At 06:51 PM 7/2/2003 -0400, C. Wegrzyn wrote:
> I don't know if everyone saw this announcement. It is interesting given
> the recent conversation we have been having about trust
> http://www.ribbs.usps.gov/files/fedreg/usps2003/03-15211.PDF

The USPS program simply provides a way for CAs to do in-person checking.
This is similar to what existing CAs offer by requiring some applications
to undergo an in-person process (for business mainly). See this quote:
---snip----
Numerous organizations have approached the U.S. Postal Service to conduct
In-Person Proofing (IPP) of customers nationwide for physically
authenticating an individual's identification at a post office before the
organization issues a digital signature certificate to the individual.
The following is a brief description of how IPP would work. An organization
can establish a relationship with a qualified U.S. Certificate Authority to
integrate digital signing with improved identity verification into an
online application. Any individual desiring to use digital certificates
that include USPS IPP will complete an application online. The online
system will verify the individual's identity via commercial data base
checking. The system will then produce a standard Postal Service form to be
printed out at the "applicant's" personal computer. The individual
requesting the service will present this form to a participating post
office where the "In Person Proofing" process is conducted. After
successful completion of the IPP event, the CA will notify the applicant to
download their digital certificate.
-----snip-----
HOWEVER, the following requirements worry me (EMPHASIS added):
----snip----
1. Use of a PATRIOT ACT COMPLIANT DATABASE VETTING PROCESS to gain initial
assurance of an applicant's identity before sending the applicant to the
Postal Office for IPP.
B. Maintaining a secure repository of IDVF forms,
C. Providing access to IDVF forms and customer account information as
necessary for investigative purposes by USPS Inspection Service and the
USPS Office of Inspector General,
D. Incorporating a new common object identifier (USPS registered OID) for
IPP based digital certificates.
----snip----
Centralized data storage of private information, easy access for government
agencies without a court order, Patriot ACT, new OID, etc. These things are
not needed in order to create such a program, so why is the USPS insisting on
this?
Yakov