It was some small CA that used to do it. My concern is not with that, but
rather with USPS mandating free access without court order to this data.
And privacy issues.
At 07:52 PM 7/2/2003 -0400, C. Wegrzyn wrote:
I have yet to see Verisign or Thawte do any in-person stuff. Mostly it is
just a simple D&B check with a phone call. This would be more reliable.
Chuck
Yakov Shafranovich wrote:
At 06:51 PM 7/2/2003 -0400, C. Wegrzyn wrote:
I don't know if everyone saw this announcement. It is interesting given
the recent conversation we have been having about trust.
http://www.ribbs.usps.gov/files/fedreg/usps2003/03-15211.PDF
The USPS program simply provides a way for CAs to do in-person checking.
This is similar to what existing CAs offer by requiring some applications
to undergo an in-person process (for business mainly). See this quote:
---snip----
Numerous organizations have approached the U.S. Postal Service to conduct
In-Person Proofing (IPP) of customers nationwide for physically
authenticating an individual's identification at a post office before the
organization issues a digital signature certificate to the individual.
The following is a brief description of how IPP would work. An
organization can establish a relationship with a qualified U.S.
Certificate Authority to integrate digital signing with improved identity
verification into an online application. Any individual desiring to use
digital certificates that include USPS IPP will complete an application
online. The online system will verify the individual's identity via
commercial data base checking. The system will then produce a standard
Postal Service form to be printed out at the ''applicant's'' personal
computer. The individual requesting the service will present this form to
a participating post office where the ''In Person Proofing'' process is
conducted. After successful completion of the IPP event, the CA will
notify the applicant to download their digital certificate.
-----snip-----
HOWEVER, the following requirements worry me (EMPHASIS added):
----snip----
1. Use of a PATRIOT ACT COMPLIANT DATABASE VETTING PROCESS to gain
initial assurance of an applicant's identity before sending the applicant
to the Postal Office for IPP.
B. Maintaining a secure repository of IDVF forms,
C. Providing access to IDVF forms and customer account information as
necessary for investigative purposes by USPS Inspection Service and the
USPS Office of Inspector General,
D. Incorporating a new common object identifier (USPS registered OID) for
IPP based digital certificates.
----snip----
Centralized data storage of private information, easy access for
government agencies without a court order, Patriot ACT, new OID, etc.
These things are not needed in order to create such a program, so why is
the USPS insisting on this?
Yakov
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg