
USPS Plan Undercuts Time Stamp Security

Written by Paul Doyle
9/24/2008 5 comments

As it looks to stake out and control strategic ground in national and international e-commerce, the U.S. Postal Service has set its sights on trusted time-stamping, which can be thought of as an electronic postmark. Unfortunately, the way it plans to certify licensees violates both common sense and the basic tenets of solid information security policy.

Why does the USPS think electronic postmarks (EPMs) are natural add-ons to its handling and delivery of physical mail? In its argument, the USPS points to assets like its size and trustworthiness, as well as its Postal Inspection Service unit for legitimacy and enforcement.

Opposing the USPS is an energetic, pugnacious entrepreneur named Rick Borgers, founder of a private, for-profit (which is a good thing) time-stamping company named Digistamp. Borgers has done a remarkable job of mounting his own one-man, one-company opposition.

Also opposing the USPS is the bulk of the commercial time-stamping industry, as represented by the Information Assurance Consortium. Plus, there's a congressional mandate that the USPS cease all non-postal services; Congress authorized the Postal Regulatory Commission to ensure USPS compliance with this mandate.

There are several problems here. First, there is the fact that the USPS currently has no technical experts or resident expertise in the technology of trusted time-stamping. They may have had this at one time, but it was more than seven years ago, and the expertise then present was acquired while the USPS was in the process of building a Certificate Authority (Public Key Infrastructure, or PKI). The program was eventually abandoned.

Many consider it to have been a complete waste that squandered millions in taxpayer money. The idea had been that the USPS was going to be a certificate authority and issue identity credentials and time stamps among other things. This was its first foray; the second came in 2001 when it decided to outsource the time stamping technology piece to a single, third-party licensee, a company named Authentidate. Under that plan, the USPS would focus on monetizing the USPS EPM brand.

How well did this work commercially? In 2007 the USPS generated $135,000 in revenues from EPM, down from $225,000 in 2006, according to page 11 of the revenue report. My guess is it spent more money on legal fees negotiating the license terms with the licensee than it generated in revenues.

Now, the USPS is trying a third business model: licensing multiple parties, similar to the way it's successfully changed the way it sells postage. While this may seem closer to being on the right track, the devil is in the details… details like making sure it is secure and warrants the trust the USPS so boldly asserts. While there are published standards that address the security of trusted time-stamping systems, the USPS unfortunately has chosen to ignore the American National Standard, X9.95-2005, or even the IETF technical protocol, RFC 3161.

Instead, the USPS got together with its fellow international postal organizations to create their own standard. Does this standard include criteria for audit and certification? No. Does the USPS EPM program include a defined accreditation or certification process for licensees? No. Instead the USPS has decided to let licensees self-certify. Really! Don't laugh. It's built the current model around self-certification.

We in the information security world recognize this as being conceptually equivalent to allowing kids taking the SAT or ACT to grade their own exams. Consider the implications of this. The failure of a USPS EPM due to sloppy management of the signing keys involved (via PKI) by the licensees, for example, could send shockwaves through the market and destroy the very trust of trusted timestamps. The failure of one USPS licensee could poison the market for all legitimate, non-USPS time stamping vendors.

Let us take lessons from the past. Arthur Andersen was once among the most trusted names in business. This was prior to Enron. Thanks to Arthur Andersen and Enron, we all know what happens when trust is betrayed. We cannot afford, and should not permit, poor governance models and weak administration to set us up again for a systemic failure -- especially when it involves a quasi-governmental agency that is immune from lawsuits or private rights of action.

Some may say that the existence of the Postal Inspection Service would mitigate against any violation or impropriety. And it might, if the USPS actually intended to use it. When asked if the Postal Inspection Service would stand behind the EPMs, including providing expert testimony on behalf of a customer in the event of a legal or regulatory dispute, the simple and telling answer was, "No."

If the USPS wants to be involved in the overall market for trusted time stamps, it should be for valid reasons, not just because of its size… or because it's in danger of becoming less relevant to the broader market. The idea of the Postal Regulatory Commission allowing the USPS to continue as it is or even expanding its authorization is simply nuts, in my opinion. If and when a failure occurs, my bet is that someone is indeed going to go postal.

