Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Encryption Security United States

USPS Providing Electronic Postmarks 164

isn't my name writes "Back in 2000, Clinton signed the ESIGN Legislation which set forth the requirements for making electronic signatures. But many questioned the weakness of its definitions that allowed an e-mail address to be used as an electronic signature. Well, it seems the USPS has come up with something stronger. They even have a Java and MS COM SDK's Apparently, the USPS feels that the strong legal protections against interfering with the US mail will apply to the EPM program. It seems that AuthentiDate is doing all the heavy lifting. According to the whitepaper on their site, it provides non-repudiation and legal timestamps of documentation by having the customer use a public-key to sign a hash of the document, which is then sent to AuthentiDate's servers which combine that with a timestamp and sign with their key. So, AuthentiDate does not have access to any of the data in the documentation. It sounds very similar to the free PGP Digital Timestamping Service, but it likely is more likely to be legally defensible in a US Court. They also have a new plug-in for MS Word documents. Interestingly, despite the mention of the SDK and it's ability to work with any documents, the only login setup I could find just allows you to use the MS Word version."
This discussion has been archived. No new comments can be posted.

USPS Providing Electronic Postmarks

Comments Filter:
  • Something Similiar (Score:5, Interesting)

    by Dark Paladin ( 116525 ) * <jhummel&johnhummel,net> on Friday January 16, 2004 @08:11AM (#7997032) Homepage
    I've been working on something similiar for another division of the US government.

    The biggest thing driving this are two issues:

    1. Government Paperwork Eliminiation Act - signed by Clinton, it basically tells the various agencies:
    1. "reduce paperwork by having forms available online".
    2. "When possible, have those forms electronically signed."

    The problem is that most government agencies, except maybe the IRS, and then in limited form, really don't have any kind of system set up for doing #2. They're getting pretty good at #1 (having documents available online), but #2 has been a challenge.

    The biggest challenge is initial setup. For the Department of Agriculture, you can do electronic signatures over the web. But first you must physically show up at one of their offices, validate your identify, and then you're good to go.

    That works all right for them, but suppose you're somebody like the IRS, with around, oh, 200 million "clients". Now you have to process them all, validate their identity which means having them show up at a local office (long lines and all). Then there's the issue of what system to use, validation procedures, how to keep Joe American from forgetting their password, and if they lose it, how do they get it back in a way that's secure and doesn't cost a lot of money?

    2. Money. Believe it or not, most people in government agencies really want to save money, not spend all of it.

    Honest.

    So by having electronic signatures, they can reduce paperwork, install workflow systems so that when a document is digitally signed it can be forwarded right to the people who need to see it to be reviewed in minutes instead of days, without all the messy paper getting lost and so on.

    I'll probably be checking out the USPS's system to see what they do. If it's reasonable, secure, ensures privacy, and truly has an open API that would allow other agencies to develop systems based on it, it may be the electronic signature "standard" that some government agencies are looking for.

    Guess I'd better RTFA now ;).
    • Why does the USPS in this case have to authenticate each and every individual? It seems to be a timestamping service, which means they sign our documents' message digests. Doesn't this mean we have to authenticate the USPS (say as a stored trusted certificate in client software)? They don't need to care about the identity of each an every individual if they only want to say such a document existed at such a time and we verified it.
      • I am sorry. It may be that the USPS is also verifying the identity of the "customer" who is getting the document signed.
      • by isn't my name ( 514234 ) <slash.threenorth@com> on Friday January 16, 2004 @09:53AM (#7997657)
        In the protocol descriptions, the customer who wants to sign a document first produces a hash and signs that. That is sent to the USPS who combines it with a timestamp and then signs the whole thing.

        So, you can verify the persons signature and verify the time that it was submitted for an electronic postmark. Based on the language in their whitepaper, they are really looking at setting up a system that is as legally strong in court as a physical signed document.

        I do wonder about the fact that they are only keeping the verification data online for seven years, though.
        • They don't need verification data anyways. The fact that they signed the hash (combined with the embedded timestamp) is proof enough.

          But damn it, this pisses me off. The real issue here is being ignored. They are trying to patent this process. Does anyone else find this to be a blatantly obvious system. Almost a year ago I literally was thinking about why this exact system didn't already exist. This patent will be a big one if it goes through, I guarantee it.
    • somebody like the IRS, with around, oh, 200 million "clients". Now you have to process them all, validate their identity

      They've already given keys to everybody : it's called the SSN. [sarcasm]Surely if it's a valid enough proof of identity for banks, it's usable as a digital signature by the IRS. Right? Right?[/sarcasm]
    • by chefbb ( 691732 ) on Friday January 16, 2004 @08:45AM (#7997198)
      After perusing the white paper, it looks like the USPS solved this issue by having the user apply online for a digital certificate. Then they print out a form and authenticate themselves at a local post office, then they can download their DC. It's interesting that the post office is probably one of the few federal agencies capable of making this work, due to their presence in every community.

      The obvious breakdown with this is that someone could potentially gain access to a user's computer and steal their dc. What about Joe User who runs windows 98 and is unaware of his spyware? It's easily as secure as an old-fashioned signature, though. So maybe that's good enough.

      I have to say that it does look like the USPS thought things through rather well on this one. They made it as easy as possible while still focusing on security.
    • 2. Money. Believe it or not, most people in government agencies really want to save money, not spend all of it.

      Honest.

      I suppose I believe you, but even assuming it really is true, the efforts of those trying to save can be completely wiped out by the minimal efforts of those few that don't give a damn.
      • 2. Money. Believe it or not, most people in government agencies really want to save money, not spend all of it.

        Honest.
        I suppose I believe you, but even assuming it really is true, the efforts of those trying to save can be completely wiped out by the minimal efforts of those few that don't give a damn.


        Just like in the private sector.

        Unlike the private sector, at least in my experience, people in the public sector are there for reasons other than a large paycheck, so the signal to noise ratio is higher.
  • Word only irrelevant (Score:5, Interesting)

    by Esteanil ( 710082 ) on Friday January 16, 2004 @08:11AM (#7997034) Homepage Journal
    That it's word only ATM (as far as I also can find out from the site) is irrelevant... Well, nearly so. With the Java SDK any application from any OS appearently can easily be enhanced with their Electronic Postmark capabilities.
    What I'm wondering about is the "Nationwide reach and trust" point they list in "Benefits of EPM" [usps.com].
    Does the strong encryption make it illegal to use this for international communications?
    • Word Macros (Score:3, Interesting)

      by Anonymous Coward
      Actually Word is not suitable for the purpose anyway. A word document may contain macros and scripting which change the way the content is rendered *after* it is signed.

      So be very careful when you trust a digital signature on a word document, next week it may say something quite different...
      • Re:Word Macros (Score:2, Informative)

        by Esteanil ( 710082 )
        "only a hash code of the file is logged as evidence of authenticity." -About EPM [usps.com]

        Tampering by a macro or script would change the file, thereby making it incompatible with the hash, no?
        • "Wanishing ink" (Score:5, Interesting)

          by GQuon ( 643387 ) on Friday January 16, 2004 @09:27AM (#7997476) Journal
          Tampering by a macro or script would change the file, thereby making it incompatible with the hash, no?

          Not necessarlity. If you have a macro that re-writes the document, the hash would change, and the tampering would be caught.

          But: If you make a macro that doesn't change the contents of the file, but rather a macro that changes just the view, the hash would be the same.For example: You write a document that contains both correct and false information. Before a certain time, the correct information is shown. If you open the document after a specified date, the macro changes what is shown to the reader.

          For this wanishing ink to work
          - it must be possible to write such a macro.
          - the reader must trust all macros.
          - the reader must not be savvy enough to examine the raw word file.
          • -and must not check after the fact
            if I'm told i 'signed off on it' and it turns out to be inverted as to meaning, I can then check the raw file, evidence of what was displayed when I signed would be there, or again-- the hash fails the check.
            • The file itself doesn't change though - the hash will still match. Unless there's a way to copy from Word and paste into some hash-checking thing, in which case it'd work fine in Notepad too...
              • right, but if it came up as say, a legal matter as to what I digitally signed, the raw data will show what version I signed.. and that would be defense enough..

                scenario- someone creates such a document in my or another company, I read it, approve it, digitally sign it..
                two weeks later it displays that I did something VERY STUPID to appearances sake.. I look, I say, that's not what it said when I signed it, lets' check the raw data.. the op I responded to said that a person would have to be ignoran

                • OK. I understand what you're saying. However if the text two weeks later said something reasonable, but incorrect - say it was a report on some dollar figure, and the dollar figure was increased or decreased 25% - it'd be somewhat unlikely that someone would go through extra effort to verify that a macro did not change the data.

                  A cut-and-paste verification solution, say an executable you run on your desktop (so you don't transfer the data elsewhere), could probably take care of that problem, making it easi
            • by GQuon ( 643387 )
              Correct. It's covered by the "examine the raw word file" criterium.
    • Seems like the Authetidate technogoly is applicable to many document types. Their FAQ [authentidate.com] says: What does the system consider a document? A document is any file in any folder. AuthentiDate isn't restricted to working with a limited number of document extensions. Even documents without extensions can be AuthentiDated.

      But it does seems like the USPS's implementation that has only allows Microsoft Work Docs. Only for now I hope.

    • Does the strong encryption make it illegal to use this for international communications

      Good point, i'll research it and check back by tonight... Would be quite ironic if USPS was a "weapons exporter" via the downloads on its site :)
  • The EPM is designed to deter and detect any fraudulent tampering or altering of electronic data.

    Hell, they weren't even able to deliver the bubblewrapped hard-disk I sent in a triple-thickness FRAGILE-sticker-equipped box I overnighted to my business partner in one piece ...
  • by MrRTFM ( 740877 ) on Friday January 16, 2004 @08:14AM (#7997047) Journal
    I am sick and tired of having to FAX my damn signature around the place

    1. print the form
    2. sign it
    3. scan it
    4. fax it

    I mean, come on - how outdated is this method?
    If the Banks let us use online banking to transfer all our money around, surely a digital signature system can be built.

    But then, I am not an encryption expert so what do I know.
    • This may help you:

      1 - Open document in Gimp or PS
      2 - Sign it with your mouse (tricky) or your graphic tablet (well worth the investment, if only for this application)
      3 - print document to fax printer device
      • Or even better: just insert a previousely scanned photo of your signature. Or maybe it is not completely legal to not to actually use a real pen? ;)
      • What I have done is just create a small image with my signature and then paste that in. If you have a scanner available, probably more common then a graphic tablet, then scan one in and use that.
        Also this does point to one problem with accepting signatures, without a witness. It is far to easy for the person to claim it is a forgery. I have around 50 documents in various places and with various people that have the exact same signature; it would be extermly easy for me to claim that someone forged my si
      • I've tried the mouse signing trick and it looked terrible.

        and this is why I hate the current secure 'fax' method :
        Anyone can scan my signature and save it as a JPG and have a field day signing forms.

        Surely a secure website is a better validation method.

        (Dont mind me - I've had a personal vendetta against fax verification since 1996)

        • by Rosco P. Coltrane ( 209368 ) on Friday January 16, 2004 @08:54AM (#7997246)
          (Dont mind me - I've had a personal vendetta against fax verification since 1996)

          I'm with you right there.

          Anyway, it doesn't matter much, because since everybody requires people to sign this or that, signatures aren't worth crap anymore. For example, I signed someone else's $1200 credit card slip once (my boss', he had used his credit card to stick me in a hotel for 1 month on a business trip, but left before me, so I signed it myself when I checked out) : I didn't know his signature, so I just used mine. Totally and obviously not his name at all. Neither the hotel nor his bank never said anything at all. They only check if the account holder complains.
      • 2 - Sign it with your mouse (tricky) or your graphic tablet (well worth the investment, if only for this application)

        Alternately, sign on a white sheet of paper, scan it and keep it (secure). Just paste this "signature" onto the document. Voila!

    • I've always wondered what loony descided that faxing a signature was in any way secure. Possibly it was mildly secure when there were only fax machines and no computers with fax modems, scanners and editing software. (Although a literal cut'n'paste would still foil it back then.)

      I've got a contract that I have "sign" with this idiotic method today. Joy, but they're paying me so... Has "fax signing" stood up to any real test in court?

      As for this new method .. can't be worse.

  • That's a lot of keys (Score:5, Interesting)

    by MadSweeper ( 742042 ) on Friday January 16, 2004 @08:14AM (#7997051)
    My only comment to this is that fact that for it to really work each person who uses it will need a (public) key. In order for that to work you need to validate the users' identity.
    Does this mean that I will goto my local post office and sign-up, get I&A (Identification and Authentication) done and then get my key?
    Are the keys real public keys ie: PKIX and PKCS standards?
    • by Dark Paladin ( 116525 ) * <jhummel&johnhummel,net> on Friday January 16, 2004 @08:29AM (#7997120) Homepage
      Most likely, yes. If they do it right, you should fill out a form online, get some sort of number or perhaps a barcode print out, take it to a USPS center where they will validate you with a picture ID (Drivers license), then give you access to your keys, perhaps through a username/password combination.

