USPS Providing Electronic Postmarks 164
isn't my name writes "Back in 2000, Clinton signed the ESIGN Legislation which set forth the requirements for making electronic signatures. But many questioned the weakness of its definitions that allowed an e-mail address to be used as an electronic signature. Well, it seems the USPS has come up with something stronger. They even have a Java and MS COM SDK's Apparently, the USPS feels that the strong legal protections against interfering with the US mail will apply to the EPM program. It seems that AuthentiDate is doing all the heavy lifting. According to the whitepaper on their site, it provides non-repudiation and legal timestamps of documentation by having the customer use a public-key to sign a hash of the document, which is then sent to AuthentiDate's servers which combine that with a timestamp and sign with their key. So, AuthentiDate does not have access to any of the data in the documentation. It sounds very similar to the free PGP Digital Timestamping Service, but it likely is more likely to be legally defensible in a US Court. They also have a new plug-in for MS Word documents. Interestingly, despite the mention of the SDK and it's ability to work with any documents, the only login setup I could find just allows you to use the MS Word version."
Something Similiar (Score:5, Interesting)
The biggest thing driving this are two issues:
1. Government Paperwork Eliminiation Act - signed by Clinton, it basically tells the various agencies:
1. "reduce paperwork by having forms available online".
2. "When possible, have those forms electronically signed."
The problem is that most government agencies, except maybe the IRS, and then in limited form, really don't have any kind of system set up for doing #2. They're getting pretty good at #1 (having documents available online), but #2 has been a challenge.
The biggest challenge is initial setup. For the Department of Agriculture, you can do electronic signatures over the web. But first you must physically show up at one of their offices, validate your identify, and then you're good to go.
That works all right for them, but suppose you're somebody like the IRS, with around, oh, 200 million "clients". Now you have to process them all, validate their identity which means having them show up at a local office (long lines and all). Then there's the issue of what system to use, validation procedures, how to keep Joe American from forgetting their password, and if they lose it, how do they get it back in a way that's secure and doesn't cost a lot of money?
2. Money. Believe it or not, most people in government agencies really want to save money, not spend all of it.
Honest.
So by having electronic signatures, they can reduce paperwork, install workflow systems so that when a document is digitally signed it can be forwarded right to the people who need to see it to be reviewed in minutes instead of days, without all the messy paper getting lost and so on.
I'll probably be checking out the USPS's system to see what they do. If it's reasonable, secure, ensures privacy, and truly has an open API that would allow other agencies to develop systems based on it, it may be the electronic signature "standard" that some government agencies are looking for.
Guess I'd better RTFA now
Re:Something Similiar (Score:2)
Re:Something Similiar (Score:2)
Signing as well as timestamping (Score:5, Interesting)
So, you can verify the persons signature and verify the time that it was submitted for an electronic postmark. Based on the language in their whitepaper, they are really looking at setting up a system that is as legally strong in court as a physical signed document.
I do wonder about the fact that they are only keeping the verification data online for seven years, though.
Re:Signing as well as timestamping (Score:2)
But damn it, this pisses me off. The real issue here is being ignored. They are trying to patent this process. Does anyone else find this to be a blatantly obvious system. Almost a year ago I literally was thinking about why this exact system didn't already exist. This patent will be a big one if it goes through, I guarantee it.
Re:They should patent it! (Score:2)
Re:Signing as well as timestamping (Score:2)
Re:Something Similiar (Score:2, Insightful)
They've already given keys to everybody : it's called the SSN. [sarcasm]Surely if it's a valid enough proof of identity for banks, it's usable as a digital signature by the IRS. Right? Right?[/sarcasm]
Re:Something Similiar (Score:5, Insightful)
The obvious breakdown with this is that someone could potentially gain access to a user's computer and steal their dc. What about Joe User who runs windows 98 and is unaware of his spyware? It's easily as secure as an old-fashioned signature, though. So maybe that's good enough.
I have to say that it does look like the USPS thought things through rather well on this one. They made it as easy as possible while still focusing on security.
Re:Something Similiar (Score:4, Informative)
The aren't allowed to keep all of their profits either though. In years they make too much money the federal government takes most of it for general revenue. Additionally the USPS has to comply with all kinds of draconian rules set by Congress (see Franking privileges).
So you see they aren't privatized, their leadership is federally appointed and the workers federal employees but the USPS is not completely integrated into the federal government (like..say..the Park Service).
Re:Something Similiar (Score:2)
Honest.
I suppose I believe you, but even assuming it really is true, the efforts of those trying to save can be completely wiped out by the minimal efforts of those few that don't give a damn.
Re:Something Similiar (Score:2)
Honest.
I suppose I believe you, but even assuming it really is true, the efforts of those trying to save can be completely wiped out by the minimal efforts of those few that don't give a damn.
Just like in the private sector.
Unlike the private sector, at least in my experience, people in the public sector are there for reasons other than a large paycheck, so the signal to noise ratio is higher.
Word only irrelevant (Score:5, Interesting)
What I'm wondering about is the "Nationwide reach and trust" point they list in "Benefits of EPM" [usps.com].
Does the strong encryption make it illegal to use this for international communications?
Word Macros (Score:3, Interesting)
So be very careful when you trust a digital signature on a word document, next week it may say something quite different...
Re:Word Macros (Score:2, Informative)
Tampering by a macro or script would change the file, thereby making it incompatible with the hash, no?
"Wanishing ink" (Score:5, Interesting)
Not necessarlity. If you have a macro that re-writes the document, the hash would change, and the tampering would be caught.
But: If you make a macro that doesn't change the contents of the file, but rather a macro that changes just the view, the hash would be the same.For example: You write a document that contains both correct and false information. Before a certain time, the correct information is shown. If you open the document after a specified date, the macro changes what is shown to the reader.
For this wanishing ink to work
- it must be possible to write such a macro.
- the reader must trust all macros.
- the reader must not be savvy enough to examine the raw word file.
Re:"Wanishing ink" (Score:3, Insightful)
if I'm told i 'signed off on it' and it turns out to be inverted as to meaning, I can then check the raw file, evidence of what was displayed when I signed would be there, or again-- the hash fails the check.
Re:"Wanishing ink" (Score:2)
Re:"Wanishing ink" (Score:2)
scenario- someone creates such a document in my or another company, I read it, approve it, digitally sign it..
two weeks later it displays that I did something VERY STUPID to appearances sake.. I look, I say, that's not what it said when I signed it, lets' check the raw data.. the op I responded to said that a person would have to be ignoran
Re:"Wanishing ink" (Score:2)
A cut-and-paste verification solution, say an executable you run on your desktop (so you don't transfer the data elsewhere), could probably take care of that problem, making it easi
Right (Score:2)
Re:Word only irrelevant (except for USPS?) (Score:1)
But it does seems like the USPS's implementation that has only allows Microsoft Work Docs. Only for now I hope.
Re:Word only irrelevant (Score:3, Interesting)
Good point, i'll research it and check back by tonight... Would be quite ironic if USPS was a "weapons exporter" via the downloads on its site
USPS to protect my data? (Score:2, Funny)
Hell, they weren't even able to deliver the bubblewrapped hard-disk I sent in a triple-thickness FRAGILE-sticker-equipped box I overnighted to my business partner in one piece
The sooner they get this working the better... (Score:5, Interesting)
1. print the form
2. sign it
3. scan it
4. fax it
I mean, come on - how outdated is this method?
If the Banks let us use online banking to transfer all our money around, surely a digital signature system can be built.
But then, I am not an encryption expert so what do I know.
Re:The sooner they get this working the better... (Score:3, Interesting)
1 - Open document in Gimp or PS
2 - Sign it with your mouse (tricky) or your graphic tablet (well worth the investment, if only for this application)
3 - print document to fax printer device
Re:The sooner they get this working the better... (Score:2, Interesting)
Re:The sooner they get this working the better... (Score:2, Insightful)
Do you think the guy who signs paycheck in big companies actually uses a pen? or the guy at CompUSA responsible for signing all those mail-in rebates checks ?
As for the guy who receives your fax, unless you slap a 5x5 GIF of your signature on the hi-def document, he'll be hard pressed to know it's not actually written then faxed.
