I have yet to see Verisign or Thawte do any in-person stuff. Mostly it
is just a simple D&B check with a phone call. This would be more reliable.
Chuck
Yakov Shafranovich wrote:
At 06:51 PM 7/2/2003 -0400, C. Wegrzyn wrote:
I don't know if everyone saw this announcement. It is interesting
given the recent conversation we have been having about trust
http://www.ribbs.usps.gov/files/fedreg/usps2003/03-15211.PDF
The USPS program simply provides a way for CAs to do in-person
checking. This is similar to what existing CAs offer by requiring some
applications to undergo an in-person process (for business mainly).
See this quote:
---snip----
Numerous organizations have approached the U.S. Postal Service to
conduct In-Person Proofing (IPP) of customers nationwide for
physically authenticating an individual's identification at a post
office before the organization issues a digital signature certificate
to the individual.
The following is a brief description of how IPP would work. An
organization can establish a relationship with a qualified U.S.
Certificate Authority to integrate digital signing with improved
identity verification into an online application. Any individual
desiring to use digital certificates that include USPS IPP will
complete an application online. The online system will verify the
individual's identity via commercial data base checking. The system
will then produce a standard Postal Service form to be printed out at
the "applicant's" personal computer. The individual requesting the
service will present this form to a participating post office where
the "In Person Proofing" process is conducted. After successful
completion of the IPP event, the CA will notify the applicant to
download their digital certificate.
-----snip-----
HOWEVER, the following requirements worry me (EMPHASIS added):
----snip----
1. Use of a PATRIOT ACT COMPLIANT DATABASE VETTING PROCESS to gain
initial assurance of an applicant's identity before sending the
applicant to the Postal Office for IPP.
B. Maintaining a secure repository of IDVF forms,
C. Providing access to IDVF forms and customer account information as
necessary for investigative purposes by USPS Inspection Service and
the USPS Office of Inspector General,
D. Incorporating a new common object identifier (USPS registered OID)
for IPP based digital certificates.
----snip----
Centralized data storage of private information, easy access for
government agencies without a court order, Patriot ACT, new OID, etc.
These things are not needed in order to create such a program, so why is
the USPS insisting on this?
Yakov
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg