Postal Service validates digital certificates with face-to-face confirmations
BY WILLIAM JACKSON | GCN STAFF
The Postal Service will offer an extra, in-person validation service for the digital certificates it issues.
USPS is providing its NetPost.Certified digital certificates online to the Social Security Administration, whose neighbor, the Health Care Financing Administration, is the first customer to call for the second layer of security.
'Identity verification is the weak link in digital certificates now,' said Stephen M. Kearney, USPS senior vice president for corporate and business development.
HCFA users who receive digital certificates must go to a local post office to have their identities confirmed in person.
The service soon will be available to any USPS digital certificate customer. 'This will be driven by customer demand,' Kearney said.
A digital certificate is an electronic identifier issued by a trusted authority, in this case the Postal Service, for making online transactions. The certificate can be stored on a hard drive, a floppy disk, a smart card or another device. It can be used for encryption or decryption and to verify the sender and recipient of documents by comparing their certificates against information held by the issuing authority.
NetPost.Certified, introduced earlier this year [GCN, Jan. 22, Page 5], uses Postal Service certificates to secure and authenticate electronic correspondence between participating government agencies.
Tighter security
The Secure Sockets Layer connections in most Web browsers encrypt messages only during transmission. In contrast, messages sent via NetPost.Certified remain encrypted until recipients decrypt them, which generates electronic delivery verification.
HCFA's Dennis Stricker says VISION users will enroll online, then go to a nearby post office to confirm their identity for digital certificates.
HCFA is using the in-person service for its Vital Information System for Improved Outcome and Nephrology. VISION lets renal dialysis centers report information electronically.
Nearly all the nation's 3,900 dialysis centers for end-stage renal disease now send information to HCFA on paper. In the initial VISION pilot, a few centers have been submitting data over a secure extranet, said Dennis Stricker, information systems group director in HCFA's Office of Clinical Standards and Quality.
About 45 sites on the East Coast are using NetPost.Certified to submit information securely over the Internet.
The degree of security depends in part on the stringency of the identification process when digital certificates are issued. For the VISION program, the Postal Service will use 1,400 post offices that already verify identities of people applying for passports.
VISION users will enroll with the Postal Service online and then receive a form in the mail that gives the location of the nearest of 46 participating post offices.
Double confirmation
VISION users must bring the form and two types of identification (a photo ID and a document verifying address, such as a bill or mortgage statement) to the post office.
A postal employee will verify the information, and the users will receive e-mail notification when their digital certificates are ready for downloading from a Postal Service Web site. VISION certificates will be stored on a smart card.
Stricker said HCFA hopes to move VISION to full production by the end of the year. He said the Postal Service can enforce security in its digital certificate program because, unlike other certificate authorities, it has a legal bite to back up its bark.
Misrepresentation to a postal employee is a federal crime, and postal inspectors have the guns and badges to pursue violators.