Re:The sooner they get this working the better... (Score:2, Informative)
Re:The sooner they get this working the better... (Score:2)
Also this does point to one problem with accepting signatures, without a witness. It is far to easy for the person to claim it is a forgery. I have around 50 documents in various places and with various people that have the exact same signature; it would be extermly easy for me to claim that someone forged my si
Re:The sooner they get this working the better... (Score:1)
and this is why I hate the current secure 'fax' method
Anyone can scan my signature and save it as a JPG and have a field day signing forms.
Surely a secure website is a better validation method.
(Dont mind me - I've had a personal vendetta against fax verification since 1996)
Re:The sooner they get this working the better... (Score:5, Interesting)
I'm with you right there.
Anyway, it doesn't matter much, because since everybody requires people to sign this or that, signatures aren't worth crap anymore. For example, I signed someone else's $1200 credit card slip once (my boss', he had used his credit card to stick me in a hotel for 1 month on a business trip, but left before me, so I signed it myself when I checked out) : I didn't know his signature, so I just used mine. Totally and obviously not his name at all. Neither the hotel nor his bank never said anything at all. They only check if the account holder complains.
Re:The sooner they get this working the better... (Score:2)
Alternately, sign on a white sheet of paper, scan it and keep it (secure). Just paste this "signature" onto the document. Voila!
Re:The sooner they get this working the better... (Score:3, Interesting)
I've got a contract that I have "sign" with this idiotic method today. Joy, but they're paying me so... Has "fax signing" stood up to any real test in court?
As for this new method .. can't be worse.
Re:The sooner they get this working the better... (Score:2, Interesting)
That's a lot of keys (Score:5, Interesting)
Does this mean that I will goto my local post office and sign-up, get I&A (Identification and Authentication) done and then get my key?
Are the keys real public keys ie: PKIX and PKCS standards?
Re:That's a lot of keys (Score:4, Interesting)
Why this way? Remember: lying to the post office is a Federal Offense, and can get you jail time. That's why they like the whole "make you show up" concept: it (should) keep people from being naughty, especially if they take the extra step and request a fingerprint or some other biometric that will scare the pants off of most would-be identity thieves.
Re:That's a lot of keys (Score:3, Interesting)
I have been dealing with PKI for 7 years now and still have not seen an implementation that would work on a large scale. It works in corporations where there aren't that many people.
I suppose we should look at how different Revenue Departments do it. I know that there are countries that allow its citizens to submit their tax returns across the internet. However, many of these system don't use a real PKI.
One of the questions that I have been strugling with is the usabil
Re:That's a lot of keys (Score:2)
Another thi
Re:That's a lot of keys (Score:5, Insightful)
Work for a bank some time, and note how casually and willingly people will be to put their fingerprint on a forged check. Not that you'll know when they try to pass it. Everything will be in order, everything will look right. They won't hesitate to hand you an ID and print.
Then you'll hand them the cash, and a week later the branch will be kicking itself.
maybe they realize that the fingerprint is useless (unless you have a criminal record, there's nothing they can compare it against, and they dont have the horsepower to perform a pre-transaction search through a national database).
maybe they're dumb.
who knows - but a biometric just doesn't bother them. It would however bother piles of citizen's groups, if the government were to start fingerprinting non criminals. well, that's how they'd spin it anyway. and maybe they'd have a point.
what was slashdot's philosophic argument against DRM anyway? treating all your paying customers as potential criminals is bad business?
Re:That's a lot of keys (Score:2)
"Start"? When I went to work for the USPS I had to give a complete set of prints as part of accepting the job. Dunno what they do with the cards -- I assumed they just filed it at NCIC with no adverse notations, but maybe the Postal Inspectors have their own prints repository.
fair enough (Score:2)
that this sort of mechanism annoys and risks alienating honest customers, provides little tangible deterrant to actual criminals, and yet costs significant amounts of money to implement and maintain.
We had a terminology gap
Timing issues (Score:3, Interesting)
Re:Timing issues (Score:5, Funny)
Simple: chose a USPS signature server located on the west coast
Is it really a postmark? (Score:3, Insightful)
Now if we can get a true email version of registered mail where every server in the chain signs the message, that would be something useful
Re:Is it really a postmark? (Score:2)
Re:Is it really a postmark? (Score:2)
Verifying delivery of email to a server isn't very meaningful if the server has spam filters that could potentially toss it. A real delivery verification process would require a user to digitally sign the return receipt.
remember meatspace mail is legal even if you don't take it from your mailbox...You're
Re:Is it really a postmark? (Score:2)
As far as mail, you are legally obligated to notices se
Digitally signed crap documents are still crap (Score:2)
It gives a whole new meaning to the term "going postal" when you find out that authentic-looking digitally-signed Nigerian business proposition wasn't such a good deal after all
Registering your code.. (Score:5, Interesting)
Re:Registering your code.. (Score:2, Insightful)
Re:Registering your code.. (Score:2)
OK...can I mail this post so this can't be patented out from under us?
Re:Registering your code.. (Score:2)
The timestamp only uses the hash -- which prevents your precious tradesecrets from leaking.
OK...can I mail this post so this can't be patented out from under us?
The PGP timestamping service [itconsult.co.uk] is ample prior art for the timestamping of hashes. But some random geek is more likely to be doubted in court than the USPS (or a tech savvy notary public for that matter), which is why it's good the
Re:Registering your code.. (Score:2)
Already exists - kinda (Score:1, Interesting)
The WGA (Writer's Guild of America) lets you email in a file in whatever format, they timestamp it and will support you in court, let you download it whenever (as a backup).
I believe it's free if you're a member, or ~50 US$ otherwise, but I'm not sure how long they keep it. At least 10 years, and I think more like 30 or 50.
Err. . . copyright registration (Score:2, Informative)
That's good, but... (Score:1)
Government waste (Score:3, Insightful)
Much better then just working with the existing projects.
Re:Government waste (Score:3, Informative)
Compliance with federal and state legislation and industry regulations, including the ESIGN Act, UCC, UETA and the FDA's 21 CFR Part 11
Re:Government waste - they do! (Score:2)
SDK ... Free? (Score:2, Interesting)
Does anyone know if they're charging and how much?
SDK Download Request Location (Score:4, Informative)
And here is the link for pricing [uspsepm.com]. Note, I was told that the introductory pricing period has passed and I was also told that the entire website was due for an update in the next week or two. Had I known that when I submitted the Slashdot article, I would have waited a bit. Maybe a good slashdotting will get a redesign that can handle a heavy load.
Re:SDK Download Request Location (Score:2)
Re:SDK ... Free? (Score:2)
Too expensive (Score:5, Interesting)
And of course, there is a free PGP timestamping service, but unfortunately, that does not have the backing of the USPS.
Anyone know of something similar that is cheap?
Re:Too expensive (Score:2, Informative)
Re:Too expensive (Score:2)
I believe the price of filing your taxes online has been dropping each year. Is it possible they are using the fees to offset some of the initial setup/development/research costs? And with time, it'll drop to more reasonable levels?
Just ignore the whole issue of less people using snail mail and the solution being to raise stamp prices. :)
Re:Too expensive (Score:2)
Re:Too expensive (Score:2)
Re:Too expensive (Score:2)
Some documents are more important than $0.80 and are being received by parties who respect USPS more than PGP. Unjust? maybe. True? probably.
Authentidate (Score:2)
Want to do this now as an end user ? (Score:4, Informative)
go to http://www.getstamped.com/
Copyrights and "proof of prior method" (Score:5, Interesting)
People can publish their ideas, essays, music on the internet complete with a copy of the digital postmark, and should a big fish try to patent or claim copyright or patent on the material, the small-time individual can point at the digital postmask and prove their ownership.
I personally would support this... I would love to be able to share some of the ideas I have - but I do not want someone else to come along and try to patent them or claim that it was their's first. Such a digital postmark would give me the confidence to share
Just my 2cents worth.
Re:Copyrights and "proof of prior method" (Score:1)
Re:Copyrights and "proof of prior method" (Score:2)
In other words, is an e-signature the equivalent of a handwritten signature (weak) or the equivalent of a witnessed/notarized signature (strong)?