      Why this way? Remember: lying to the post office is a Federal Offense, and can get you jail time. That's why they like the whole "make you show up" concept: it (should) keep people from being naughty, especially if they take the extra step and request a fingerprint or some other biometric that will scare the pants off of most would-be identity thieves.
      • As you say: If they do it right
        I have been dealing with PKI for 7 years now and still have not seen an implementation that would work on a large scale. It works in corporations where there aren't that many people.
        I suppose we should look at how different Revenue Departments do it. I know that there are countries that allow its citizens to submit their tax returns across the internet. However, many of these system don't use a real PKI.

        One of the questions that I have been strugling with is the usabil
        • I guess you didn't notice the recent GAO Report [gao.gov]which tells us that the DoD PKI has issued over 9 million certificates. I am not saying it works well, but it does work on large scale. Frankly PKI really isn't cost effective for smaller companies either. It is the larger companies and governments that benefit the most in my opinion. Reason: initial setup costs can be high, unless you are willing to outsource your security, a decision that I personally frown on (but that is another discussion).

          Another thi
      • by *weasel ( 174362 ) on Friday January 16, 2004 @09:08AM (#7997333)
        Biometrics don't actually scare the pants off identity thieves.

        Work for a bank some time, and note how casually and willingly people will be to put their fingerprint on a forged check. Not that you'll know when they try to pass it. Everything will be in order, everything will look right. They won't hesitate to hand you an ID and print.

        Then you'll hand them the cash, and a week later the branch will be kicking itself.

        maybe they realize that the fingerprint is useless (unless you have a criminal record, there's nothing they can compare it against, and they dont have the horsepower to perform a pre-transaction search through a national database).

        maybe they're dumb.

        who knows - but a biometric just doesn't bother them. It would however bother piles of citizen's groups, if the government were to start fingerprinting non criminals. well, that's how they'd spin it anyway. and maybe they'd have a point.

        what was slashdot's philosophic argument against DRM anyway? treating all your paying customers as potential criminals is bad business?
        • "who knows - but a biometric just doesn't bother them. It would however bother piles of citizen's groups, if the government were to start fingerprinting non criminals."

          "Start"? When I went to work for the USPS I had to give a complete set of prints as part of accepting the job. Dunno what they do with the cards -- I assumed they just filed it at NCIC with no adverse notations, but maybe the Postal Inspectors have their own prints repository.
  • Timing issues (Score:3, Interesting)

    by kjdames ( 588423 ) on Friday January 16, 2004 @08:16AM (#7997060)
    I think depending on a regulated email system like this to prove legal timestamping is foolish. Any number of things can delay an email - would you send your taxes by email five minutes before they were due? If a late timestamp meant a fine?
  • by manganese4 ( 726568 ) on Friday January 16, 2004 @08:16AM (#7997062)
    Is calling the service a postmark truly correct in the traditional use of the postal serivce? This just looks like a Government sponsered notary service.

    Now if we can get a true email version of registered mail where every server in the chain signs the message, that would be something useful
    • A notary is Govt sponsored too....just so you know. Actually, it makes lots of sense to have a certified email...If it registered and verified delivery to the server then it would be just like mail...remember meatspace mail is legal even if you don't take it from your mailbox...You're legally obligated to take it out and read it.
      • A notary is Govt sponsored too....just so you know. Actually, it makes lots of sense to have a certified email...If it registered and verified delivery to the server then it would be just like mail..

        Verifying delivery of email to a server isn't very meaningful if the server has spam filters that could potentially toss it. A real delivery verification process would require a user to digitally sign the return receipt.

        remember meatspace mail is legal even if you don't take it from your mailbox...You're
        • You are correct...but the system right now certifies that YOU send marked docuement....and it can be verified for tapmering. Wether the other party gets is another story. But the first important part is that Your identity is verified...for things like business contracts, order forms, tax returns, and the like...there's tons of petty paperwork that's part of multi-step processes getting mailed and faxed simply because they need "offical signatures".