— Paul Doyle, independent consultant and co-founder of the Information Assurance Consortium

dlavie
IQ Crew
Wednesday October 1, 2008 12:57:01 AM

There isn't a conflict of interest because the USPS is not delivering your email.

The cancellation postmark on a letter isn't a legal standard.  A lot of organizations use the "postmarked by..." phrase but again it's not a legal standard.  The USPS date stamps physical mail for its own measurement.  By postal procedures it has to be postmarked for the day that it is collected.

I think if we are headed to the "electronic postmark" it will have to be a corporate/government partnership.  Having watched corporate greed and government ineptitude take down the financial world this last week, I wonder if we are better off just winging it without a standard.

Dave

Paul Doyle
Thinkernetter
Tuesday September 30, 2008 12:58:37 PM

Hi Root Maniac,

You are right about there being conflicts of interest, some definite and some potential.  If the USPS remains in this space and does not adopt the American National Standard X9.95, then perhaps they and their licensees would be able to decide what time it is...or more importantly what time they want it to be.  The X9.95 standard resolves this problem by requiring a calibration to the national time authority, which in the US is NIST...the National Institute of Standards & Technology.  Our civilian national time authority is the time synchronization lab run by Dr. Judah Levine out of Boulder, Colorado.  Quick trivia, we have a second national time authority in the US and it is the U.S. Naval Observatory.

As for your level of being informed on this subject, I would encourage you and all netizens to dig in deeper.  This is important stuff.  True, secure and trusted time is critical to comprehensive security system design and implementation.

Thanks for the post.

--Paul

Root Maniac
IQ Crew
Thursday September 25, 2008 4:31:14 PM
Isn't there a conflict of interest if the same agency charged with delivering materials within specific timeframes is also the authority that determines the timestamps that are used to measure its compliance? I'll admit I'm not too informed on this issue, but that's the first thing I thought of. It seems to me that an industry-government consortium should establish an accepted standard, and license the technology to companies with the required expertise to implement it.

Paul Doyle
Thinkernetter
Thursday September 25, 2008 9:08:04 AM

Hi Dave,

Thanks for the...post.  ;-)

So, just curious, if the money the USPS has expended without producing something of appropriate commercial or social value is not taxpayer money...then whose money is it?  The Post Master General?

And where does the postage revenue come from?  Why, it is from the people who communicate through physical mail...both senders and receivers.  Yes, I include receivers because those of us who have a snail mail address end up receiving all kinds of junk through the distribution system that the postal service represents.  We receive the junk mail along with the meaningful mail...the stuff we want and/or need with the stuff we don't.  We have to take it and we don't get a choice.  We can not simply "opt out" as we often can do when working via the Internet/WWW.  Therefore, we who receive are as important a part of the postage revenue system as those who buy the postage.  We all pay in one way or another.

Your clarification is valid.  Thank you.  Perhaps I should have written "public money" instead.

My point in my blog was not so much about the dollars, but instead the appropriateness of the activity, the value it represents, and the responsibility to do it 'right' in a technically sound, secure way.  The trust the USPS has accrued was built in an entirely different paradigm.  This trust, by itself, is no guarantee or assurance that they will get it right in the Internet paradigm.  Further, there is the issue of whether they should be doing it at all.  They are, after all, competing with private enterprises.  WHY?

Should government become an infosec vendor?  Maybe next we can look for a line of encryption products being sold by the NSA?  Or home network security products branded by the FBI?  Hmmm...maybe we have our answer to funding the Wall St. bailout.  Remember, you saw it here first.

Thanks for the feedback.  Keep it coming.

--Paul

dlavie
IQ Crew
Thursday September 25, 2008 3:23:47 AM

The USPS has been off the federal budget for quite some time now, 1970?

>Many consider it to have been a complete waste that squandered millions in taxpayer money<

They squandered revenue from postage sales.

I agree with the USPS not being the time stamp if they don't intend to back it up.

Dave (who works for the USPS)
