Good point...I didn't catch that.
Yakov Shafranovich wrote:
It was some small CA that used to do it. My concern is not with that,
but rather with USPS mandating free access without court order to this
data. And privacy issues.
At 07:52 PM 7/2/2003 -0400, C. Wegrzyn wrote:
I have yet to see Verisign or Thawte do any in-person stuff. Mostly
it is just a simple D&B check with a phone call. This would be more
reliable.
Chuck
Yakov Shafranovich wrote:
At 06:51 PM 7/2/2003 -0400, C. Wegrzyn wrote:
I don't know if everyone saw this announcement. It is interesting
given the recent conversation we have been having about trust:
http://www.ribbs.usps.gov/files/fedreg/usps2003/03-15211.PDF
The USPS program simply provides a way for CAs to do in-person
checking. This is similar to what existing CAs offer by requiring
some applications to undergo an in-person process (for business
mainly). See this quote:
---snip----
Numerous organizations have approached the U.S. Postal Service to
conduct In-Person Proofing (IPP) of customers nationwide for
physically authenticating an individual's identification at a post
office before the organization issues a digital signature
certificate to the individual.
The following is a brief description of how IPP would work. An
organization can establish a relationship with a qualified U.S.
Certificate Authority to integrate digital signing with improved
identity verification into an online application. Any individual
desiring to use digital certificates that include USPS IPP will
complete an application online. The online system will verify the
individual's identity via commercial data base checking. The system
will then produce a standard Postal Service form to be printed out
at the ''applicant's'' personal computer. The individual requesting
the service will present this form to a participating post office
where the ''In Person Proofing'' process is conducted. After
successful completion of the IPP event, the CA will notify the
applicant to download their digital certificate.
-----snip-----
HOWEVER, the following requirements worry me (EMPHASIS added):
----snip----
1. Use of a PATRIOT ACT COMPLIANT DATABASE VETTING PROCESS to gain
initial assurance of an applicant's identity before sending the
applicant to the Postal Office for IPP.
B. Maintaining a secure repository of IDVF forms,
C. Providing access to IDVF forms and customer account information
as necessary for investigative purposes by USPS Inspection Service
and the USPS Office of Inspector General,
D. Incorporating a new common object identifier (USPS registered
OID) for IPP based digital certificates.
----snip----
Centralized data storage of private information, easy access for
government agencies without a court order, Patriot ACT, new OID,
etc. These things are not needed in order to create such a program, so
why is the USPS insisting on this?
Yakov
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg