservice by Anonymous Coward · · Score: 3, Insightful

    Instead of making clients use java...this should be a simple webservice. Submit a document, get back timestamped document. That way you could do it from pretty much any platform.

  14. "Wanishing ink" by GQuon · · Score: 4, Interesting

    Tampering by a macro or script would change the file, thereby making it incompatible with the hash, no?

    Not necessarlity. If you have a macro that re-writes the document, the hash would change, and the tampering would be caught.

    But: If you make a macro that doesn't change the contents of the file, but rather a macro that changes just the view, the hash would be the same.For example: You write a document that contains both correct and false information. Before a certain time, the correct information is shown. If you open the document after a specified date, the macro changes what is shown to the reader.

    For this wanishing ink to work
    - it must be possible to write such a macro.
    - the reader must trust all macros.
    - the reader must not be savvy enough to examine the raw word file.

    --
    Irene KHAAAAAAN!
  15. Digital signature implementation in UK by sufehmi · · Score: 3, Interesting

    In UK, the move to digital signature was pioneered by Inland Revenue (IRS for Americans). The Government's Gateway provides the digital certificate, which then can be used to digitally sign online forms.

    However there were concerns that the implementation is too proprietary, risking dependence to few vendors. Considering what the Gateway's doing, I think these concerns are valid.

    There were also little silliness along the way, such as the 50 poundsterling discount by Inland revenue (IRS for Americans) if you submit your tax online and sign it with your certificate BUT the certificate itself cost 50 poundsterling as well, etc.

    But I haven't followed it for quite a while now, hopefully things are better now.

  16. What PGP Corporation has to say about it by Betabug · · Score: 5, Informative

    There is an article by PGP Corporations CTO Jon Callas about it. His tagline is "Do we need another version of digital timestamps?"

    What he has to say looks like plain common sense to me:

    • requires Windows xP/Office 2003 - expensive
    • requires purchasing a certificate, which is not really necessary for a timestamping service
    • the price seems high

    His conclusion: "To me, this seems like a solution in search of a problem." He even mentions open standard file formats. Nice read.

  17. Signing as well as timestamping by isn't+my+name · · Score: 5, Interesting

    In the protocol descriptions, the customer who wants to sign a document first produces a hash and signs that. That is sent to the USPS who combines it with a timestamp and then signs the whole thing.

    So, you can verify the persons signature and verify the time that it was submitted for an electronic postmark. Based on the language in their whitepaper, they are really looking at setting up a system that is as legally strong in court as a physical signed document.

    I do wonder about the fact that they are only keeping the verification data online for seven years, though.

  18. SDK Download Request Location by isn't+my+name · · Score: 3, Informative

    Before submitting the article, I e-mailed to ask about this and the pricing. Did not get a response until after I had submitted to Slashdot, but here is the link for requesting an SDK.

    And here is the link for pricing. Note, I was told that the introductory pricing period has passed and I was also told that the entire website was due for an update in the next week or two. Had I known that when I submitted the Slashdot article, I would have waited a bit. Maybe a good slashdotting will get a redesign that can handle a heavy load. :)