A Digital Postmark (DPM) is a technology that applies a trusted time stamp issued by a postal operator to an electronic document, validates electronic signatures, and stores and archives all non-repudiation data needed to support a potential court challenge. It guarantees the certainty of date and time of the postmarking. This global standard was renamed the Electronic Postal Certification Mark (EPCM) in 2007[1] shortly after a new iteration of the technology was developed by Microsoft and Poste Italiane. The key addition to the traditional postmarking technology was integrity of the electronically postmarked item, meaning any kind of falsification and tampering will be easily and definitely detected.
Additionally, content confidentiality is guaranteed since document certification is carried out without access or reading by the postal operator. The EPCM will eventually be available through the UPU to all international postal operators in the 191 member countries willing to be compliant with this standard, thus granting interoperability in certified communications between postal operators. In the United States, the US Postal Service operates a non-global standard called the Electronic Postmark, although it is soon expected to provide services utilizing the EPCM.[2]
In the United States, until the end of 2010, Authentidate was the only authorized USPS EPM provider.[3] However, this contract was allowed to expire.[4]
- An electronic document is created
- Digital Postmarking client software signs the document locally
- The signed document is sent to the Digital Postmarking (DPM) service for postmarking
- Upon receipt, the DPM service first validates the authenticity of the signature
- If the signature is valid then a timestamp is generated by the DPM service as a counter-signature that includes the date and time
- The document, signature, validation results and timestamp are stored in the Digital Postmark non-repudiation database
- A Digital Postmark Receipt, including the validation results and the timestamp, is returned to the client software
- The client software wraps the original document with the DPM receipt
- To verify the signature, local cryptographic verification can do a quick check of integrity or the full receipt or even the original document can be retrieved from the DPM service using the XML Verify request by other parties at a later date and compared with the receipt stored with the document.[5]
The DPM is fundamentally a non-repudiation service supporting[6] designed to protect the sanctity of mail in its digital form:
- Digital signature verification
- Timestamping of successfully verified signatures
- Standalone timestamping
- Encryption
- Validation of certificate trust chains
- Storage and archival of all non-repudiation evidence data required to support subsequent challenges
- Legal significance. In addition to federal and state legislative frameworks, the DPM holds legal weight with respect to the following legislation, which have been established to encourage people to form and sign contracts and agreements electronically:
Working with current infrastructure, it is easy to implement - providing functionality even with no client-side software, and provides automated functionality with client software.
Additional benefits
- Proactive differentiation "good" email from spam and phishing.
- Improved service quality by applying the same standards that govern physical mail to email.
- Stronger authentication than other standards such as (Sender ID and DKIM).
- Compliance with all federal laws and regulations.
- Postal operator enforcement: Mail fraud is virtually non-existent with physical mail due to the legal framework and the vigorous efforts of the U.S. Postal Inspection Service. Digital Postmarks have the same legal recourse for email fraud as for physical mail fraud.
- Significant mailing cost reduction to only a few cents.
The Digital Postmark can be used for a variety of business applications:
- signing Web forms and documents
- delivery of secure documents
- interpersonal messaging
Key dates in the development of the digital postmark:[7]
- 1998–1999
- 1999
- The UPU Standards Board begins the process to develop a global technical standard (S43) for the digital postmark.
- 2001
- A workshop hosted by USPS decides on a consistent visual image for digital postmarks offered by Posts.
- 2002
- USPS launches its digital postmark, the "Electronic Postmark". Development work on the S43 standard is completed. Microsoft agrees to define and produce an interface in W2000/XP and Office 2000 and XP 2003 to support the digital postmark.
- 2003
- The UPU Standards Board formally adopts the S43 standard (See article) Archived 2007-06-11 at the Wayback Machine.
- It defined a technical standard – "S43 - Electronic PostMark Interface" – which was approved by the UPU Standards Board in November 2003 as a technical standard for the postal industry.
- Portugal’s postal service launches a legally recognized digital postmarks service.
- 2004
- The UPU Congress adopts a proposal to amend the UPU Convention to legally define the digital postmark, formally recognizing it as a new optional postal service.
- September: The UPU Legally Defined the EPM as a Postal Service (See article)
- This makes the EPM an optional postal service for UPU member countries, placing the EPM in the same category as Express Mail.
- The UPU definition provides international technological and enforcement standards Archived 2008-11-03 at the Wayback Machine.
- 2005
- Adobe agrees to support the inclusion of the digital postmark.
- La Poste France develops an S43-based digital postmark server. It is used as early as 2006.
- 2006
- The UPU Standards Board approves version 3 of the standard S43, the first to enable cross-border and global traffic using digital postmarks.
- January: The UPU Approved a DPM Regulation (See article)[permanent dead link]. This regulation was passed as an amendment with the letter mail regulation.
- Every postal service has a UPU regulation that manages the service and regulates how the posts will cooperate in that service. This makes it easier to assist member countries in developing the market for worldwide digital postmark services.
- This DPM Regulation has dramatically increased interest in the EPM worldwide.
- Poste Italiane develops a plug-in to enable Microsoft Office users to connect to a backend server, which delivers digital postmarks that comply with the UPU’s S43 technical standard.
- 2007
- April: The UPU Approved the renaming of Digital postmark to Electronic Postal Certification Mark EPCM
Recognizing the great potential of the Digital Postmark, numerous postal administrations worldwide have begun deploying DPM-based solutions. Five postal services – Canada, France, Italy, Portugal and the United States – have developed their own digital postmark and use it today. Major software developers are also working to incorporate the global standard into popular applications used by millions of people worldwide.[7]
- United States (first launched EPM in 1996; current EPM released March 2003)[8]
- France (first launch in 1999)
- Canada (launched 1st quarter 2003)
- Portugal (launched September 2003)
- Italy (launched 2005 by Poste Italiane as Posteitaliane.mail, now Posteitaliane.post)
- Egypt (contracted with provider 1st quarter 2005)
- Switzerland (contracted with provider July 2005)
- Brazil (contracted with provider 2004)
- China (preparing to launch)
- Netherlands (preparing to launch)
- United Kingdom (preparing to launch)
The Universal Postal Union (UPU) has identified trust services as the greatest opportunity for global postal growth. Specifically, they identified the Digital Postmark as the most important trust service; providing an excellent defense against online fraud and abuse.[citation needed]
The United States Postal Service (USPS) Electronic Postmark (EPM©) is a proprietary variation of the Digital Postmark issued by the USPS. It was introduced in 1996 by the U.S. Postal Service as a service offering that provides proof of integrity and authentication for electronic transactions.
Through the USPS EPM web-based service, any third-party can verify the authenticity of electronic content. This electronic proof, postmarked by the Postal Service, provides evidence to support non-repudiation of electronic transactions. The EPM is designed to deter and detect the fraudulent tampering or altering of electronic data.
Key features
The USPS wrote that the key features of their Electronic Postmark are:
- Content authentication web-based service (based upon American Bar Association PKI Guidelines) proves document authenticity and timestamp accuracy to detect and prevent fraud.
- Integrates easily into existing applications with standard-based interfaces.
- Verify options include; local (self contained) & centralized (Internet based).
- Verification is free.
- 128 Bit SSL encryption insuring privacy and security of communications.
- Data stays private. Service never has access to your content and requires no modification or transmission of content. (only a hash code of the file is logged as evidence of authenticity.)[9]
US legal environment
The USPS listed laws relevant to EPM as follows:
- 18 U.S.C. §1343 Wire Fraud
- 18 U.S.C. §2701 Electronic Communications Privacy Act (ECPA)
- 18 U.S.C. §2510 regarding electronic communications. Definitions (17)Electronic storage means
- (A) any temporary, intermediate storage of a wire or electronic communication incident to the electronic transmission thereof
- (B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication.
- 18 U.S.C. §2710 regarding unlawful access to stored electronic communications
- 18 U.S.C. §1028, Fraud and related activity in connection with identification documents and information
- 18 U.S.C. §1029, Fraud and related activity in connection with access devices.[10]
Other definitions
A Digital Postmark (DPM) is also a network security mechanism, developed by Penn State researchers Ihab Hamadeh and George Kesidis, to identify which region a packet or a set of packets comes from. It was developed as a way to combat spam and denial-of-service (virus) attacks by isolating the source of such attacks, while still allowing "good" messages to pass through.
A digital postmark works when a perimeter router marks up a packet border with its region-identifying data. Also called a "border router packet marking", it uses an obsolete or unused portion of the packet to place the regional mark-up. When room does not exist in any one portion of the packet, the region information can be broken up and hashed in a subsequently retrievable way.