USPS To Provide Personal Identity Certification

timothy posted about 11 years ago | from the in-their-efficient-cheerful-fashion dept.

Privacy 259

Zentalon writes "The United States Postal Service has announced that it will provide In-Person Proofing (pdf) to physically authenticate individuals before a digital signature certificate is issued to that person. This has a bunch of interesting ramifications; for instance, I could create a simple spam filter that only accepts mail from individuals and organizations that have an authenticated certificate. It could also allow for more secure financial transactions. Anyone know if any other national postal services are planning the same thing?" Funny, they don't seem to always know where to deliver so-called first-class mail ...


259 comments


No (-1, Offtopic)

shaklee (631847) | about 11 years ago | (#6353476)

Down with M$, use linux!!! oops I guess that won't work here...

I always did feel a little bit wrong... (-1, Offtopic)

Abalamahalamatandra (639919) | about 11 years ago | (#6353483)

I could use some proofing!

Re:I always did feel a little bit wrong... (-1, Offtopic)

Anonymous Coward | about 11 years ago | (#6353792)

Anyone else notice timothy [monkey.org] has posted all of the front page articles? What happened to the other editors?

Oh hell yeah (-1, Offtopic)

Anonymous Coward | about 11 years ago | (#6353485)

Linux sucks.

FP?

YOU FAIL IT! (0)

Anonymous Coward | about 11 years ago | (#6353555)

[ed. note: no it isn't]

What about the blind? (-1, Troll)

conner_bw (120497) | about 11 years ago | (#6353488)

That PDF discriminates against the blind, and so does the authentication system. The postal service is a government institution... time to sue!

Who's with me?

Re:What about the blind? (-1)

Anonymous Coward | about 11 years ago | (#6353557)

Okay, this may be offtopic, but I thought it was pretty damn funny.

Re:What about the blind? (0)

Anonymous Coward | about 11 years ago | (#6353619)

I know a guy who doesn't have X on his Debian machine, so he views all PDFs in console with some sort of PDF-to-Latin1 program. I bet blind people could use the same program.

authenticate by anus (-1, Flamebait)

Anonymous Coward | about 11 years ago | (#6353497)

every person has a unique anus - that should provide id - except all the slashpackers who are constantly expanding their anii with foreign objects.

Deutsche Post did that (4, Informative)

sebmol (217013) | about 11 years ago | (#6353502)

Shortly after digital signatures became legally equivalent to regular signatures in Germany, Deutsche Post (the German postal service) offered digital authentication. Last time I heard about it, it was being scrapped due to a lack of demand.

pdf -- txt (2, Informative)

CowBovNeal (672450) | about 11 years ago | (#6353598)

35922 Federal Register / Vol. 68, No. 116 / Tuesday, June 17, 2003 / Notices
Dated: June 12, 2003.
D.L. Gamberoni,
Technical Coordinator, Office of the Secretary.

[FR Doc. 03-15347 Filed 6-13-03; 11:53 am]
BILLING CODE 7590-01-M

POSTAL SERVICE
In-Person Proofing at Post Offices (IPP) Program

AGENCY: U.S. Postal Service.
ACTION: Notice.

SUMMARY: The USPS is announcing the availability of an In-Person Proofing at Post Offices (IPP) Program to support the activities of U.S. Certificate Authorities and government organizations.
EFFECTIVE DATE: June 9, 2003.
FOR FURTHER INFORMATION CONTACT: Chuck Chamberlain at 703-292-4172, or Brad Reck at 703-292-3530

SUPPLEMENTARY INFORMATION: In recent years, a number of new federal statutes have sought to preserve the ability of the public and private sectors to use the efficiency of the internet to rapidly exchange time sensitive communications while assuring that people receiving and sending messages are in fact who they say they are. A number of top quality private sector businesses have mastered the technology around the use of secure digital signatures, yielding a greater demand for improved identity verification for individuals seeking to use digital signatures.

This need for improved ''online identity'' creates a unique service opportunity for the Postal Service to provide value to the public, leverage our retail network and enable internet communications to enjoy a new level of security and reliability. Numerous organizations have approached the U.S. Postal Service to conduct In-Person Proofing (IPP) of customers nationwide for physically authenticating an individual's identification at a post office before the organization issues a digital signature certificate to the individual.

IPP supports efficient, affordable, trusted communications through the use of identification verification at Post Offices, incorporation of process enhancements required by the Postal Service, active management of the IPP program by the USPS, and use of a First Class U.S. Mail piece to verify physical addresses of applicants. We believe that IPP conducted at local post offices will create a new broad based capability for the Nation that promotes improved public trust and greater efficiency in the electronic delivery of a wide range of services. These efforts support achieving the goals of the Government Paperwork Elimination Act of 1998, Electronic Signature in Global and National Commerce Act of 2000, Health Insurance Portability and Accountability Act of 1996, Sarbanes-Oxley Act of 2002, and Gramm-Leach-Bliley Act of 1999 and numerous Presidential Directives on eGovernment.

The following is a brief description of how IPP would work. An organization can establish a relationship with a qualified U.S. Certificate Authority to integrate digital signing with improved identity verification into an online application. Any individual desiring to use digital certificates that include USPS IPP will complete an application online. The online system will verify the individual's identity via commercial data base checking. The system will then produce a standard Postal Service form to be printed out at the ''applicant's'' personal computer. The individual requesting the service will present this form to a participating post office where the ''In Person Proofing'' process is conducted. After successful completion of the IPP event, the CA will notify the applicant to download their digital certificate. For clarity, the steps in the IPP process are outlined below.

1.0 DESCRIPTION
1.1 Purpose
IPP is a postal program to improve the public key infrastructure of the Nation. The public key infrastructure has emerged as an accepted infrastructure component for protecting and facilitating the electronic communications of the Nation.

2.0 BASIC STANDARDS
2.1 Eligibility
For a Certificate Authority (CA) to use IPP, the CA must incorporate the U.S. Postal Service In-Person Proofing Policy into their Certificate Policy. Conformance to the Postal policy includes:
1. Use of a Patriot Act compliant database vetting process to gain initial assurance of an applicant's identity before sending the applicant to the Postal Office for IPP.
2. Perform a verification of the applicant's physical residential address via First Class U.S. Mail with an ''Address Correction Requested'' and ''Do Not Forward'' endorsement.
3. Restrict the expiration date of an IPP based Digital Certificate such that it does not surpass the expiration of the 4 year validity period of an IPP verification event. A new IPP event will be required every 4 years.
4. Facilitate IPP processing by using standard forms and barcodes as directed by the USPS and exchanging of information as necessary for the efficient operation of IPP. This includes:
A. Using the standard ID Verification Form (IDVF),
B. Maintaining a secure repository of IDVF forms,
C. Providing access to IDVF forms and customer account information as necessary for investigative purposes by USPS Inspection Service and the USPS Office of Inspector General,
D. Submitting the processes and operations of the CA to security audits and compliance reviews as required by the USPS, and
E. Restricting the generation of unique barcodes for each IPP event to those expressly permitted by the USPS.
5. Operate the CA to enable the broadest practical use of IPP based digital certificates. This includes:
A. Issuing, at a minimum, a daily Certificate Revocation List to better allow users to rely upon the certificates,
B. Passing an external CA audit in accordance with industry best practices such as ''AICPA/CICA WebTrust Program for Certificate Authorities'',
C. Achieving interoperability with the Federal Bridge for Certificate Authorities, and
D. Incorporating a new common object identifier (USPS registered OID) for IPP based digital certificates.
6. Successfully enter into an agreement with the USPS that includes standard pricing, service level commitments, IPP Policy compliance, liability and service termination provisions, as well as such other terms and conditions as may be included.

2.2 Minimum Volume
IPP transactions are to be purchased in pre-paid blocks of 10,000 transactions by either the CA or a government customer on behalf of the CA.

2.3 Labeling
Each digital certificate must contain the statement ''ID Verified by the U.S. Postal Service'' within the certificate profile to let any user or relying party know that:
- The issuer of the digital certificate authority operates in compliance with IPP Policy, and
- The holder of the credential did physically appear before a postal employee and had their hardcopy identification successfully verified.
Applications should interrogate the digital certificate presented during an electronic process to confirm the presence of a new common object identifier (USPS registered OID) for IPP based digital certificates.

3.0 AVAILABILITY
IPP is available at an initial level of up to 200 post offices promptly following the execution of the first activation agreement. Market demand for IPP, in conjunction with operational assessments, will determine the expansion schedule beyond initial deployment locations.

Stanley F. Mires,
Chief Counsel, Legislative.
[FR Doc. 03-15211 Filed 6-16-03; 8:45 am]
BILLING CODE 7710-12-P

35923 Federal Register / Vol. 68, No. 116 / Tuesday, June 17, 2003 / Notices
1 15 U.S.C. 78s(b)(1).
2 17 CFR 240.19b-4.
3 15 U.S.C. 78s(b)(3)(A).
4 17 CFR 240.19b-4(f)(6).
5 The CHX provided the Commission with written notice of its intent to file the proposed rule change on March 2, 2002. The proposed rule change will become operative on June 1, 2003.
6 The CHX inadvertently neglected to underscore a word in the proposed rule text when it filed this proposed rule change. With the CHX's permission, the Commission corrected the omission, so that the proposed rule text as printed in this notice accurately reflects the CHX's intentions. May 22, 2003 telephone conversation between Kathleen M. Boege, Associate General Counsel, CHX, and Joseph P. Morra, Special Counsel, Division of Market Regulation, Commission.

SECURITIES AND EXCHANGE COMMISSION
[Release No. 34-48014; File No. SR-CHX-2003-05]

Self-Regulatory Organizations; Notice of Filing and Immediate Effectiveness of Proposed Rule Change by the Chicago Stock Exchange, Incorporated Relating to the Execution of Limit Orders for OTC Securities

June 11, 2003.
Pursuant to section 19(b)(1) of the Securities Exchange Act of 1934 (''Act''), 1 and Rule 19b-4 thereunder, 2 notice is hereby given that on April 28, 2003, the Chicago Stock Exchange, Incorporated (''CHX'' or ''Exchange'') filed with the Securities and Exchange Commission (''Commission'') the proposed rule change as described in Items I, II and III below, which Items have been prepared by the Exchange. The Exchange filed the proposal pursuant to section 19(b)(3)(A) of the Act, 3 and Rule 19b-4(f)(6) 4 thereunder, which renders the proposal effective upon filing with the Commission. 5 The Commission is publishing this notice to solicit comments on the proposed rule change from interested persons.

I. Self-Regulatory Organization's Statement of the Terms of Substance of the Proposed Rule Change
The Exchange proposes to amend certain provisions of CHX Article XX, Rule 37(a)(3), which governs, among other things, the execution of limit orders in a CHX specialist's book. Specifically, the CHX seeks to add a provision that would permit a CHX specialist to enable a functionality that would automatically execute designated limit orders for Nasdaq/NM (''OTC'') securities, following dissemination of a locking or crossing quotation in that security by one or more designated OTC market centers. The text of the proposed rule change is below. Proposed new language is in italics. Proposed deletions are in brackets. 6

Chicago Stock Exchange Rules
Article XX - Regular Trading Sessions
* * * * *
Precedence of Bids at Same Price
Rule 16. Subject to Article XX, Rule 37(b), [W] where bids are made at the same price, the priority and precedence shall be determined as follows:
(a) When a bid is clearly established as the first made at a particular price, the maker shall be entitled to priority and shall have precedence over [on] the next sale at that price, up to the number of shares of stock specified in the bid, irrespective of the number of shares of stock specified in such bid.

* * * * *
Guaranteed Execution System and Midwest Automated Execution System

Rule 37. (a) Guaranteed Executions. The Exchange's Guaranteed Execution System (the BEST System) shall be available, during the Primary Trading Session and the Post Primary Trading Session, to Exchange member firms and, where applicable, to members of a participating exchange who send orders to the Floor through a linkage pursuant to Rule 39 of this Article, in all issues in the specialist system which are traded in the Dual Trading System and NASDAQ/NM Securities. System orders shall be executed pursuant to the following requirements:
1. No change to text.
2. No change to text.
3. [Dual Trading System] Execution of Agency Limit Orders. Subject to Interpretation and Policy .10 (''Exempted Trade-Throughs''), all agency limit orders in Dual Trading System issues will be filled under the following circumstances:

(a) Exhaustion of primary market bid or offer. When the bid or offering at the limit price has been exhausted in the primary market (as defined in the CTA plan), agency limit orders will be executed in whole or in part, based on the rules of priority and precedence, on a share for share basis with trades executed at the limit price in the primary market;

(b) Price penetration in primary market. When there has been a price penetration of the limit in the primary market, agency limit orders that have resided in the specialist's book for a period of 0-15 seconds (as designated by the specialist) prior to the primary market print will be filled at the limit price; [and]

(c) Primary market trading at the limit price. When the issue is trading at the limit price on the primary market, agency limit orders will be filled at the limit price unless it can be demonstrated that such orders would not have been executed if they had been transmitted to the primary market or the broker and specialist agree to a specific volume related or other criteria for requiring a fill; and

(d) Block size trade-through in another market. In instances where a block trade on the Exchange or other market against which orders are being protected takes place outside the current Exchange quotation, all effective bids or offers limited to the block price or better will be executed at the more favorable block price rather than at the limit price of the affected orders. A specialist may elect to provide automatic execution of designated limit orders at the block price or better when a ''block size'' (as defined in Article XX, Rule 40, Interpretation and Policy .05) trade-through is executed on the primary market.

A specialist may elect automatic execution of such agency limit orders on an issue-by-issue basis.

In the case of Nasdaq/NM securities, a CHX specialist may elect, on an issue-by-issue basis, to engage a functionality that will automatically execute designated resting agency limit orders (or portions of such orders) at the limit price, up to the size of the Limit Order Auto Execution Threshold, when the Designated Market quotation locks or crosses the limit price. For purposes of this provision, (i) ''Limit Order Auto Execution Threshold'' means an aggregate number of shares designated by the CHX specialist, on an issue-by-issue basis, that may be executed automatically at the limit price; and (ii) ''Designated Market'' means the market
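The IPP notice quoted in the comment above asks relying applications to confirm the USPS-registered OID, requires the ''ID Verified by the U.S. Postal Service'' statement, caps certificate lifetime at the 4 year IPP event validity, and requires at least a daily CRL. The sketch below is an added example, not code from the notice, the USPS or any commenter; it assumes the certificate and CRL fields have already been parsed, the class and function names are hypothetical, and the OID is a placeholder from the 2.999 example arc because the notice does not state the real one.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Placeholder OID (2.999 is the example arc); the notice does not give the real value.
IPP_POLICY_OID = "2.999.1.1"
IPP_LABEL = "ID Verified by the U.S. Postal Service"   # section 2.3 statement
IPP_VALIDITY_YEARS = 4                                   # section 2.1, item 3
MAX_CRL_AGE = timedelta(days=1)                          # section 2.1, item 5A


@dataclass
class Cert:
    """Already-parsed certificate fields (hypothetical shape, for illustration)."""
    serial: int
    not_before: datetime
    not_after: datetime
    policy_oids: tuple
    profile_text: str   # assumption: wherever the profile carries the label


@dataclass
class Crl:
    this_update: datetime
    revoked_serials: frozenset


def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


def ipp_expiry(ipp_event):
    """End of the 4 year validity window of an IPP verification event."""
    year = ipp_event.year + IPP_VALIDITY_YEARS
    try:
        return ipp_event.replace(year=year)
    except ValueError:
        # Feb 29 event whose target year is not a leap year (e.g. 2096 -> 2100).
        return ipp_event.replace(year=year, day=28)


def clamp_not_after(requested, ipp_event):
    """CA side: never issue past the IPP event's expiry."""
    return min(requested, ipp_expiry(ipp_event))


def ipp_problems(cert, crl, now):
    """Relying-party side: return reasons to reject; an empty list means accept."""
    problems = []
    if not (cert.not_before <= now <= cert.not_after):
        problems.append("outside validity period")
    if IPP_POLICY_OID not in cert.policy_oids:
        problems.append("IPP policy OID missing")
    if IPP_LABEL not in cert.profile_text:
        problems.append("IPP label missing")
    if now - crl.this_update > MAX_CRL_AGE:
        # Fail closed: a stale CRL cannot vouch for the certificate.
        problems.append("CRL older than one day")
    if cert.serial in crl.revoked_serials:
        problems.append("certificate revoked")
    return problems


# Constructed sample data, not real certificates.
IPP_EVENT = utc(2003, 7, 1)
SAMPLE_CERT = Cert(
    serial=1001,
    not_before=utc(2003, 7, 2),
    not_after=clamp_not_after(utc(2008, 1, 1), IPP_EVENT),  # clamped to 2007-07-01
    policy_oids=(IPP_POLICY_OID,),
    profile_text=IPP_LABEL,
)
SAMPLE_CRL = Crl(this_update=utc(2004, 3, 1, 6), revoked_serials=frozenset({2002}))

if __name__ == "__main__":
    print(ipp_problems(SAMPLE_CERT, SAMPLE_CRL, utc(2004, 3, 1, 12)))
```

In a real deployment the `Cert` and `Crl` values would come from an X.509 parser after the signature chain has been verified; the checks here only cover the IPP-specific conditions.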

Canada too... (3, Informative)

conner_bw (120497) | about 11 years ago | (#6353626)

Canada too...

http://www.epost.ca/ [epost.ca]

Canada Post, Canada's gov snail mail institution, is doing something similar with email where you can pay bills and other such commercial exchanges using their "Electronic Postmark (tm)" technology.

Look into the Euro PKI project (1)

hansreiser (6963) | about 11 years ago | (#6353720)

They got funded to develop a PKI infrastructure with real verification of identity for the EU.

Re:Deutsche Post did that (2, Interesting)

BlueWonder (130989) | about 11 years ago | (#6353722)

Shortly after digital signatures became legally equivalent to regular signatures in Germany, Deutsche Post (the German postal service) offered digital authentication.

Maybe I misunderstand the Federal Register text, but I think the USPS doesn't intend to act as a CA itself, but to verify the identity of people for other CAs. The closest Deutsche Post equivalent to that would be PostIdent. [deutschepost.de]

Open source version (0, Funny)

Anonymous Coward | about 11 years ago | (#6353746)

GNU/Zentalon GNU/writes GNU/"The GNU/United GNU/States GNU/Postal GNU/Service GNU/has GNU/announced GNU/that GNU/it GNU/will GNU/provide GNU/In-Person GNU/Proofing GNU/(pdf) GNU/to GNU/physically GNU/authenticate GNU/individuals GNU/before GNU/a GNU/digital GNU/signature GNU/certificate GNU/is GNU/issued GNU/to GNU/that GNU/person. GNU/This GNU/has GNU/a GNU/bunch GNU/of GNU/interesting GNU/ramifications; GNU/for GNU/instance, GNU/I GNU/could GNU/create GNU/a GNU/simple GNU/spam GNU/filter GNU/that GNU/only GNU/accepts GNU/mail GNU/from GNU/individuals GNU/and GNU/organizations GNU/that GNU/have GNU/an GNU/authenticated GNU/certificate. GNU/It GNU/could GNU/also GNU/allow GNU/for GNU/more GNU/secure GNU/financial GNU/transactions. GNU/Anyone GNU/know GNU/if GNU/any GNU/other GNU/national GNU/postal GNU/services GNU/are GNU/planning GNU/the GNU/same GNU/thing?" GNU/Funny, GNU/they GNU/don't GNU/seem GNU/to GNU/always GNU/know GNU/where GNU/to GNU/deliver GNU/so-called GNU/first-class GNU/mail...

Re:Deutsche Post did that (0)

Anonymous Coward | about 11 years ago | (#6353940)

It's called "PostIdent". Direct banks use it to authenticate customers, for example. Here [deutschepost.de] is more information about this service (in English).

The Post Office? Seriously? (5, Funny)

Just Some Guy (3352) | about 11 years ago | (#6353504)

Of course, your certificate will be snailed to you on the back of a postcard. 10% of them will be lost. Complaints will be handled by people too slow to work at the Department of Motor Vehicles. And although they'll only cost $0.37 to start, their price growth will outstrip inflation. When a competing company starts doing the same things with better service and prices, they'll whine that they're losing business and raise prices again.

Other than that, I'm sure it'll be great. When will my local branch (literally in a small town in Nebraska) have their PKI training day?

Re:The Post Office? Seriously? (2, Interesting)

Anonymous Coward | about 11 years ago | (#6353536)

When a competing company starts doing the same things with better service and prices, they'll whine that they're losing business and raise prices again.

They'd already sort of be competing with Verisign and other certificate authorities that use various ways to verify your identity. I don't know what is worse, dealing with Verisign or dealing with the USPS.

Re:The Post Office? Seriously? (5, Interesting)

Just Some Guy (3352) | about 11 years ago | (#6353595)

Definitely Verisign. The USPS doesn't think it's funny when they accidentally release your property to someone else (see also: sex.com). In fact, rumor has it that having the Postal Inspectors storm your house is not as funny as it sounds (i.e., 30 guys in attack armor carrying assault rifles vs. 5 guys like Cliff from "Cheers").

Re:The Post Office? Seriously? (2, Interesting)

Daetrin (576516) | about 11 years ago | (#6353921)

My grandfather used to deliver mail back in the 60s or something, and my parents told me that at the time, you did NOT fuck with the Post Office. Don't know if that's more or less true nowadays, although the PR about it doesn't seem as good anymore.

Re:The Post Office? Seriously? (1)

Just Some Guy (3352) | about 11 years ago | (#6353952)

That's still the impression I got. Playing a minor practical joke on your deliveryman may get you a nasty letter. Mail some drugs or chemicals that you're not supposed to have and the Men In Black kick in your door.

For real joy, though, see what happens when you get caught by the Railroad Police. Sounds funny, but apparently it's decidedly not humorous at all.

Postal employees better than you think (5, Interesting)

SuperBanana (662181) | about 11 years ago | (#6353780)

Complaints will be handled by people too slow to work at the Department of Motor Vehicles.

I repeat the following story every time I hear someone insult a postal worker.

One day I needed to get something in the mail THAT day, and I wasn't able to get down to the post office. I caught the mailman as he was driving up to the mailbox, and handed him the letter. Except I didn't have enough postage- I had forgotten about the rate increase that had happened recently.

Now, if the guy had wanted to be an asshole, he could have refused it, but he said "you got any change? I'll put the extra postage on it when I get in." I had a quarter on me, gave it to him, and was happy that I had probably still spent less money than the gas it would have taken to get to the post office and back.

What bowled me over was that the next day, he parked, came to the door, and handed me change. I was blown away that he bothered for such a small amount, and had expected him to (rightfully, far as I was concerned) pocket the 15-20 cents for the trouble of having to 'buy' and slap on an extra stamp for me.

NOW, if you want to see how patient postal employees are, see what these guys did [improb.com]. It is incredibly funny (the part about the sender trying to argue they should get money BACK for shipping a balloon is hilarious), but there's a serious message in their absurd little experiment (which involved shipping bricks, hammers, dead fish+seaweed, etc), and I'll include their conclusion here:

First, this experiment yielded a 64% delivery rate (18/28), an almost two-thirds success rate. (For our purposes, "delivery" constituted some type of independent handling by the USPS and subsequent contact regarding the object, regardless of whether we got to see or keep the object or whether it arrived whole.) This is astounding, considering the nature of some of the items sent. This compares with a 0% rate of receipt of fully wrapped packages from certain countries of the developing world, such as Peru, Turkey, and Egypt. Admittedly, those were international mailings, and thus not totally comparable; nevertheless, the disparity is striking.

Second, the delivery involved the collusion of sequences of postal workers, not simply lone operatives. The USPS appears to have some collective sense of humor, and might in fact here be displaying the rudiments of organic bureaucratic intelligence.

Finally, our investigation team felt remorse for some of its experimental efforts, most particularly the category "Disgusting," after the good faith of the USPS in its delivery efforts. We sought out as many of the USPS employees who had (involuntarily) been involved in the experiment as we could identify, and gave them each a small box of chocolate.

We, and all scientists, owe a debt of gratitude to these civil servants. Without them, we would have had but little success in pushing the envelope.

Re:Postal employees better than you think (2, Insightful)

Just Some Guy (3352) | about 11 years ago | (#6353868)

I repeat the following story every time I hear someone insult a postal worker.

That's a good story. I like the mailman that comes to my house; he's a nice guy, and I imagine he'd probably do the same thing for me. In fact, the whole post office in my small town is staffed by genuinely nice, friendly people and I feel kind of guilty about lumping them in with my other generalities.

However, I've also been into post offices where I really wished I was armed to protect myself from both the patrons and the staffers. Unfortunately, those are the experiences that tend to resonate with the population.

Sounds like... (4, Interesting)

Klev (684090) | about 11 years ago | (#6353505)

Sounds like an opportunity to charge us. This seems a lot like the door opening for the postal service's charging to send emails. Why else would they be offering to develop this amazing technology? To make our lives better?

Re:Sounds like... (4, Insightful)

t0ny (590331) | about 11 years ago | (#6353706)

The post office proposed offering email as a provided service long ago. But your complaint has little merit, because many spam-stopping plans already propose adding a "cost" to email, even if it is a nominal fee such as $.01/message. A corporation would shrug at having to pay $8/day for email, but would a bulk mailer sending millions of messages per hour?

The problem with people complaining about paying is that, for things that are worthwhile, it's not about the money. Eventually you will have to pay for something, you are better off spending money on what you want, as opposed to getting what you don't want for free.

Re:Sounds like... (1)

Klev (684090) | about 11 years ago | (#6353783)

Nono, you misunderstand me. I understand your point, I am merely saying that if each of us has a digital id tagging the email messages and whatnot, they can install little USPS scanners on the main routers of the internet and send information on who's been emailing to their headquarters. Then they would send us a monthly tax or however they would implement it, but it could be done.

Re:Sounds like... (1)

t0ny (590331) | about 11 years ago | (#6353801)

Honestly, if it can prevent me from having to get 150 junk mail messages per day to my email account, I'm for it. What do I care if some goober in the post office can look up that I sent an email to my mother?

Re:Sounds like... (1)

Klev (684090) | about 11 years ago | (#6353927)

How would they control messages from other countries? They would just be collecting money from us and eliminating 'legitimate spam' (if there is such a thing) in the states. Perhaps Canada and a few other countries if they signed on with their postal services...but what about countries that don't? A tax is a tax.

Re:Sounds like... (0)

Anonymous Coward | about 11 years ago | (#6353836)

No, they're going to be charging you to verify emails (or whatever).

The business model is basically using the current retail channel that makes it "easy" for consumers to get a Certificate, and then charging vendors to actually validate those Certificates.

They're trying to become a new kind of MS Passport service.

If it takes off with any popularity, and somebody like eBay offers "free" validation during registration, then sellers will start requiring it from domestic buyers.

Is this the start of it? (5, Insightful)

Blaine Hilton (626259) | about 11 years ago | (#6353514)

Is this how they are going to roll out a national database system? Saying it will help in the fight against spam and forgery? Not that I'm "totally" against such a system, but it seems like they are misrepresenting the true nature of this.

Re:Is this the start of it? (5, Insightful)

Anonymous Coward | about 11 years ago | (#6353593)

Is this how they are going to roll out a national database system? Saying it will help in the fight against spam and forgery?

Look, anything that can possibly improve the situation that someone picking up my social security number and date of birth and a few other simple facts about me can end up stealing my identity is a good thing. We're increasingly reliant on computers and digital information yet we have no decent national digital signature infrastructure in place. It is a very sad state of affairs when my mother's maiden name can still be expected to be used as some kind of secure authenticator to protect my bank account information.

Re:Is this the start of it? (1)

BrookHarty (9119) | about 11 years ago | (#6353762)

And the database is Patriot Act complaint too!

1. Use of a Patriot Act compliant
database vetting process to gain initial
assurance of an applicant's identity
before sending the applicant to the
Postal Office for IPP.

But tell me... (3, Funny)

mhore (582354) | about 11 years ago | (#6353522)

what good is a digital signature verified by the Post Office if you are unable to.......... speak?

Mike.

Amazing what the USPS does do with mail. (5, Insightful)

DaRat (678130) | about 11 years ago | (#6353528)

Just a comment about the "Funny, they don't seem to always know where to deliver so-called first-class mail ..." remark.

Have I had mail lost? Yes. Is it annoying? Yes.

But, think about how amazing it is about what the USPS does right. It moves billions of pieces of mail every day, and almost all of it (percentage wise) gets to where it should be going in spite of the fact that not every piece of mail can be automatically routed and multiple people end up looking at it at one point or another. And, in spite of the price increases, I can still send a letter anywhere in the US for 37c and it'll usually get there within 2-3 days.

Sure, dealing with the post office is a pain occasionally, and they do lose some mail. But, when I think about the scope and scale of what they do right, it does boggle my mind.

Re:Amazing what the USPS does do with mail. (0)

Anonymous Coward | about 11 years ago | (#6353581)

How do you know if you have had lost mail? It never got to you.

Re:Amazing what the USPS does do with mail. (5, Insightful)

jdcook (96434) | about 11 years ago | (#6353635)

Mod parent up. I love how /. editors make fun of the post office for an almost imperceptible error rate in billions of pieces of mail but cannot even post a hundred stories in a row (I'm guessing) without a dupe or other obvious error.

Re:Amazing what the USPS does do with mail. (0)

Anonymous Coward | about 11 years ago | (#6353853)

Reminds me of one time I tried to change my address using one of those forms in the post office. I tried to hand it to them at the counter and they just told me to drop it in the mail. I did and several days later I received half of it back (the part with my old address on it) with a note attached to it apologizing for mangling it and being unable to deliver it.

It started at the post office, its final destination was the post office but somehow it still got mangled in transit.

They did however have to have a person physically handle it to find the address to return it to, it was way too mangled to be read by a machine. I guess that's a plus.

Article text (1, Informative)

Anonymous Coward | about 11 years ago | (#6353529)

35922 Federal Register / Vol. 68, No. 116 / Tuesday, June 17, 2003 / Notices
Dated: June 12, 2003.
D.L. Gamberoni,
Technical Coordinator, Office of the Secretary.
[FR Doc. 03-15347 Filed 6-13-03; 11:53 am]
BILLING CODE 7590-01-M
POSTAL SERVICE
In-Person Proofing at Post Offices (IPP) Program
AGENCY: U.S. Postal Service. ACTION: Notice.
SUMMARY: The USPS is announcing the availability of an In-Person Proofing at Post Offices (IPP) Program to support the activities of U.S. Certificate Authorities and government organizations.
EFFECTIVE DATE: June 9, 2003.
FOR FURTHER INFORMATION CONTACT: Chuck Chamberlain at 703-292-4172, or Brad Reck at 703-292-3530
SUPPLEMENTARY INFORMATION: In recent years, a number of new federal statutes have sought to preserve the ability of the public and private sectors to use the efficiency of the internet to rapidly exchange time sensitive communications while assuring that people receiving and sending messages are in fact who they say they are. A number of top quality private sector businesses have mastered the technology around the use of secure digital signatures, yielding a greater demand for improved identity verification for individuals seeking to use digital signatures.
This need for improved ''online identity'' creates a unique service opportunity for the Postal Service to provide value to the public, leverage our retail network and enable internet communications to enjoy a new level of security and reliability. Numerous organizations have approached the U.S. Postal Service to conduct In-Person Proofing (IPP) of customers nationwide for physically authenticating an individual's identification at a post office before the organization issues a digital signature certificate to the individual.
IPP supports efficient, affordable, trusted communications through the use of identification verification at Post Offices, incorporation of process enhancements required by the Postal Service, active management of the IPP program by the USPS, and use of a First Class U.S. Mail piece to verify physical addresses of applicants. We believe that IPP conducted at local post offices will create a new broad based capability for the Nation that promotes improved public trust and greater efficiency in the electronic delivery of a wide range of services. These efforts support achieving the goals of the Government Paperwork Elimination Act of 1998, Electronic Signature in Global and National Commerce Act of 2000, Health Insurance Portability and Accountability Act of 1996, Sarbanes-Oxley Act of 2002, and Gramm-Leach-Bliley Act of 1999 and numerous Presidential Directives on eGovernment.
The following is a brief description of how IPP would work. An organization can establish a relationship with a qualified U.S. Certificate Authority to integrate digital signing with improved identity verification into an online application. Any individual desiring to use digital certificates that include USPS IPP will complete an application online. The online system will verify the individual's identity via commercial data base checking. The system will then produce a standard Postal Service form to be printed out at the ''applicant's'' personal computer. The individual requesting the service will present this form to a participating post office where the ''In Person Proofing'' process is conducted. After successful completion of the IPP event, the CA will notify the applicant to download their digital certificate. For clarity, the steps in the IPP process are outlined below.
1.0 DESCRIPTION
1.1 Purpose
IPP is a postal program to improve the public key infrastructure of the Nation. The public key infrastructure has emerged as an accepted infrastructure component for protecting and facilitating the electronic communications of the Nation.
2.0 BASIC STANDARDS
2.1 Eligibility
For a Certificate Authority (CA) to use IPP, the CA must incorporate the U.S. Postal Service In-Person Proofing Policy into their Certificate Policy. Conformance to the Postal policy includes:
1. Use of a Patriot Act compliant database vetting process to gain initial assurance of an applicant's identity before sending the applicant to the Postal Office for IPP.
2. Perform a verification of the applicant's physical residential address via First Class U.S. Mail with an ''Address Correction Requested'' and ''Do Not Forward'' endorsement.
3. Restrict the expiration date of an IPP based Digital Certificate such that it does not surpass the expiration of the 4 year validity period of an IPP verification event. A new IPP event will be required every 4 years.
4. Facilitate IPP processing by using standard forms and barcodes as directed by the USPS and exchanging of information as necessary for the efficient operation of IPP. This includes:
A. Using the standard ID Verification Form (IDVF),
B. Maintaining a secure repository of IDVF forms,
C. Providing access to IDVF forms and customer account information as necessary for investigative purposes by USPS Inspection Service and the USPS Office of Inspector General,
D. Submitting the processes and operations of the CA to security audits and compliance reviews as required by the USPS, and
E. Restricting the generation of unique barcodes for each IPP event to those expressly permitted by the USPS.
5. Operate the CA to enable the broadest practical use of IPP based digital certificates. This includes:
A. Issuing, at a minimum, a daily Certificate Revocation List to better allow users to rely upon the certificates,
B. Passing an external CA audit in accordance with industry best practices such as ''AICPA/CICA WebTrust Program for Certificate Authorities'',
C. Achieving interoperability with the Federal Bridge for Certificate Authorities, and
D. Incorporating a new common object identifier (USPS registered OID) for IPP based digital certificates.
6. Successfully enter into an agreement with the USPS that includes standard pricing, service level commitments, IPP Policy compliance, liability and service termination provisions, as well as such other terms and conditions as may be included.
2.2 Minimum Volume
IPP transactions are to be purchased in pre-paid blocks of 10,000 transactions by either the CA or a government customer on behalf of the CA.
2.3 Labeling
Each digital certificate must contain the statement ''ID Verified by the U.S. Postal Service'' within the certificate profile to let any user or relying party know that:
The issuer of the digital certificate authority operates in compliance with IPP Policy, and
The holder of the credential did physically appear before a postal employee and had their hardcopy identification successfully verified.
Applications should interrogate the digital certificate presented during an electronic process to confirm the presence of a new common object identifier (USPS registered OID) for IPP based digital certificates.
1 15 U.S.C. 78s(b)(1).
2 17 CFR 240.19b-4.
3 15 U.S.C. 78s(b)(3)(A).
4 17 CFR 240.19b-4(f)(6).
5 The CHX provided the Commission with written notice of its intent to file the proposed rule change on March 2, 2002. The proposed rule change will become operative on June 1, 2003.
6 The CHX inadvertently neglected to underscore a word in the proposed rule text when it filed this proposed rule change. With the CHX's permission, the Commission corrected the omission, so that the proposed rule text as printed in this notice accurately reflects the CHX's intentions. May 22, 2003 telephone conversation between Kathleen M. Boege, Associate General Counsel, CHX, and Joseph P. Morra, Special Counsel, Division of Market Regulation, Commission.
3.0 AVAILABILITY
IPP is available at an initial level of up to 200 post offices promptly following the execution of the first activation agreement. Market demand for IPP, in conjunction with operational assessments, will determine the expansion schedule beyond initial deployment locations.
Stanley F. Mires,
Chief Counsel, Legislative.
[FR Doc. 03-15211 Filed 6-16-03; 8:45 am]
BILLING CODE 7710-12-P
SECURITIES AND EXCHANGE COMMISSION
[Release No. 34-48014; File No. SR-CHX-2003-05]
Self-Regulatory Organizations; Notice of Filing and Immediate Effectiveness of Proposed Rule Change by the Chicago Stock Exchange, Incorporated Relating to the Execution of Limit Orders for OTC Securities June 11, 2003.
Pursuant to section 19(b)(1) of the Securities Exchange Act of 1934 (''Act''),1 and Rule 19b-4 thereunder,2 notice is hereby given that on April 28, 2003, the Chicago Stock Exchange, Incorporated (''CHX'' or ''Exchange'') filed with the Securities and Exchange Commission (''Commission'') the proposed rule change as described in Items I, II and III below, which Items have been prepared by the Exchange. The Exchange filed the proposal pursuant to section 19(b)(3)(A) of the Act,3 and Rule 19b-4(f)(6)4 thereunder, which renders the proposal effective upon filing with the Commission.5 The Commission is publishing this notice to solicit comments on the proposed rule change from interested persons. I. Self-Regulatory Organization's Statement of the Terms of Substance of the Proposed Rule Change The Exchange proposes to amend certain provisions of CHX Article XX, Rule 37(a)(3), which governs, among other things, the execution of limit orders in a CHX specialist's book. Specifically, the CHX seeks to add a provision that would permit a CHX specialist to enable a functionality that would automatically execute designated limit orders for Nasdaq/NM (''OTC'') securities, following dissemination of a locking or crossing quotation in that security by one or more designated OTC market centers. The text of the proposed rule change is below. Proposed new language is in italics. Proposed deletions are in brackets.6 Chicago Stock Exchange Rules Article XX--Regular Trading Sessions
* * * * *
Precedence of Bids at Same Price Rule 16. Subject to Article XX, Rule 37(b), [W]where bids are made at the same price, the priority and precedence shall be determined as follows: (a) When a bid is clearly established as the first made at a particular price, the maker shall be entitled to priority and shall have precedence over [on] the next sale at that price, up to the number of shares of stock specified in the bid, irrespective of the number of shares of stock specified in such bid.
* * * * *
Guaranteed Execution System and Midwest Automated Execution System Rule 37. (a) Guaranteed Executions. The Exchange's Guaranteed Execution System (the BEST System) shall be available, during the Primary Trading Session and the Post Primary Trading Session, to Exchange member firms and, where applicable, to members of a participating exchange who send orders to the Floor through a linkage pursuant to Rule 39 of this Article, in all issues in the specialist system which are traded in the Dual Trading System and NASDAQ/NM Securities. System orders shall be executed pursuant to the following requirements:
1. No change to text.
2. No change to text.
3. [Dual Trading System] Execution of Agency Limit Orders.
Subject to Interpretation and Policy .10 (''Exempted Trade-Throughs''), all agency limit orders in Dual Trading System issues will be filled under the following circumstances:
(a) Exhaustion of primary market bid or offer. When the bid or offering at the limit price has been exhausted in the primary market (as defined in the CTA plan), agency limit orders will be executed in whole or in part, based on the rules of priority and precedence, on a share for share basis with trades executed at the limit price in the primary market;
(b) Price penetration in primary market. When there has been a price penetration of the limit in the primary market, agency limit orders that have resided in the specialist's book for a period of 0-15 seconds (as designated by the specialist) prior to the primary market print will be filled at the limit price; [and]
(c) Primary market trading at the limit price. When the issue is trading at the limit price on the primary market, agency limit orders will be filled at the limit price unless it can be demonstrated that such orders would not have been executed if they had been transmitted to the primary market or the broker and specialist agree to a specific volume related or other criteria for requiring a fill; and
(d) Block size trade-through in another market. In instances where a block trade on the Exchange or other market against which orders are being protected takes place outside the current Exchange quotation, all effective bids or offers limited to the block price or better will be executed at the more favorable block price rather than at the limit price of the affected orders. A specialist may elect to provide automatic execution of designated limit orders at the block price or better when a ''block size'' (as defined in Article XX, Rule 40, Interpretation and Policy .05) trade-through is executed on the primary market. A specialist may elect automatic execution of such agency limit orders on an issue-by-issue basis. In the case of Nasdaq/NM securities, a CHX specialist may elect, on an issue-by-issue basis, to engage a functionality that will automatically execute designated resting agency limit orders (or portions of such orders) at the limit price, up to the size of the Limit Order Auto Execution Threshold, when the Designated Market quotation locks or crosses the limit price. For purposes of this provision, (i) ''Limit Order Auto Execution Threshold'' means an aggregate number of shares designated by the CHX specialist, on an issue-by-issue basis, that may be executed automatically at the limit price; and (ii) ''Designated Market'' means the market

Re:Article text (0)

Anonymous Coward | about 11 years ago | (#6353825)

(a) When a bid is clearly established as the first made at a particular price, the maker shall be entitled to priority and shall have precedence over [on] CmdrTaco's cock inserted in Timothy's rectum.

Hmm, I didn't know that the post office wrote gay sex stories about /. editors into their announcements.

USPS & Personal Identity (-1, Offtopic)

Anonymous Coward | about 11 years ago | (#6353530)

Dear fellow patriots: It is with great urgency and sincerity that I bring to your attention the Mandrake Boycott. [boycott-mandrake.com]

You may not be aware that Mandrake Linux is a French product. Indeed, you would never know because of their shallow attempts to conceal this fact. But a simple trip to the whois database [whois.com] can reveal the truth. Now, you and I would never spend our American dollars on French wine, and we would certainly never travel there. So, why should we support a French company? We shouldn't.

While talking out of one side of their mouth about peace and security, the French have been actively engaged with terrorist groups and terrorist nations to sabotage our efforts to secure our future. You can read about this here [arabicnews.com] and here [france-iran.net] . The French have stabbed us in the back repeatedly and, driven by their jealousy of our great Nation, they have exposed themselves as the traitorous liars that we have always suspected. It is also widely known that Jacques Chirac was an active supporter and business partner of Saddam Hussein. This is well documented; you can learn more here [vietpage.com] and here [indusbusinessjournal.com] .

The French are having a very difficult time because they are long past their colonial greatness and have descended to a chaotic socialist society of laziness and ineptitude. Rather than realistically assess their own blame and work to restore their own status, they seek to bring us down. They lash out at the great nations who now lead the world community. The French are a shallow people who resent with great bitterness those who saved them. In WW1 and WW2 we rescued the French after they surrendered and allowed them to preserve their way of life. But who can forget that the French jeered and spit on our liberating forces, before the final shot had even been fired? For more information check here [wwiionline.com] or here [worldnetdaily.com] .

We must now teach the French a lesson, and it is for their own good. They should not bite the hand that saves them, for soon we may decide they are not worth saving anymore. Therefore I urge you to boycott Mandrake Linux. Of course it would not be American for me to tell you what to do. If you must use Mandrake, then use it. Simply do not pay for it.

Now that I have your attention, I would like to discuss the larger issue of Linux in general. It is time for us, fellow patriots, to look at our situation in the world on a global scale. Microsoft is an American company. Bill Gates started with nothing and built an empire. What is the problem here? We should be supporting American enterprise, not undermining it. The simple fact is that no true patriot would use Linux at all. In these hard times we must rally around our companies, our economy, and our president. If we let the 'Linux Community' have their way, we will all be at the mercy of the Germans making KDE, or the Japanese with their desktop. Do you plan to learn Japanese in the near future? You may have to, if we don't start ponying up to the bar and laying it down for our cause.

Thank you for your attention. I trust I have reached you with this message, and we all look forward to a world united under the flag of Freedom, Democracy, and the American Way.

good idea? Maybe.... (2, Insightful)

deque_alpha (257777) | about 11 years ago | (#6353542)

I dunno, while this seems like a great idea on the surface, I am a little leery about going and getting "proofed" for this digital signature. Having not read the article, it seems like just one more database entry on me to be cross-referenced so that I can be "accurately" profiled by the government or whatever other really large entity decides they want to. I'll stick to my GPG signature, thanks. But then again, maybe my foil hat needs to be adjusted....

Who am I? (2, Interesting)

fm6 (162816) | about 11 years ago | (#6353548)

Funny, they don't seem to always know where to deliver so-called first-class mail ...
I suppose that was meant humorously, but there's a serious point here. It doesn't matter whether the PDF (they better find some other initials) accurately describes the person it's issued to. You can take it for granted there will be a high fraud rate -- as there already is in the domain registry records.

What's important is that the PDF is unique. Once it becomes clear that a PDF is associated with a spammer, the PDF will become useless, no matter who it claims to belong to.

Re:Who am I? (1)

jhunsake (81920) | about 11 years ago | (#6353605)

PDF is the file format of the document linked, you moron.

Re:Who am I? (1)

fm6 (162816) | about 11 years ago | (#6353889)

Duhhhhhhhhhhhh!

Re:Who am I? (0)

AceCaseOR (594637) | about 11 years ago | (#6353638)

Um... just so you know, PDF is referring to the document that's being linked to (as it's a PDF document). From the sounds of things, the acronym for this new service would be either IPP (In Person Proofing) or PIC (Personal Identity Certification).

Re:Who am I? (0)

Anonymous Coward | about 11 years ago | (#6353646)

The PDF was the format of the document, not an abbreviation for the name of the system.

email anonymity and spam (2, Insightful)

I Want GNU! (556631) | about 11 years ago | (#6353549)

This sounds potentially like a great method to prevent spam or at least to allow verified mail, but it still doesn't sound like a complete solution. One of the distinguishing characteristics of the Internet is that it allows people anonymity. If only emails with digital signatures are allowed then anonymous email won't get through. On the other hand, if verified email were possible, it would prevent false positives for spam and Bayesian filters could handle the rest of email. This way emails wouldn't be falsely designated as spam and everything would get through.

No postage due (1, Interesting)

poptones (653660) | about 11 years ago | (#6353749)

I doubt this will become the way. To begin with it's US-centric and the internet definitely ain't. So is everyone in the world supposed to get a number?

The other failing is it would be trivial to simply lie about the number - that is, if a number is required (just as an IP is now) then spammers will simply make one up. In order for a "valid" number to be required to traverse mail then every email would have to be authenticated through a central database. Thus, it's completely impractical as a means of reducing spam anywhere except the end user's mailbox. And we already have plenty of ways of doing that.

It IS useful, however, if you and I want to enter into a transaction without having to use the banking system. You send me merchandise, I send you cash - and if either of us defaults there is a reliable means of tracking the individual and holding them responsible. It's almost like a nationwide ebay ID in that "bad traders" can be reliably tracked and, therefore, blacklisted. On THAT level it's quite practical and, from the POV of one who refuses to use plastic, a welcome alternative.

Re:No postage due (0)

Anonymous Coward | about 11 years ago | (#6353903)

If your cert has been signed by a CA, all I need to verify it is a copy of that CA's public signing key (usually in a self-signed cert). That takes just one request (plus one extra each time the signing key expires, which is probably quarterly or annually) for an unlimited number of messages.
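The relying-party checks described in the reply above and in the Federal Register notice quoted earlier in the thread (CA signature verified offline with the CA's public key, IPP policy OID present, validity capped at four years, a daily CRL), as an added example that is not any poster's code or anything published by the USPS. It is a toy model: textbook RSA over Mersenne primes and JSON records replace real X.509, and the OID `2.999.1`, the names, dates and serial numbers are constructed placeholders.

```python
# Toy model: textbook RSA over Mersenne primes (trivially breakable) and JSON
# "certificates" stand in for real X.509 so this runs on the standard library alone.
# Every name, date, serial and the OID below is constructed for the example.
import hashlib
import json
from datetime import datetime, timedelta

IPP_OID = "2.999.1"                  # placeholder; the USPS-registered OID is not on the page
MAX_VALIDITY = timedelta(days=1461)  # a certificate may not outlive the 4-year IPP event
MAX_CRL_AGE = timedelta(days=1)      # the CA issues at least a daily CRL
E = 65537                            # public exponent shared by all toy keys


def make_key(p_exp, q_exp):
    """Toy RSA key built from the Mersenne primes 2**p_exp - 1 and 2**q_exp - 1."""
    p, q = 2**p_exp - 1, 2**q_exp - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}


def _digest(obj):
    data = json.dumps(obj, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(obj, key):
    return pow(_digest(obj), key["d"], key["n"])


def verify(obj, sig, n):
    return pow(sig, E, n) == _digest(obj)


def issue(ca_key, body):
    """CA side: sign a certificate body or a CRL body."""
    return {"body": body, "sig": sign(body, ca_key)}


def cert_body(subject, key, serial, not_before, not_after, policies):
    return {"subject": subject, "n": format(key["n"], "x"), "serial": serial,
            "not_before": not_before, "not_after": not_after, "policies": policies}


def check_message(msg, msg_sig, cert, crl, ca_n, now):
    """Relying-party checks; needs only the CA's public modulus and a cached CRL."""
    body = cert["body"]
    if not verify(body, cert["sig"], ca_n):
        return "bad CA signature"
    if IPP_OID not in body["policies"]:
        return "no IPP policy OID"
    start = datetime.fromisoformat(body["not_before"])
    end = datetime.fromisoformat(body["not_after"])
    if not start <= now <= end:
        return "expired or not yet valid"
    if end - start > MAX_VALIDITY:
        return "validity exceeds 4-year IPP window"
    if not verify(crl["body"], crl["sig"], ca_n):
        return "bad CRL signature"
    age = now - datetime.fromisoformat(crl["body"]["issued"])
    if not timedelta(0) <= age <= MAX_CRL_AGE:
        return "stale CRL"
    if body["serial"] in crl["body"]["revoked"]:
        return "revoked"
    if not verify(msg, msg_sig, int(body["n"], 16)):
        return "bad message signature"
    return "accept"


def demo():
    """Constructed scenario: one acceptable sender and six messages that must be refused."""
    ca, alice, mallory = make_key(521, 607), make_key(1279, 2203), make_key(2281, 3217)
    now = datetime(2003, 7, 4, 12, 0)
    crl = issue(ca, {"issued": "2003-07-04T00:00:00", "revoked": [1002]})
    msg = "Lunch on Friday?"

    def run(signer, cert, text=msg, when=now):
        return check_message(text, sign(msg, signer), cert, crl, ca["n"], when)

    def alice_cert(serial=1001, end="2007-06-30", policies=(IPP_OID,)):
        return issue(ca, cert_body("alice", alice, serial, "2003-07-01", end, list(policies)))

    # A certificate the sender signed with their own key instead of the CA's.
    self_made = issue(mallory, cert_body("alice", mallory, 1001, "2003-07-01",
                                         "2007-06-30", [IPP_OID]))
    return {
        "CA-signed": run(alice, alice_cert()),
        "self-made": run(mallory, self_made),
        "no OID": run(alice, alice_cert(policies=())),
        "six-year": run(alice, alice_cert(end="2009-07-01")),
        "revoked": run(alice, alice_cert(serial=1002)),
        "stale CRL": run(alice, alice_cert(), when=now + timedelta(days=2)),
        "altered text": run(alice, alice_cert(), text="Lunch on Monday?"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:13} -> {verdict}")
```

The only network-dependent input is the CRL, which the verifier can fetch once a day and cache; everything else is checked locally against the CA's public key.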

Re:email anonymity and spam (1)

k12linux (627320) | about 11 years ago | (#6353813)

If only emails with digital signatures are allowed then anonymous email won't get through.

A bunch of non-anonymous (there HAS to be a better real word for that) e-mail wouldn't get through either. I suspect that filtering out messages without certs will fail. This is primarily because, like me, most people won't bother to go and get a cert. There are too many people (again like me) who will have an "if they won't accept unsigned e-mail, I will deal with another company" attitude.

Also, unless it's brain-dead simple, most of today's Internet users won't have a clue how to install or use their new certificate with their mail prog of choice anyhow.

Maybe this isn't being done for the obvious reasons. Seems to me that this might be the first step towards Internet voting for government elections. Or maybe I'm wrong and the USPS just sees it as another revenue stream.

Re:email anonymity and spam (1)

thrillseeker (518224) | about 11 years ago | (#6353904)

I suspect that filtering out messages without certs will fail. This is primarily because, like me, most people won't bother to go and get a cert.

They will when all their correspondents start bouncing their non-certed mail.

Seriously. (5, Funny)

American AC in Paris (230456) | about 11 years ago | (#6353552)

Funny, they don't seem to always know where to deliver so-called first-class mail ...

I hear ya there.

The USPS could learn a thing or two about accuracy and error-prevention from Slashdot.

fnord

Re:Seriously. (1)

leviramsey (248057) | about 11 years ago | (#6353597)

If Slashdot ran the post office, you'd receive four copies of the same letter or package, often on the same day.

Re:Seriously. (1)

Anonymous Cow herd (2036) | about 11 years ago | (#6353667)

If Slashdot ran the post office, you'd receive four copies of the same [...] package, often on the same day.

Sweet, where do I sign up? Time to order some memory through SlashMail :-)

Re:Seriously. (1)

DMDx86 (17373) | about 11 years ago | (#6353864)

hell with that.. I'm calling up Dell and ordering me a nice Xeon system... I'll have my Beowulf cluster in no time!

Re:Seriously. (4, Funny)

DMDx86 (17373) | about 11 years ago | (#6353709)

If Slashdot ran the post office, you'd receive four copies of the same letter or package, often on the same day.

Not only that, Michael would open your mail, insert spelling mistakes, and write [ed. note - no it isn't] by stuff in your letters

Certificates (5, Interesting)

KeyserDK (301544) | about 11 years ago | (#6353556)

I received my official danish digital certificate(x.v509) by getting two pin codes. One via snail mail and the other when I ordered the certificate via the web. Both had to be typed in to receive the certificate via mail.

Seems pretty secure to me.

The only thing it works for so far is tax stuff, and mail.

Re:Certificates (1)

KeyserDK (301544) | about 11 years ago | (#6353622)

Of course I did not receive it by email. It was 'delivered' via https

Re:Certificates (2, Informative)

NearlyHeadless (110901) | about 11 years ago | (#6353705)

I received my official danish digital certificate(x.v509) by getting two pin codes. One via snail mail and the other when I ordered the certificate via the web. Both had to be typed in to receive the certificate via mail.


Seems pretty secure to me.


That verifies your snail mail address, not your identity.

Re:Certificates (0)

Anonymous Coward | about 11 years ago | (#6353877)

Yes, but if we could cryptographically verify all snailmail addresses, we could reform the postal protocol to eliminate junk mail.

Ramifications (5, Insightful)

the_pointman (143482) | about 11 years ago | (#6353569)

The USPS' idea for certified proofing for digital signatures is in the right direction for securing financial transactions, helping to prevent spam (in the case of accepting emails only e-signed from registered people), but initiating such a project will bring the US closer to a National ID card.

By attaching services such as online tax refunds or filings, the public will be /required/ to register with the USPS in order to take advantage of the online filings with the IRS. Sure, but what if people just file in paper? Without a doubt, the government will then add a fee to paper filings to encourage taxpayers (everyone) to register with the USPS service.

Let me see your papers, please!

Re:Ramifications (0)

Anonymous Coward | about 11 years ago | (#6353772)

You already have a national ID card - your SSN card.

Re:Ramifications (2)

NuttyBee (90438) | about 11 years ago | (#6353914)

The ramifications of a National ID card are that the benefits outweigh the downside. I get 6 credit reports a year (3 credit bureaus x 2 times a year) just to make sure that someone isn't opening up Visa cards in my name.

Why do I have to do this? Because the world we live in currently uses my SSN, mother's maiden name, and a computer generated FICO score to determine whether to insure me and extend credit. When this "credit info" is wrong, and so far I've found literally constant errors, it takes 6 months to resolve them.

And anyone can get credit info fairly easily. We absolutely need to implement a national ID system as a way of combatting identity theft and forgery. My SSN and mother's maiden name are not a good security system.

Additionally, flagging everyone named "David Nelson" at the airport because the name is on a no fly list is equally ridiculous. Figure out which David Nelson is your problem and let the other 500 people with the same name go about their business.

The time has come for a National ID card and biometric identifiers for all. I'd rather hold the government responsible for verifying my identity than say Experian or Equifax who can't even figure out which credit cards I have but won't hesitate to generate an inaccurate score based on their wrong information.

great! (1)

Fux the Pengiun (686240) | about 11 years ago | (#6353570)

This sounds like a wonderful idea! It's about time the USPS got with the times. For too long they've been afraid of digital technology. Remember when they tried to put a tax on faxes in the 80's because they thought everybody was going to use those instead of sending letters? It's that kind of short-sightedness that hurts the postal service's quality image as a whole.

The only thing that worries me is the oversight on this by Donald Rumsfeld. The USPS is actually a division of the US Department of Defense...kind of like how the Treasury department oversees the secret service. Does this mean, then, that the Bush administration would get to decide who does and doesn't get digital certificates? Also, what about big business interests? Bill Gates gives an awful lot of money to Bush, so what if he decided no Linux users could get these certs?

What are your thoughts, guys?

Cheers, FtP

Re:great! (3, Informative)

Ever Dubious (686307) | about 11 years ago | (#6353738)

Actually a division of the US DOD? Bullshit. From the USPS web site:

United States Postal Service

The Post Office Department was transformed into the United States Postal Service, an independent establishment of the executive branch of the Government of the United States. The mission of the Postal Service remained the same, as stated in Title 39 of the U.S. Code: "The Postal Service shall have as its basic function the obligation to provide postal services to bind the Nation together through the personal, educational, literary, and business correspondence of the people. It shall provide prompt, reliable, and efficient services to patrons in all areas and shall render postal services to all communities."

The new Postal Service officially began operations on July 1, 1971. At that time, the Postmaster General left the Cabinet, and the Postal Service received:

* Operational authority vested in a Board of Governors and Postal Service executive management, rather than in Congress.
* Authority to issue public bonds to finance postal buildings and mechanization.
* Direct collective bargaining between representatives of management and the unions.
* A new rate-setting procedure, built around an independent Postal Rate Commission.

Title 39, the Postal Reorganization Act, also vested direction of the powers of the Postal Service in an 11-member Board of Governors. Nine members (the Governors) are appointed by the President, by and with the advice and consent of the Senate. They serve staggered nine-year terms, and no more than five Governors may belong to the same political party. Governors are chosen to represent the public interest generally, may not represent specific interests using the Postal Service, and may be removed only for cause.

Re:great! (1)

jhunsake (81920) | about 11 years ago | (#6353778)

This is Slashdot, where we make up our facts (referring to the grandparent, of course).

Patriot Act Tie In (3, Interesting)

Fred IV (587429) | about 11 years ago | (#6353579)

2.1 Eligibility For a Certificate Authority (CA) to use IPP, the CA must incorporate the U.S. Postal Service In-Person Proofing Policy into their Certificate Policy. Conformance to the Postal policy includes: 1. Use of a Patriot Act compliant database vetting process to gain initial assurance of an applicant's identity before sending the applicant to the Postal Office for IPP.

Yay, more data to shove into the Patriot Act machine. What a bargain!

Home Security? (1)

Yxes (7776) | about 11 years ago | (#6353580)

I wonder what impact this will have on our "Home Security" initiatives. Will they make it mandatory that we turn in a digital signature and identify ourselves? America seems to be drawing nearer and nearer to a police state and I wonder what impact something of this nature will produce in the long run.

in bulgaria (2, Informative)

darp (181922) | about 11 years ago | (#6353582)

I saw this in Bulgaria. Few online banking sites require use of digital certificates and username/password. You have to go in person to one of the bank branches before you can get a digital certificate. Once having the certificate one can do a lot of things that we can't here in US - online transfers, forex, etc

Re:in bulgaria (1)

jhunsake (81920) | about 11 years ago | (#6353654)

we can't here in US - online transfers, forex, etc

I have several accounts with different banks here in the US. They all have online transfers.

USPS User Experience (5, Funny)

Anonymous Coward | about 11 years ago | (#6353589)

User enters post office. Waits 20 minutes in line. Gets to front of the line.

Agent: (slowly) May I help you?
User: I'd like to get a certified digital ID.
Agent: (slowly) Okay, please go to the back of the room and fill out form 2219. When you're done, please bring it back to the front.
User searches a while
User: Where's the form?!
Agent: (slowly) If it's not there, we're out. You can always call 1-800-ASK-USPS for more information.
User: But they told me to come here! You have to verify my ID!
Agent: (very slowly) I'm sorry, you'll have to speak to the manager. He's gone for the day. You'll have to come back Monday at 10 am.
User: AAAAIIIEEEEEEE!!!!! runs screaming from the post office

Yeah, this will be a big hit.

Like a PGP key signing party-- (2, Insightful)

ccmay (116316) | about 11 years ago | (#6353604)

Like a PGP key-signing party -- remember those? -- but without the party, and only a surly union-slug postal clerk instead of dozens of new and interesting techie friends. Too bad it never really caught on except as a way to check your open-source downloads.

I am concerned that what begins as a voluntary initiative will one day become quasi-mandatory, like carrying a driver's license.

-ccm

Re:Like a PGP key signing party-- (1)

crisco (4669) | about 11 years ago | (#6353760)

Could I sign my PGP public key with the USPS one, creating a chain of trust?

That way I could continue to use the PGP/GPG tools and keys that I already have and add whatever level of trust available from the USPS.

I need a vacation... Oh! I'm starting one! :-) (4, Funny)

HarveyBirdman (627248) | about 11 years ago | (#6353606)

The United States Postal Service has announced that it will provide In-Person Proofing

I swear on my grandmother's grave that I saw "In-Person Shooting" when I first read it.

A few less FPS games for me, I think. More Super Mario Sunshine and Animal Crossing for a while.

Well, I have a 5-day weekend ahead of me. You all play nice.

Uh-huh... (2, Insightful)

Angry Pixie (673895) | about 11 years ago | (#6353607)

So the digital certificate could be used to validate the mail I sent really came from me? Oh, I'd just attach the certificate to the email? Oh, there's a central repository where all the email addresses I might use can be linked to the certificate? Oh, how lovely... and who would this repository be available to? Only the government? Oh grand. Sign me up!

Re:Uh-huh... (2, Informative)

hbo (62590) | about 11 years ago | (#6353830)

No, the certificate authority would sign your personal certificate, just like they do now. The USPS would have an arrangement whereby they would prove that you are who the certificate says you are through a visit to your local Post Office. The central certificate repository would be at the CA.

The Big Brother aspect comes in the arrangement between the USPS and the CA. As noted above, the CA would be required to check your identity against a Patriot Act database before passing the request on to the Post Office. Reading between the lines, it would seem that information collected from you in your CSR might end up refreshing the data in the Patriot Act database. Combine that with the requirement that certificates expire after four years, and you have a mechanism to keep that national database current. All of this is good IT/database practice. But in the hands of the Government, it raises concerns.

Yes! (3, Funny)

fireboy1919 (257783) | about 11 years ago | (#6353610)

This is just what I've been looking for!
(start playing the sad story music, if you have any - Michael Jackson stuff will work real well here)
You see, I've had sort of an identity crisis - not really sure who I am. The post office can finally change that. They can authenticate me, and authenticate who I am. No more wandering willy-nilly.

(at this point please begin playing some patriotic music to get the full effect of the message)
With the post office as my guide, I will rise to the brink of a better tomorrow and boldly go forth to face my dreams because I am authenticated!

Thank you, US post office. The world is in your debt.

couple of concerns... (3, Insightful)

tx_kanuck (667833) | about 11 years ago | (#6353612)

1) How well will this work with other authentication techniques? (ie. if other postal systems start this, will there be interoperability? If so, who coordinates this?)

2) How good is the procedure to replace a lost/stolen certificate?

3) What good is this for people not in the US?

4) If someone lives in the US, gets one of these, and then moves, can it still be updated/replaced?

5) I forget the other question.

Granted, I only skimmed the article, so I may have missed the answers, but still....

A good thing? (1)

Realistic_Dragon (655151) | about 11 years ago | (#6353637)

It depends - this offers a way to get common certification available (a la Palladium) using a government as the trusted body and not Microsoft. That's a step up, but still not perfect considering the amount of fraud (welfare, SS etc) that people still seem to get away with on the gov't's watch.

If they combine it with a decent PGP style web-of-trust implementation and let the user decide what weighting he wants to give to trusts he has assigned and those that the USPS has assigned then this could be a killer digital signature implementation.

Postal Workers (0, Flamebait)

jmorse (90107) | about 11 years ago | (#6353652)

All postal workers will be required to purchase one of the digital signature keys, allowing to verify their identity before reporting for work or going on a shooting rampage.

Re:Postal Workers (2, Funny)

Sloppy (14984) | about 11 years ago | (#6353850)

"Sorry, this AK47 is not registered to this user. Please call the Kalashnikov Corporation customer service hotline at 1-800-COMMUNISM and have a credit card ready..."

Too bad for the goatse guy. (-1, Offtopic)

Anonymous Coward | about 11 years ago | (#6353655)

How could they authenticate him? [goatse.cx]

KGTO (-1, Offtopic)

Anonymous Coward | about 11 years ago | (#6353686)

Anonymous Coward [slashdot.org] , it's all about the GOAT with you, isn't it?!!!

Am I missing something? (0, Interesting)

packethead (322873) | about 11 years ago | (#6353670)

Please tell me if I pulled a Rip Van Winkle here. But, when did the USPS start controlling e-mail? Maybe I'm in the middle of some bizarre Orwellian nightmare. Next thing you're going to tell me is that we've become a police state and a new Dept of the government has been established to "watch" us.

Sheesh!

Hmmm, maybe they'd be able to find my house... (0)

shepd (155729) | about 11 years ago | (#6353671)

...and do it on time [slashdot.org] next time [slashdot.org] if I had a certificate. Then again, I don't know if I'd really want to give useless parcel service my name and number for a permanent database.

Argh... (1)

shepd (155729) | about 11 years ago | (#6353689)

Where's delete comment when you need it?

Must read titles more closely next time... Sorry.

IPP? (-1, Troll)

Anonymous Coward | about 11 years ago | (#6353680)

I poo poo! thank the sacred money gods (tm) that I don't live in that great country of ever diminishing freedoms, the effing US of A. Bush and his buddies are turning the US into a police state that will make nazi Germany look like kindergarten!

non-USA email (2, Insightful)

innocent_white_lamb (151825) | about 11 years ago | (#6353682)

Not all email that doesn't originate in the USA is spam. Using this as a spam filter would balkanize Internet email and make it "domestic USA mail only" for US residents, and available internationally only for those who live elsewhere.

Trust (0, Redundant)

m_niessner (529935) | about 11 years ago | (#6353701)

I can't trust that they can send a package without damaging/losing it. And now, I'm gonna trust them to properly identify people?

But the USPS won't issue the certs, correct? (4, Insightful)

Just Some Guy (3352) | about 11 years ago | (#6353719)

After reading the article (hey! There's a first for everything!), it seems as though the USPS will only be providing official ID verification to 3rd-party CAs who will use it to determine whether they, not USPS, will issue the cert. In other words, the USPS will only be vouching for you to the CA - they won't be authenticating you to the public at large.

Great. Just great. Now I get to deal with the Post Office and Verisign when I want to lock down an SSL site.

Please shoot me.

I hate X.509 (3, Insightful)

Sloppy (14984) | about 11 years ago | (#6353733)

Forget this X.509 crap, I want postmaster@usps.gov to sign my PGP key!

I hate X.509. It's cumbersome and weird (that extra 'cert request' step), while also being functionally lame (only one signature, and you have to either completely trust it or not). Why anyone would want to use that when there's something so much better available (OpenPGP), is beyond me.

Australia Post (2, Interesting)

Anonymous Coward | about 11 years ago | (#6353786)

Australia Post was looking at providing this service for its "Gatekeeper" x.509 platform. It is also known as "RA" (registry Authority), and considering that Australia Post is already the "RA" for our passport applications - they would probably be the best suited too.

I don't think that X.509 has been "widely accepted by the community" yet... so I can't find any more details about it..

Re:Australia Post (2, Interesting)

ZenJabba1 (472792) | about 11 years ago | (#6353831)

Australia Post actually did issue X509 certificates, I still have the floppy disk. I think in the end they issued around 500 certificates because nobody was using them as nobody had the hardware needed to support the backend processing (AP wanted dedicated links in the backend servers to the ROOT cert).

It eventually failed and has never been heard from again. I do remember them sending me an email telling me it was going to be dismantled and I had 12 months more use of my certificate for free.

They also used physical presence ID checks, and I remember walking in my country post office and the postal person looking at me as if I had horns growing out of my head. I was the only person who ever approached him about getting the certificate to this day.

---

Isn't this simply a Class 3 X.509 cert? (1)

joeflies (529536) | about 11 years ago | (#6353843)

The definition for having people appear before issuing a cert has been around as long as there's been 3rd party CAs. However, a practical application to make it explode hasn't (most consumers still don't have a compelling reason to get any personal cert, except for the one they get in a smartcard). Frankly, there wasn't any reason for a consumer to get one because there was no compelling benefit.

I would hazard to guess that the majority of consumer-level encrypted e-mail relies on PGP, not 3rd-party CA-issued certs. Thus, no uptake of certs for that reason. Most people probably don't even care if it's encrypted or not.

However, now that spam has become a major annoyance, and spoofed spam targeting Best Buy, PayPal, and eBay users are causing fraud, there is perceived benefit from better secured e-mail services. If the USPS is successful in selling the benefit (i.e. certifiable, spam filtered mail), then perhaps we will start to see real adoption of 3rd party CA certs for consumers.

Oh goody! Now we can all get our MARK! (1, Interesting)

pair-a-noyd (594371) | about 11 years ago | (#6353863)

Just what we've all been waiting for, our government approved identity mark. [uspto.gov]
Tell us, will we be tattooed with it, and if so, will it be on the forehead or the right hand??

(http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=/netahtml/srchnum.htm&r=1&f=G&l=50&s1=5,878,155.WKU.&OS=PN/5,878,155&RS=PN/5,878,155)

If you don't believe it, go to the United States Patent Office website and search for APPROVED patent number 5,878,155
and or this, "Method for verifying human identity during electronic sale transactions"

But it SOLVES NOTHING! (0)

Anonymous Coward | about 11 years ago | (#6353900)

It doesn't stop ANY of the TRAFFIC caused by spam. It's a worthless "solution" in that regard.

Red Alert! (3, Interesting)

twitter (104583) | about 11 years ago | (#6353920)

A number of top quality private sector businesses have mastered the technology around the use of secure digital signatures...

Market droid talk. If they are so good why does the post office need to get into it? Other talk about "demand", "unique service opportunity" and trusted computing has my back up. It's all so Microsoft sounding. But that's just the beginning.

They are going to use "commercial database checking", and the databases must be "Patriot Act Compliant". While the commercial database check looks like corporate welfare, the Patriot Act part looks like a land grab. What, besides any old G-man clerk having the authority to look at all of your data, constitutes Patriot Act Compliance?

The authentication method is first class mail and a file that disappears in four years. I'm not going to think very hard about all the ways to defraud the post and defeat this system, but mail fraud is still a common problem. The disappearing file is the real clincher. What "top quality private sector business" has a patent on DRM OS and has been touting files that expire as a means to "trusted computing"?

Having a certificate authority is good. Using that need as a means to nationalize software, usurp private databases, funnel tax money into private hands and force everyone to use proprietary software is not good. The system needs to be run on proven free and open standards in a non-revocable manner.

The USPO is going to have to do better than that to win my trust. I've got one Microsoft machine for talking to an old camera and a scanner. I don't let it see the internet because it's so easy to break and own. Any plan that would force me to use software I don't trust for ecommerce is a plan I don't trust or want.

Two years ago, some moron told me that the US government would make it illegal to run anything but Microsoft software. He actually thought this was a good idea and was convinced it would happen. I told him that would violate the first amendment rights to free speech, and effectively nationalize general purpose computing, and such laws were laughably unAmerican. I'm not laughing anymore.

Someone tell me I'm just paranoid, please.

In-Person Spoofing? (1)

mikeophile (647318) | about 11 years ago | (#6353924)

Seriously, I'm guessing a whole crowd of black hats read that story and went "Hurray!".

Old News, but Interesting (4, Interesting)

shiflett (151538) | about 11 years ago | (#6353931)

I was actually one of the developers of this project (three years ago), and it is funny to see that they are finally "announcing" it.

The idea is simple, and it is actually a useful service that the USPS has the resources to provide, if they actually go through with it. Whereas SSL only authenticates the server (among other things, of course), the allocations for client authentication in SSL are optional and very rarely used. All the client needs for this is its own digital certificate, just like the server has its certificate.

So, to get an SSL certificate, we (whether we like it or not) trust the various CAs to make certain that they are granted to the rightful owners. When it comes to client certificates, the scope of the problem becomes much larger, because you are authenticating people rather than domains. If you fail to properly identify someone before issuing the digital certificate, the point is lost.

The USPS has post offices all over the US (their only country of concern in this case), and this fact provides the perfect platform for authenticating people. Just as with Passports, you must prove your identity in person before being authenticated.

How do the pieces fit together? Well, it is fairly simple, but it involves a lot of existing systems, some of which are aging. You register online (providing much personal information, including what forms of ID you will be bringing with you). This generates a letter that is sent to your address (verifying your address in the process). You take this letter to the post office, and if you pass the in-person proofing, the clerk scans the barcode on the letter. This scan makes its way back to the system in about 24 hours, and then your digital certificate is generated. An email is sent to let you know, and you can then download it from the Web site after logging in.

At any rate, I still think the general idea is a good one, and this would be a useful service for a lot of people. I hope it is successful.
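The enrollment flow described in the comment above, modeled as a small state machine (an added example, not part of the original comment and not USPS code). The class and method names, the HMAC-authenticated barcode, and the placeholder certificate string are assumptions made for illustration; the point is that issuance refuses forged, replayed, or out-of-order proofing steps.

```python
import hashlib
import hmac
import secrets
from enum import Enum


class State(Enum):
    REGISTERED = 1      # online form submitted, IDs declared
    LETTER_MAILED = 2   # letter with barcode sent to the claimed address
    PROOFED = 3         # clerk checked ID in person and scanned the barcode
    ISSUED = 4          # certificate generated and available for download


class ProofingError(Exception):
    """Raised when a step is forged, repeated, or attempted out of order."""


class EnrollmentSystem:
    def __init__(self):
        # Assumption: the barcode is authenticated with a server-side HMAC key.
        self._key = secrets.token_bytes(32)
        self._apps = {}

    def _mac(self, app_id):
        return hmac.new(self._key, app_id.encode(), hashlib.sha256).hexdigest()

    def _require(self, app_id, expected):
        # Every transition names the single state it may start from.
        app = self._apps.get(app_id)
        if app is None or app["state"] is not expected:
            raise ProofingError(f"application not in state {expected.name}")
        return app

    def register(self, name, address, declared_ids):
        app_id = secrets.token_hex(8)
        self._apps[app_id] = {"name": name, "address": address,
                              "ids": frozenset(declared_ids),
                              "state": State.REGISTERED}
        return app_id

    def mail_letter(self, app_id):
        app = self._require(app_id, State.REGISTERED)
        app["state"] = State.LETTER_MAILED
        # Barcode printed on the letter: application id plus its MAC.
        return f"{app_id}:{self._mac(app_id)}"

    def record_scan(self, barcode, ids_presented):
        app_id, _, mac = barcode.partition(":")
        if not hmac.compare_digest(mac.encode(), self._mac(app_id).encode()):
            raise ProofingError("barcode failed authentication")
        # A second scan of the same letter fails here: state is no longer LETTER_MAILED.
        app = self._require(app_id, State.LETTER_MAILED)
        if frozenset(ids_presented) != app["ids"]:
            raise ProofingError("presented ID does not match registration")
        app["state"] = State.PROOFED

    def issue(self, app_id):
        app = self._require(app_id, State.PROOFED)
        app["state"] = State.ISSUED
        return f"CERT-PLACEHOLDER-{app_id}"   # stands in for the real certificate
```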

Don't blame just the USPS, geez (4, Informative)

EvilStein (414640) | about 11 years ago | (#6353934)

"Funny, they don't seem to always know where to deliver so-called first-class mail ..."

No, not very funny. Rather clueless. Did you know that the USPS has domestic airlines carrying mail?
I can't even count the times I've found stray (or lost) bags of mail in aircraft. One of my many job functions when I worked for a ground handling company was to make sure that mail for Anchorage actually got *on the right aircraft* and didn't wind up on a flight to Miami. We'd actually check behind the belly toolbox on that old nasty DC-8 looking for mail bags.
Ever seen a 55' truck back up to a DC-6? Yes, folks. Bulk loading 33,000lbs of mail into a friggin DC-6 bound for northern Alaska.

Sure, mail gets lost sometimes, but it's not always the fault of the USPS.