Adobe coming (Score:3, Informative)
I guess it is time to start writing all those people I got cards from at Comdex and write an article on this
-Charlie
How bout a webservice (Score:3, Insightful)
Re:How bout a webservice (Score:3, Interesting)
However, from what I see you need to sign into the website and upload you hashcode for registration, and that would be a good function for webservices (and micropayments or microcharges!). On another note the Java SDK seem li
Link to request Java SDK (Score:2, Informative)
https://www.uspsepm.com/crm/sdkRegister.adate [uspsepm.com]
but it likely is more likely (Score:1)
now just how likely is that ????
No longer an urban legend! (Score:2)
This is just one step closer for the postal service to be able to charge for each e-mail sent (at least those that are signed). Guess it's not an urban legend for much longer!
</TinHat>
Re:No longer an urban legend! (Score:2)
If it's absolutely, vitally important that the recipient know that YOU are the sender, pay the $0.80 for the e-stamp and you're off.
is it public or open source? (Score:2, Insightful)
Digital signature implementation in UK (Score:3, Interesting)
However there were concerns that the implementation is too proprietary, risking dependence to few vendors. Considering what the Gateway's doing, I think these concerns are valid.
There were also little silliness along the way, such as the 50 poundsterling discount by Inland revenue (IRS for Americans) if you submit your tax online and sign it with your certificate BUT the certificate itself cost 50 poundsterling as well, etc.
But I haven't followed it for quite a while now, hopefully things are better now.
Re:Digital signature implementation in UK (Score:1)
Does that means that basically the UK government is telling its citizen to use Microsoft products ? A company already judged as a monopoly in USA ?
I wonder how it is with the USPS' implementation ?
What PGP Corporation has to say about it (Score:5, Informative)
There is an article by PGP Corporations CTO [pgp.com] Jon Callas about it. His tagline is "Do we need another version of digital timestamps?"
What he has to say looks like plain common sense to me:
His conclusion: "To me, this seems like a solution in search of a problem." He even mentions open standard file formats. Nice read.
Reminds me of something . . . . (Score:2)
Linux Version? (Score:2, Insightful)
Office for Mac? Anyone? Bueller? (Score:2)
It's bad enough that the signature system only works with Microsoft Office, but it doesn't look like it supports Office on the Macintosh--it would appear that people don't even have to pay lip service toward supporting more than the MSFT hegemony.
What happened to certified email? (Score:2, Informative)
USPS delivers a digital, signature-certified mail system [infoworld.com]
It is no where to be found in usps.gov anymore.
Re:What happened to certified email? (Score:2)
Uh, you mean this [usps.com]?
Reinventing the wheel, should have used OpenPGP (Score:2)
USPS - Gov't or Microsoft? (Score:2, Interesting)
The scariest thing: (Score:3, Interesting)
No more blocklists a la SPEWS...
This should be free in Star/OpenOffice or PDFs (Score:2, Insightful)
Perhaps a simple timestamp/hash version could be included in the free OpenOffice, with a more advanced certificate based or user-ID authenticated option in StarOffice.
This would also be perfect for Adobe to offer for Acrobat PDF files.
If free and non-proprietary, it would quickly become a popular standard, and perhaps THE st
GPGNotary 1.0 (Score:2, Informative)
http://bokstavera2.sourceforge.net/GPGNotary-1_0.
(remove the space in the link).
What did you not get about "Java SDK" ? (Score:5, Insightful)
Just because the first sample implementation is in Word, doesn't imply there is some conspiracy. The USPS probably uses Word internally and wanted to make the sample usefull for them. With the JavaSDK you could use this in Linux, FreeBSD, hell even embedded applications.
Take off your tinfoil hat.
Re:What did you not get about "Java SDK" ? (Score:2)
Is congress advertising for Adobe because it has PDFs for download?
Is USPS advertising for Ford because it has it emblazened on the front of their trucks?
Answer: No, of course not, and you're only hemming and hawing because Microsoft is in the story somewhere. If the sample was using Ximian OpenOffice you wouldn't have said a word, even though it'd be "Advertising" for Ximian by your terms.
Re:Set A Standard, Aid a Convicted Monopolist. (Score:1)
When they say "any document" they mean documents created by any version of MS-Word (there is no other way to create documents, right?)...
Sheesh!
- Nate >>
P.S. If I had mod points I'd have un-modded the Troll modifier. Hopefully, I'll get to meta-mod this clown...
Re:So many links... (Score:1)