USPS Plan Undercuts Time Stamp Security

Written by Paul Doyle
9/24/2008

As it looks to stake out and control strategic ground in national and international e-commerce, the U.S. Postal Service has set its sights on trusted time-stamping, which can be thought of as an electronic postmark. Unfortunately, the way it plans to certify licensees violates both common sense and the basic tenets of solid information security policy.

Why does the USPS think electronic postmarks (EPMs) are natural add-ons to its handling and delivery of physical mail? In its argument, the USPS points to assets like its size and trustworthiness, as well as its Postal Inspection Service unit for legitimacy and enforcement.

Opposing the USPS is an energetic, pugnacious entrepreneur named Rick Borgers, founder of a private, for-profit (which is a good thing) time-stamping company named Digistamp. Borgers has done a remarkable job of mounting his own one-man, one-company opposition.

Also opposing the USPS is the bulk of the commercial time-stamping industry, as represented by the Information Assurance Consortium. Plus, there's a congressional mandate that the USPS cease all non-postal services; Congress authorized the Postal Regulatory Commission to ensure USPS compliance with this mandate.

There are several problems here. First there is the fact that the USPS currently has no technical experts or resident expertise in the technology of trusted time-stamping. They may have had this at one time, but it was more than seven years ago, and the expertise then present was acquired while the USPS was in the process of building a Certificate Authority (Public Key Infrastructure, or PKI). The program was eventually abandoned.

Many consider it to have been a complete waste that squandered millions in taxpayer money. The idea had been that the USPS was going to be a certificate authority and issue identity credentials and time stamps among other things. This was its first foray; the second came in 2001 when it decided to outsource the time stamping technology piece to a single, third-party licensee, a company named Authentidate. Under that plan, the USPS would focus on monetizing the USPS EPM brand.

How well did this work commercially? In 2007 the USPS generated $135,000 in revenues from EPM, down from $225,000 in 2006, according to page 11 of the revenue report. My guess is it spent more money on legal fees negotiating the license terms with the licensee than it generated in revenues.

Now, the USPS is trying a third business model: licensing multiple parties, similar to the way it's successfully changed the way it sells postage. While this may seem closer to being on the right track, the devil is in the details… details like making sure it is secure and warrants the trust the USPS so boldly asserts. While there are published standards that address the security of trusted time-stamping systems, the USPS unfortunately has chosen to ignore the American National Standard, X9.95-2005, or even the IETF technical protocol, RFC 3161.

Instead, the USPS got together with its fellow international postal organizations to create their own standard. Does this standard include criteria for audit and certification? No. Does the USPS EPM program include a defined accreditation or certification process for licensees? No. Instead the USPS has decided to let licensees self-certify. Really! Don't laugh. It's built the current model around self-certification.

We in the information security world recognize this as being conceptually equivalent to allowing kids taking the SAT or ACT to grade their own exams. Consider the implications of this. The failure of a USPS EPM due to sloppy management of the signing keys involved (via PKI) by the licensees, for example, could send shockwaves through the market and destroy the very trust of trusted timestamps. The failure of one USPS licensee could poison the market for all legitimate, non-USPS time stamping vendors.

Let us take lessons from the past. Arthur Andersen was once among the most trusted names in business. This was prior to Enron. Thanks to Arthur Andersen and Enron, we all know what happens when trust is betrayed. We cannot afford, and should not permit, poor governance models and weak administration to set us up again for a systemic failure -- especially when it involves a quasi-governmental agency that is immune from lawsuits or private rights of action.

Some may say that the existence of the Postal Inspection Service would mitigate against any violation or impropriety. And it might, if the USPS actually intended to use it. When asked if the Postal Inspection Service would stand behind the EPMs, including providing expert testimony on behalf of a customer in the event of a legal or regulatory dispute, the simple and telling answer was, "No."

If the USPS wants to be involved in the overall market for trusted time stamps, it should be for valid reasons, not just because of its size… or because it's in danger of becoming less relevant to the broader market. The idea of the Postal Regulatory Commission allowing the USPS to continue as it is or even expanding its authorization is simply nuts, in my opinion. If and when a failure occurs, my bet is that someone is indeed going to go postal.

— Paul Doyle, independent consultant and co-founder of the Information Assurance Consortium

This blog is part of Internet Evolution’s Security Clan, which looks at the present and future threats to Internet security and the methods being used to defend and protect users and organizations.

dlavie
IQ Crew
Wednesday October 1, 2008 12:57:01 AM

There isn't a conflict of interest because the USPS is not delivering your email.

The cancellation postmark on a letter isn't a legal standard.  A lot of organizations use the "postmarked by..." phrase but again it's not a legal standard.  The USPS date stamps physical mail for its own measurement.  By postal procedures it has to be postmarked for the day that it is collected.

I think if we are headed to the "electronic postmark" it will have to be a corporate/government partnership.  Having watched corporate greed and government ineptitude take down the financial world this last week, I wonder if we are better off just winging it without a standard.

Dave

Paul Doyle
Thinkernetter
Tuesday September 30, 2008 12:58:37 PM

Hi Root Maniac,

You are right about there being conflicts of interest, some definite and some potential.  If the USPS remains in this space and does not adopt the American National Standard X9.95, then perhaps they and their licensees would be able to decide what time it is...or more importantly what time they want it to be.  The X9.95 standard resolves this problem by requiring a calibration to the national time authority, which in the US is NIST...the National Institute of Standards & Technology.  Our civilian national time authority is the time synchronization lab run by Dr. Judah Levine out of Boulder, Colorado.  Quick trivia, we have a second national time authority in the US and it is the U.S. Naval Observatory.

As for your level of being informed on this subject, I would encourage you and all netizens to dig in deeper.  This is important stuff.  True, secure and trusted time is critical to comprehensive security system design and implementation.

Thanks for the post.

--Paul

Root Maniac
IQ Crew
Thursday September 25, 2008 4:31:14 PM
Isn't there a conflict of interest if the same agency charged with delivering materials within specific timeframes is also the authority that determines the timestamps that are used to measure its compliance? I'll admit I'm not too informed on this issue, but that's the first thing I thought of. It seems to me that an industry-government consortium should establish an accepted standard, and license the technology to companies with the required expertise to implement it.

Paul Doyle
Thinkernetter
Thursday September 25, 2008 9:08:04 AM

Hi Dave,

Thanks for the...post.  ;-)

So, just curious, if the money the USPS has expended without producing something of appropriate commercial or social value is not taxpayer money...then whose money is it?  The Postmaster General?

And where does the postage revenue come from?  Why, it is from the people who communicate through physical mail...both senders and receivers.  Yes, I include receivers because those of us who have a snail mail address end up receiving all kinds of junk through the distribution system that the postal service represents.  We receive the junk mail along with the meaningful mail...the stuff we want and/or need with the stuff we don't.  We have to take it and we don't get a choice.  We cannot simply "opt out" as we often can do when working via the Internet/WWW.  Therefore, we who receive are as important a part of the postage revenue system as those who buy the postage.  We all pay in one way or another.

Your clarification is valid.  Thank you.  Perhaps I should have written "public money" instead.

My point in my blog was not so much about the dollars, but instead the appropriateness of the activity, the value it represents, and the responsibility to do it 'right' in a technically sound, secure way.  The trust the USPS has accrued was built in an entirely different paradigm.  This trust, by itself, is no guarantee or assurance that they will get it right in the Internet paradigm.  Further, there is the issue of whether they should be doing it at all.  They are, after all, competing with private enterprises.  WHY?

Should government become an infosec vendor?  Maybe next we can look for a line of encryption products being sold by the NSA?  Or home network security products branded by the FBI?  Hmmm...maybe we have our answer to funding the Wall St. bailout.  Remember, you saw it here first.

Thanks for the feedback.  Keep it coming.

--Paul

dlavie
IQ Crew
Thursday September 25, 2008 3:23:47 AM

The USPS has been off the federal budget for quite some time now, 1970?

>Many consider it to have been a complete waste that squandered millions in taxpayer money<

They squandered revenue from postage sales.

I agree with the USPS not being the time stamp if they don't intend to back it up.

Dave (who works for the USPS)
