As it looks to stake out and control strategic ground in national and international e-commerce, the U.S. Postal Service has set its sights on trusted time-stamping, which can be thought of as an electronic postmark. Unfortunately, the way it plans to certify licensees violates both common sense and the basic tenets of solid information security policy.
Why does the USPS think electronic postmarks (EPMs) are natural add-ons to its handling and delivery of physical mail? In its argument, the USPS points to assets like its size and trustworthiness, as well as its Postal Inspection Service unit for legitimacy and enforcement.
Opposing the USPS is an energetic, pugnacious entrepreneur named Rick Borgers, founder of a private, for-profit (which is a good thing) time-stamping company named Digistamp. Borgers has done a remarkable job of mounting his own one-man, one-company opposition.
Also opposing the USPS is the bulk of the commercial time-stamping industry, as represented by the Information Assurance Consortium. Plus, there's a congressional mandate that the USPS cease all non-postal services; Congress authorized the Postal Regulatory Commission to ensure USPS compliance with this mandate.
There are several problems here. First there is the fact that the USPS currently has no technical experts or resident expertise in the technology of trusted time-stamping. They may have had this at one time, but it was more than seven years ago, and the expertise then present was acquired while the USPS was in the process of building a Certificate Authority (Public Key Infrastructure, or PKI). The program was eventually abandoned.
Many consider it to have been a complete waste that squandered millions in taxpayer money. The idea had been that the USPS was going to be a certificate authority and issue identity credentials and time stamps among other things. This was its first foray; the second came in 2001 when it decided to outsource the time stamping technology piece to a single, third-party licensee, a company named Authentidate. Under that plan, the USPS would focus on monetizing the USPS EPM brand.
How well did this work commercially? In 2007 the USPS generated $135,000 in revenues from EPM, down from $225,000 in 2006, according to page 11 of the revenue report. My guess is it spent more money on legal fees negotiating the license terms with the licensee than it generated in revenues.
Now, the USPS is trying a third business model: licensing multiple parties, similar to the way it's successfully changed the way it sells postage. While this may seem closer to being on the right track, the devil is in the details… details like making sure it is secure and warrants the trust the USPS so boldly asserts. While there are published standards that address the security of trusted time-stamping systems, the USPS unfortunately has chosen to ignore the American National Standard, X9.95-2005, or even the IETF technical protocol, RFC 3161.
Instead, the USPS got together with its fellow international postal organizations to create their own standard. Does this standard include criteria for audit and certification? No. Does the USPS EPM program include a defined accreditation or certification process for licensees? No. Instead, the USPS has decided to let licensees self-certify. Really! Don't laugh. It's built the current model around self-certification.
We in the information security world recognize this as being conceptually equivalent to allowing kids taking the SAT or ACT to grade their own exams. Consider the implications of this. The failure of a USPS EPM due to sloppy management of the signing keys involved (via PKI) by the licensees, for example, could send shockwaves through the market and destroy the very trust of trusted timestamps. The failure of one USPS licensee could poison the market for all legitimate, non-USPS time stamping vendors.
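To make the key-management point concrete, here is an added illustration that is not part of the original column and is not code from the USPS, Authentidate or any licensee. It models a trusted time-stamp token loosely on RFC 3161 (a hashed message imprint, an asserted generation time, a serial number and a signature over those fields), with two constructed simplifications: an HMAC stands in for the time-stamp authority's asymmetric signature so the script runs on the standard library alone, and a canonical JSON encoding stands in for DER. The keys, times and document text are constructed sample values. The last case in `key_custody_is_the_trust_anchor` is the one the paragraph above warns about: a token produced with a leaked signing key and an earlier asserted time passes every check a relying party can run, including a key-revocation check, because the token claims a time before the revocation. Nothing in the verifier can catch that; only the custody of the key, and an independent audit of it, protects the trust.

```python
"""Simplified RFC 3161-style time-stamp token (constructed teaching example)."""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TimeStampToken:
    message_imprint: str  # hex SHA-256 of the stamped document
    gen_time: int         # Unix time the TSA asserts it saw the imprint
    serial: int           # unique per token, like RFC 3161's serialNumber
    signature: str        # hex MAC over the canonical fields (stand-in for the TSA signature)


def message_imprint(document: bytes) -> str:
    """The relying party sends only this hash to the TSA, never the document."""
    return hashlib.sha256(document).hexdigest()


def _canonical(imprint: str, gen_time: int, serial: int) -> bytes:
    # Deterministic encoding of the signed fields (assumed, in place of DER).
    return json.dumps(
        {"imprint": imprint, "genTime": gen_time, "serial": serial}, sort_keys=True
    ).encode()


class TimeStampAuthority:
    """Issues tokens; whoever holds `signing_key` can issue tokens indistinguishably."""

    def __init__(self, signing_key: bytes) -> None:
        self._key = signing_key
        self._serial = 0

    def issue(self, imprint: str, now: Optional[int] = None) -> TimeStampToken:
        gen_time = int(time.time()) if now is None else now
        self._serial += 1
        sig = hmac.new(
            self._key, _canonical(imprint, gen_time, self._serial), hashlib.sha256
        ).hexdigest()
        return TimeStampToken(imprint, gen_time, self._serial, sig)


def verify(
    token: TimeStampToken,
    document: bytes,
    tsa_key: bytes,
    key_revoked_at: Optional[int] = None,
) -> bool:
    """Everything a relying party can check: imprint, signature, revocation time."""
    if message_imprint(document) != token.message_imprint:
        return False
    expected = hmac.new(
        tsa_key,
        _canonical(token.message_imprint, token.gen_time, token.serial),
        hashlib.sha256,
    ).hexdigest()
    if not hmac.compare_digest(expected, token.signature):
        return False
    # A token dated after the key's revocation is rejected...
    if key_revoked_at is not None and token.gen_time >= key_revoked_at:
        return False
    return True


def key_custody_is_the_trust_anchor() -> dict:
    """Shows which failures verification catches and which one it cannot."""
    doc = b"constructed sample contract text"
    key = b"constructed-tsa-signing-key"
    imprint = message_imprint(doc)
    revoked_at = 1_250_000_000  # constructed revocation time

    honest_tsa = TimeStampAuthority(key)
    genuine = honest_tsa.issue(imprint, now=1_200_000_000)
    late = honest_tsa.issue(imprint, now=1_300_000_000)

    # Same key held by someone else after sloppy custody: the token simply
    # asserts a time before the revocation, so the revocation check is blind to it.
    leaked_key_holder = TimeStampAuthority(key)
    backdated = leaked_key_holder.issue(imprint, now=1_000_000_000)

    return {
        "genuine_verifies": verify(genuine, doc, key, revoked_at),
        "tampered_document_fails": verify(genuine, doc + b"x", key, revoked_at),
        "wrong_key_fails": verify(genuine, doc, b"other-key", revoked_at),
        "post_revocation_time_fails": verify(late, doc, key, revoked_at),
        "backdated_with_leaked_key_verifies": verify(backdated, doc, key, revoked_at),
    }


if __name__ == "__main__":
    for case, result in key_custody_is_the_trust_anchor().items():
        print(f"{case}: {result}")
```

The design point for a certification regime follows directly: the checks in `verify` are exactly what a court or auditor could reproduce after the fact, and none of them distinguishes an honest token from a backdated one produced with the same key. Key-custody controls (hardware protection, dual control, logging of every issuance, independent audit of those logs) are what the published standards require of the authority, and they are precisely what self-certification leaves unexamined.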
Let us take lessons from the past. Arthur Andersen was once among the most trusted names in business. This was prior to Enron. Thanks to Arthur Andersen and Enron, we all know what happens when trust is betrayed. We cannot afford, and should not permit, poor governance models and weak administration to set us up again for a systemic failure -- especially when it involves a quasi-governmental agency that is immune from lawsuits or private rights of action.
Some may say that the existence of the Postal Inspection Service would mitigate against any violation or impropriety. And it might, if the USPS actually intended to use it. When asked if the Postal Inspection Service would stand behind the EPMs, including providing expert testimony on behalf of a customer in the event of a legal or regulatory dispute, the simple and telling answer was, "No."
If the USPS wants to be involved in the overall market for trusted time stamps, it should be for valid reasons, not just because of its size… or because it's in danger of becoming less relevant to the broader market. The idea of the Postal Regulatory Commission allowing the USPS to continue as it is or even expanding its authorization is simply nuts, in my opinion. If and when a failure occurs, my bet is that someone is indeed going to go postal.
— Paul Doyle, independent consultant and co-founder of the Information Assurance Consortium
This blog is part of Internet Evolution’s Security Clan, which looks at the present and future threats to Internet security and the methods being used to defend and protect users and organizations.