          As far as mail, you are legally obligated to notices se

  • it provides non-repudiation and legal timestamps of documentation

    It gives a whole new meaning to the term "going postal" when you find out that authentic-looking digitally-signed Nigerian business proposition wasn't such a good deal after all ...
  • by wfberg ( 24378 ) on Friday January 16, 2004 @08:18AM (#7997068)
    You know, using such a service to put a date on your sourcecode is a good idea in case you ever end up having to prove when you first coded it (or at least, had it in your possesion); for example, if you need to go after a company stealing your code (GPL non-compliance) or if a company comes after you (SCO?).
    • You could also snail mail yourself a printout.
    • Great idea! Because you could "mail" the code directly to a a third party secure server and have some legal backup. Best of all, with a service like this it's finally possible to have an fully automated system, just like a nightly tape backup.

      OK...can I mail this post so this can't be patented out from under us?

      • Great idea! Because you could "mail" the code directly to a a third party secure server and have some legal backup.

        The timestamp only uses the hash -- which prevents your precious tradesecrets from leaking.

        OK...can I mail this post so this can't be patented out from under us?

        The PGP timestamping service [itconsult.co.uk] is ample prior art for the timestamping of hashes. But some random geek is more likely to be doubted in court than the USPS (or a tech savvy notary public for that matter), which is why it's good the
        • I was getting at an escrow service that you emailed your code [or other IP] to. With something like this one could start a company accepting and archiving the "certified" emails... It could be a plug-in service to just do a "save to archive" function. The server company would simply host the "mailbox" and you would use normal email to send the contents...very slick and trouble free. You'd have your personal archive of emails, and the hosting company would have a copy...verified by post. The point I'm ma
    • by Anonymous Coward
      There's probably a sourcecode escrow service like that somewhere (perhaps sourceforge?), or you can register it with the US copyright agency, whatever it's called (as a literary work).

      The WGA (Writer's Guild of America) lets you email in a file in whatever format, they timestamp it and will support you in court, let you download it whenever (as a backup).

      I believe it's free if you're a member, or ~50 US$ otherwise, but I'm not sure how long they keep it. At least 10 years, and I think more like 30 or 50.
    • by Anonymous Coward
      Umm, well, if you are worried about that, just register your code with the U.S. Copyright Office - that is the whole reason for the Copyright Office's existence - to register copyrights and provide legal recognition that every court MUST accept, that you registered copyright on something on a certain date (granted it doesn't prove you actually OWN the code you copyrighted - see e.g. groklaw.net articles about how both Novell and SCO claim to have registered the copyrights for ATT Unix with the copyright off
  • Now if USPS would get electronic efficiency, that would be quite a good new feature!!!!
  • Government waste (Score:3, Insightful)

    by nuggz ( 69912 ) on Friday January 16, 2004 @08:30AM (#7997129) Homepage
    Of course the USPS should sponsor a company to do this.
    Much better then just working with the existing projects.
    • Re:Government waste (Score:3, Informative)

      by kiwimate ( 458274 )
      Or they could license the technology from a company [silanis.com] who's got some experience in doing this. I don't know how long Silanis has been doing this, but I first came across their digital signature software in 2000, so they ought to know something about the thing. Their web site [silanis.com] claims:

      Compliance with federal and state legislation and industry regulations, including the ESIGN Act, UCC, UETA and the FDA's 21 CFR Part 11
    • the site is "powered by" Authentidate [authentidate.com]. At 80 cents for each (25 min), who do I have to bribe to get that contract!
  • I couldn't find any price quote for the SDK: just a contact. I'm assuming with the USPS' budget problems, that they'll charge for this.
    Does anyone know if they're charging and how much?
  • Too expensive (Score:5, Interesting)

    by kindofblue ( 308225 ) on Friday January 16, 2004 @08:38AM (#7997158)
    For what the timstamping service actually does, it costs way, way, way too much. It cost 80 cents per email, 10 cents in bulk. This is super trivial; it should cost 1 or 2 cents, and yahoo mail or hotmail could do it for free. I don't see what Authentidate offers, other than a countersignature with a private key, timeserver, and a hash.

    And of course, there is a free PGP timestamping service, but unfortunately, that does not have the backing of the USPS.

    Anyone know of something similar that is cheap?

    • Re:Too expensive (Score:2, Informative)

      by chefbb ( 691732 )
      Authentidate gives the hash/timestamp the creedence of a 3rd party witness. They keep track of your hash and assign your stamp. I agree that if the purpose was to simply timestamp or a signature, it would be overkill. For documents where proving "who, what and when" are absolutely necessary, you need an unbiased (i know, it's the gov't) 3rd party.
    • I believe the price of filing your taxes online has been dropping each year. Is it possible they are using the fees to offset some of the initial setup/development/research costs? And with time, it'll drop to more reasonable levels?

