THE CUTTING EDGE: COMPUTING / TECHNOLOGY / INNOVATION : Can the Postal Service Be the Guarantor of Honesty on the Internet?
Like many cyberspace denizens, I avoid the Postal Service at all costs, limiting my interactions with this hoary institution to the uncomplaining receipt of its daily load of junk and bills. Wherever possible, I send messages by telephone, electronic mail or fax.
In the not-so-distant future, though, people like me may find ourselves using the Postal Service on a much more regular basis. That’s because of a Postal Service plan to establish a digital certification authority enabling Internet users to receive--and send--e-mail that absolutely, positively comes from the person who claims to have sent it, and probably hasn’t been changed en route. The Postal Service also plans to offer electronic postmarking, so senders and recipients of e-mail can have ironclad evidence of the precise date and time of any message.
The Postal Service plan is a welcome sign of life from an agency whose ineptitude is sometimes credited with helping to spur the communications revolution now under way. Yet it’s unclear whether the sprawling postal bureaucracy is ready for any direct role in the digital future, and its approach is hardly entrepreneurial. Postal officials with whom I spoke seemed almost deferential in the face of competition, and in fact the Postal Service isn’t the only one with a digital authentication plan.
VeriSign Inc., a Silicon Valley spinoff of RSA Data Security Inc., already offers a service for authenticating Internet identities in a function akin to that of a notary. (RSA is the licensing company formed by the MIT professors who pioneered dual-key encryption.) The Postal Service hopes, sometime next year, to make a similar authentication service available to the virtual masses.
Postal digital certification would be based on the dual-key concept, which is the basis of PGP, or Pretty Good Privacy, the free encryption software widely available in cyberspace and described here in an earlier column. Among other things, PGP permits users to sign an electronic message with a private digital “key.” This signature can be unlocked only by the corresponding public key. Thus, I can sign a piece of e-mail with my private key and send it to someone who can use my public key to make certain that the message is from me and that it hasn’t been altered since it was signed.
But can the recipient really be so sure? How does someone receiving such a message know that a con artist posing as me hasn’t put out a bogus public key, one that corresponds to his private key rather than mine? Or what if my public key, which you’re retrieving from some far-flung location on the Internet, is tampered with en route to your computer?
“Right now there is no way to figure out if messages on the Internet have been tampered with, nor is there any way to authenticate the genuine identity of a sender,” said Paul Raines, who manages the Postal Service’s electronic commerce efforts. “It could be a dog on the other end of the Internet now for all you know.”
Enter the Postal Service. The idea is to set up a system in which I could go down to the local post office, pay a few dollars, present some solid identification and hand over a disk containing my public key. The Postal Service, having seen proof that I’m me, can then incorporate my public key into an electronic “certificate” affirming the key’s validity.
This certificate would contain not just my public key but some other information, such as when the certificate expires, and would be signed by the Postal Service’s private key. The certificate would be added to the service’s official certificate server, so that anyone could obtain it by e-mail or via the World Wide Web for a small fee.
From then on, someone who gets a message signed with my private key can check its validity using my public key, knowing that because the public key came from the Postal Service it is either pristine or would reveal any tampering.
The Postal Service has several things going for it in this venture.
* Ubiquity. America’s 40,000 post offices make the Postal Service ideal for physical identification of those presenting public keys. (The only danger is that by the time you get to the front of the line, you’ve got a beard that isn’t shown in your driver’s license photo.)
* Legality. The agency says that using a Postal Service electronic authentication certificate for fraudulent purposes would be a clear-cut federal offense.
* Credibility. Stop snickering. The Postal Service dates back to Benjamin Franklin, after all, and we still entrust it with checks and other important material despite the piles of old mail that occasionally turn up under a bridge. The Postal Service is ideally suited to serve as an objective third party.
The agency’s stated goal in all this is to carry out its mission, which Raines said is “to bind the nation together through the correspondence of its people,” in an age when this correspondence is increasingly electronic.
Personally, I think the Postal Service could be doing more. For instance, local free-nets have sprung up in a number of American cities, including Los Angeles, to offer e-mail and limited Internet access at little or no charge. Why shouldn’t the Postal Service find a way to extend this concept all over the country? The glut of surplus 286 and other “obsolete” computers would be more than up to this task. Or perhaps the agency could rent people e-mail boxes, the way it now rents postal boxes. And how about leasing to the public no-frills fax machines, at cost, for residential use?
But I suppose the Postal Service has to walk before it runs. I’m just glad it’s moving at all.
*
Daniel Akst welcomes messages at akstd@news.latimes.com
(BEGIN TEXT OF INFOBOX / INFOGRAPHIC)
Local Listings
Last week’s column on using the Internet for practical things like finding phone numbers struck a chord in many readers, but Yigal Arens of USC’s Information Sciences Institute found something I overlooked: “While you note that phone books for Switzerland and France are available on the Net, you forgot phone listings for California! Try https://phone.itis.com.” Sure enough, it works beautifully, proving once again that nobody knows more than my readers.
