Slashdot Mirror

← Back to Stories (view on slashdot.org)

USPS Providing Electronic Postmarks

Posted by CowboyNeal on from the trust-the-post-office dept.

isn't my name writes "Back in 2000, Clinton signed the ESIGN Legislation which set forth the requirements for making electronic signatures. But many questioned the weakness of its definitions that allowed an e-mail address to be used as an electronic signature. Well, it seems the USPS has come up with something stronger. They even have a Java and MS COM SDK's Apparently, the USPS feels that the strong legal protections against interfering with the US mail will apply to the EPM program. It seems that AuthentiDate is doing all the heavy lifting. According to the whitepaper on their site, it provides non-repudiation and legal timestamps of documentation by having the customer use a public-key to sign a hash of the document, which is then sent to AuthentiDate's servers which combine that with a timestamp and sign with their key. So, AuthentiDate does not have access to any of the data in the documentation. It sounds very similar to the free PGP Digital Timestamping Service, but it likely is more likely to be legally defensible in a US Court. They also have a new plug-in for MS Word documents. Interestingly, despite the mention of the SDK and it's ability to work with any documents, the only login setup I could find just allows you to use the MS Word version."

9 of 164 comments (clear)

  1. Something Similiar by Dark+Paladin · · Score: 5, Interesting

    I've been working on something similiar for another division of the US government.

    The biggest thing driving this are two issues:

    1. Government Paperwork Eliminiation Act - signed by Clinton, it basically tells the various agencies:
    1. "reduce paperwork by having forms available online".
    2. "When possible, have those forms electronically signed."

    The problem is that most government agencies, except maybe the IRS, and then in limited form, really don't have any kind of system set up for doing #2. They're getting pretty good at #1 (having documents available online), but #2 has been a challenge.

    The biggest challenge is initial setup. For the Department of Agriculture, you can do electronic signatures over the web. But first you must physically show up at one of their offices, validate your identify, and then you're good to go.

    That works all right for them, but suppose you're somebody like the IRS, with around, oh, 200 million "clients". Now you have to process them all, validate their identity which means having them show up at a local office (long lines and all). Then there's the issue of what system to use, validation procedures, how to keep Joe American from forgetting their password, and if they lose it, how do they get it back in a way that's secure and doesn't cost a lot of money?

    2. Money. Believe it or not, most people in government agencies really want to save money, not spend all of it.

    Honest.

    So by having electronic signatures, they can reduce paperwork, install workflow systems so that when a document is digitally signed it can be forwarded right to the people who need to see it to be reviewed in minutes instead of days, without all the messy paper getting lost and so on.

    I'll probably be checking out the USPS's system to see what they do. If it's reasonable, secure, ensures privacy, and truly has an open API that would allow other agencies to develop systems based on it, it may be the electronic signature "standard" that some government agencies are looking for.

    Guess I'd better RTFA now ;).

    --
    52 Weeks, 52 Religions with John Hummel
    1. Re:Something Similiar by chefbb · · Score: 5, Insightful

      After perusing the white paper, it looks like the USPS solved this issue by having the user apply online for a digital certificate. Then they print out a form and authenticate themselves at a local post office, then they can download their DC. It's interesting that the post office is probably one of the few federal agencies capable of making this work, due to their presence in every community.

      The obvious breakdown with this is that someone could potentially gain access to a user's computer and steal their dc. What about Joe User who runs windows 98 and is unaware of his spyware? It's easily as secure as an old-fashioned signature, though. So maybe that's good enough.

      I have to say that it does look like the USPS thought things through rather well on this one. They made it as easy as possible while still focusing on security.

  2. Word only irrelevant by Esteanil · · Score: 5, Interesting

    That it's word only ATM (as far as I also can find out from the site) is irrelevant... Well, nearly so. With the Java SDK any application from any OS appearently can easily be enhanced with their Electronic Postmark capabilities.
    What I'm wondering about is the "Nationwide reach and trust" point they list in "Benefits of EPM".
    Does the strong encryption make it illegal to use this for international communications?

    --
    I'm a dreamer, the world is my playpen. But hey, I'm a serious person, I can't dream all the time.
  3. The sooner they get this working the better... by MrRTFM · · Score: 5, Interesting

    I am sick and tired of having to FAX my damn signature around the place

    1. print the form
    2. sign it
    3. scan it
    4. fax it

    I mean, come on - how outdated is this method?
    If the Banks let us use online banking to transfer all our money around, surely a digital signature system can be built.

    But then, I am not an encryption expert so what do I know.

    --
    You can't expect to wield supreme executive power, just because some watery tart threw a sword at you
    1. Re:The sooner they get this working the better... by Rosco+P.+Coltrane · · Score: 5, Interesting

      (Dont mind me - I've had a personal vendetta against fax verification since 1996)

      I'm with you right there.

      Anyway, it doesn't matter much, because since everybody requires people to sign this or that, signatures aren't worth crap anymore. For example, I signed someone else's $1200 credit card slip once (my boss', he had used his credit card to stick me in a hotel for 1 month on a business trip, but left before me, so I signed it myself when I checked out) : I didn't know his signature, so I just used mine. Totally and obviously not his name at all. Neither the hotel nor his bank never said anything at all. They only check if the account holder complains.

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  4. That's a lot of keys by MadSweeper · · Score: 5, Interesting

    My only comment to this is that fact that for it to really work each person who uses it will need a (public) key. In order for that to work you need to validate the users' identity.
    Does this mean that I will goto my local post office and sign-up, get I&A (Identification and Authentication) done and then get my key?
    Are the keys real public keys ie: PKIX and PKCS standards?

  5. Registering your code.. by wfberg · · Score: 5, Interesting

    You know, using such a service to put a date on your sourcecode is a good idea in case you ever end up having to prove when you first coded it (or at least, had it in your possesion); for example, if you need to go after a company stealing your code (GPL non-compliance) or if a company comes after you (SCO?).

    --
    SCO employee? Check out the bounty
  6. What PGP Corporation has to say about it by Betabug · · Score: 5, Informative

    There is an article by PGP Corporations CTO Jon Callas about it. His tagline is "Do we need another version of digital timestamps?"

    What he has to say looks like plain common sense to me:

    • requires Windows xP/Office 2003 - expensive
    • requires purchasing a certificate, which is not really necessary for a timestamping service
    • the price seems high

    His conclusion: "To me, this seems like a solution in search of a problem." He even mentions open standard file formats. Nice read.

  7. Signing as well as timestamping by isn't+my+name · · Score: 5, Interesting

    In the protocol descriptions, the customer who wants to sign a document first produces a hash and signs that. That is sent to the USPS who combines it with a timestamp and then signs the whole thing.

    So, you can verify the persons signature and verify the time that it was submitted for an electronic postmark. Based on the language in their whitepaper, they are really looking at setting up a system that is as legally strong in court as a physical signed document.

    I do wonder about the fact that they are only keeping the verification data online for seven years, though.