      Just ignore the whole issue of less people using snail mail and the solution being to raise stamp prices. :)

    • The "bulk" pricing for 10 cents is 100,000 units (that's ONE MILLION DOLLARS), and they expire in one year. Also it would seem that you can buy "just one" for your taxes. You need to buy 25 of them at least, and if you need a 26th, bing, you'll need to buy 25 more. The whole thing stinks.
    • For what the timstamping service actually does, it costs way, way, way too much. It cost 80 cents per email, 10 cents in bulk. This is super trivial; it should cost 1 or 2 cents, and yahoo mail or hotmail could do it for free. I don't see what Authentidate offers, other than a countersignature with a private key, timeserver, and a hash.

      Some documents are more important than $0.80 and are being received by parties who respect USPS more than PGP. Unjust? maybe. True? probably.
    • Hell, I thought Authentidate was a dating service that guaranteed the gender of your potential date.
  • by j_dot_bomb ( 560211 ) on Friday January 16, 2004 @08:41AM (#7997174)
    Want to do this now as an end user ?
    go to http://www.getstamped.com/
  • by atcurtis ( 191512 ) on Friday January 16, 2004 @08:44AM (#7997193) Homepage Journal
    I know that a lot of people reading /. hates copyrights and patents... but of these digital postmarks stand up in court, they can be of great benefit to individuals and small entrprenurs in their efforts to compete with 'the big guys'

    People can publish their ideas, essays, music on the internet complete with a copy of the digital postmark, and should a big fish try to patent or claim copyright or patent on the material, the small-time individual can point at the digital postmask and prove their ownership.

    I personally would support this... I would love to be able to share some of the ideas I have - but I do not want someone else to come along and try to patent them or claim that it was their's first. Such a digital postmark would give me the confidence to share ... and possibly give others the confidence to share their creations.

    Just my 2cents worth.
    • My boss's boss, a lawyer, wants to know if authentication proves beyond any legal doubt that my e-signature is really me. I think that he has studied e-signatures to a lesser degree. Any legal experts out there who would care to comment?
      • My boss's boss, a lawyer, wants to know if authentication proves beyond any legal doubt that my e-signature is really me.

        In other words, is an e-signature the equivalent of a handwritten signature (weak) or the equivalent of a witnessed/notarized signature (strong)?

  • Adobe coming (Score:3, Informative)

    by Groo Wanderer ( 180806 ) <charlie&semiaccurate,com> on Friday January 16, 2004 @08:50AM (#7997217) Homepage
    I talked to the PR people and a hardcore tech from the company at Comdex. I bitched them out about the MS only, and used the usual arguements. One of the things they said was that linux support was on the list, and more importantly, the next version of Adobe products would support thier tech. I know Acrobat was on the list, but I don't remember if the rest of their programs were.

    I guess it is time to start writing all those people I got cards from at Comdex and write an article on this :).

    -Charlie
  • by Anonymous Coward on Friday January 16, 2004 @09:07AM (#7997322)
    Instead of making clients use java...this should be a simple webservice. Submit a document, get back timestamped document. That way you could do it from pretty much any platform.
    • I don't think that is ever the intention for them to ever handle your documents, from the site:

      Data stays private. Service never has access to your content and requires no modification or transmission of content. (only a hash code of the file is logged as evidence of authenticity.)

      However, from what I see you need to sign into the website and upload you hashcode for registration, and that would be a good function for webservices (and micropayments or microcharges!). On another note the Java SDK seem li

  • but it likely is more likely

    now just how likely is that ????
  • <TinHat>
    This is just one step closer for the postal service to be able to charge for each e-mail sent (at least those that are signed). Guess it's not an urban legend for much longer!
    </TinHat>

    • Only the ones you want signed. If you don't care about authenticity, send as many as you want for free, and don't bother the USPS about it.

      If it's absolutely, vitally important that the recipient know that YOU are the sender, pay the $0.80 for the e-stamp and you're off.
  • This might be a little hypersensitive but I feel a little nervous about putting this signature system in the hands of a company with no proof that the code nor the process is secure. I know OS code is not flawless but at least it can be peer reviewed. Also, what if the company goes out of business. I have no problem with a company managing the sinatures, but I am just a little apprehensive about betting only on the future of a company. Also, this does not seem even a little bit innovative. Essentially
  • by sufehmi ( 134793 ) <.sufehmi. .at. .gmail.com.> on Friday January 16, 2004 @09:30AM (#7997493) Homepage Journal
    In UK, the move to digital signature was pioneered by Inland Revenue (IRS for Americans). The Government's Gateway [gateway.gov.uk] provides the digital certificate, which then can be used to digitally sign online forms.

    However there were concerns that the implementation is too proprietary, risking dependence to few vendors. Considering what the Gateway's doing, I think these concerns are valid.

    There were also little silliness along the way, such as the 50 poundsterling discount by Inland revenue (IRS for Americans) if you submit your tax online and sign it with your certificate BUT the certificate itself cost 50 poundsterling as well, etc.

    But I haven't followed it for quite a while now, hopefully things are better now.
    • Oh yeah, they're also too Microsoft-centric for now, for example the certificate (from Chambersign or Equifax) currently doesn't work on Macintosh. No word about how it is on Linux.

      Does that means that basically the UK government is telling its citizen to use Microsoft products ? A company already judged as a monopoly in USA ?

      I wonder how it is with the USPS' implementation ?
  • by Betabug ( 58015 ) on Friday January 16, 2004 @09:50AM (#7997637) Homepage

    There is an article by PGP Corporations CTO [pgp.com] Jon Callas about it. His tagline is "Do we need another version of digital timestamps?"

    What he has to say looks like plain common sense to me:

    • requires Windows xP/Office 2003 - expensive
    • requires purchasing a certificate, which is not really necessary for a timestamping service
    • the price seems high

    His conclusion: "To me, this seems like a solution in search of a problem." He even mentions open standard file formats. Nice read.

  • ZapMail [doxpara.com], except this time it being legal comes from a digital signature AND a money trail, instead of just a money trail. It didn't work before, so I'm skeptical.
  • Linux Version? (Score:2, Insightful)

    by gsperling ( 625206 ) *
    And how long before a Linux version and applicable plug-in is available for OpenOffice.org? I mean, I'd love to be able to take advantage of this type of technology, but until it's ported to Linux, it's of no use to me!

  • It's bad enough that the signature system only works with Microsoft Office, but it doesn't look like it supports Office on the Macintosh--it would appear that people don't even have to pay lip service toward supporting more than the MSFT hegemony.
  • Talking about USPS, whatever happened to the certificate service they once started?

    USPS delivers a digital, signature-certified mail system [infoworld.com]

    It is no where to be found in usps.gov anymore.

  • Why did they come up with something new that requires special SDKs and probably uses a new file format, instead of just using OpenPGP?
  • Can somebody explain to me how a Microsoft Advertisement landed itself on a Government website (https://www.uspsepm.com/epm/epm_office_ext/index. htm)? The domain is owned by the USPS. Am I missing something here? I was under the impression that commercial advertising was not permitted on government help domains...
  • The scariest thing: (Score:3, Interesting)

    by Pig Hogger ( 10379 ) <.moc.liamg. .ta. .reggoh.gip.> on Friday January 16, 2004 @01:06PM (#7999943) Journal
    Apparently, the USPS feels that the strong legal protections against interfering with the US mail will apply to the EPM program.
    Scariest shit is that spammers may start to send EPMed spams that it would be CRIMINAL to block.

    No more blocklists a la SPEWS...

  • Sun could easily gain a huge advantage for StarOffice (over Microsoft Office) by offering this feature for free in StarOffice. It should be easy to develop and very cheap to provide.

    Perhaps a simple timestamp/hash version could be included in the free OpenOffice, with a more advanced certificate based or user-ID authenticated option in StarOffice.

    This would also be perfect for Adobe to offer for Acrobat PDF files.

    If free and non-proprietary, it would quickly become a popular standard, and perhaps THE st
  • GPGNotary 1.0 (Score:2, Informative)

    by todu ( 560148 )
    I once had a very similar idea and developed a working perlscript implementation. But I never had the time to release it officially. So if someone is interested in a free (as in freedom aswell as gratis) timestamping service you may download my package from the below link and email me comments:

    http://bokstavera2.sourceforge.net/GPGNotary-1_0.t ar.gz
    (remove the space in the link).

If you think nobody cares if you're alive, try missing a couple of car payments. -- Earl Wilson

Working...