This section provides a general overview of the responsibilities of the Postal
Service RAs, Service Providers, Applicants, and Relying Parties in the
context of IPP. Additional obligations may be set forth in other contracts or in
policies promulgated by a Service Provider. Applicants and Relying Parties
must read all relevant documentation before applying for, accepting, using, or
relying on digital certificates.
The Postal Service will provide that IPP is performed only by IPP RAs who
are obligated to comply with this policy.
The Postal Service shall provide a specification for the creation of identity
verification (IDVF) forms (PS Form 2001, forthcoming) by Service Providers.
The IPP RA is responsible for the performance of IPP in accordance with the
policy contained in this document and the procedure specified below.
For each IDVF form presented by an Applicant at a participating retail office,
an IPP RA will do the following:
a. Compare the identifying documents listed on the IDVF form with those
presented by the Applicant, and compare the Applicant's physical
appearance with the photographic image contained on the identifying
documents.
b. Observe the Applicant's signing of the IDVF form.
c. Apply a round date stamp to the IDVF form.
d. Initial the IDVF form.
e. Place the IDVF form (PS Form 2001, forthcoming) in the accountable
mail bin.
At the end of each day, the unit manager (or his or her designee) retrieves all
IDVF forms, scans the barcode on each form with the Mobile Data Collection
Device (MDCD) scanner, and mails the original IDVF forms to the appropriate
Service Provider at the address preprinted on the IDVF form using a
letter-sized window envelope with G-10 permit.
On a nightly basis, the Postal Service transmits to each Service Provider a
record of all barcodes scanned at participating retail offices from IDVF forms
generated by that Service Provider.
A Service Provider shall do the following:
a. Enter into an IPP Service Agreement with the Postal Service before
offering the IPP service.
b. Require all Applicants to meet the requirements of Section 1.3.3 of this
document.
c. Retain the original signed IDVF forms mailed by the Postal Service to
the Service Provider for a period of 7 years.
d. Provide access to the completed IDVF forms, Applicant data, and
IPP-related financial activity information at the request of the United States
Postal Inspection Service or the Postal Service Office of Inspector
General for review, audit, and investigative purposes.
e. Maintain IPP financial activity records sufficient to produce and
reconcile monthly reports and payments to the Postal Service.
f. Incorporate this policy by reference into the primary policy document
(e.g., certificate policy) used by the Service Provider to govern the
operation of its service.
g. Incorporate the IDVF form specification defined by the Postal Service
into the design and operation of the Service Provider's identity
verification process.
h. Produce sample IDVF forms to be used by the Postal Service for
compliance testing.
i. Issue IDVF barcodes within the defined range of sequence numbers
supplied by the Postal Service and listed in the IPP Service Agreement.
j. Provide customer support for Applicants.
k. Include the following in its identity verification process:
(1) A verification of the Applicant's physical residential address via
First-Class Mail® with a "Return Service Requested"
endorsement.
(2) Use of a Patriot Act-compliant database vetting process to gain
initial assurance of an Applicant's identity before sending the
Applicant to the Post Office for IPP.
l. Verify that the Applicant has undergone IPP within the 4 years
immediately preceding the issuance of any digital certificate supported
by IPP.
m. Publish its certificate policy related to its issuance of digital certificates
supported by IPP and make that policy freely available so that Relying
Parties and Applicants can determine whether the digital certificate is
suitable for an intended use.
n. Enter into an agreement with the Postal Service that includes standard
pricing, service level commitments, IPP Policy compliance, and liability
and service termination provisions, as well as such other terms and
conditions as may be included.
o. Have sufficient privacy and security safeguards that meet the approval
of the Postal Service.
p. Operate the CA to enable the broadest practical use of IPP-based
digital certificates. This includes the following:
(1) Issuing, at a minimum, a daily certificate revocation list to better
allow users to rely upon the certificates.
(2) Passing an external CA audit in accordance with industry best
practices, such as "AICPA/CICA WebTrust Program for Certificate
Authorities."
(3) Achieving interoperability with the Federal Bridge for Certificate
Authorities.
(4) Mapping the common object identifier (USPS-registered OID) for
IPP-based digital certificates into the policy mapping extension of
the digital certificate. The official OID is as follows:
2.16.840.1.113901.175 - ID Verified by the US Postal Service
An Applicant must do the following:
a. Agree to abide by the policy contained in this document and the Service
Provider's policies and related agreements, which incorporate this
policy.
b. Attest to the accuracy of any information provided by the Applicant and
the authenticity of the identification documents presented by the
Applicant to an IPP RA by signing the IDVF form in the presence of the
IPP RA.
Before relying on a digital certificate supported by IPP, a Relying Party must
do the following:
a. Read this document and the Service Provider's published policies,
which incorporate the policy contained in this document.
b. Abide by any restrictions imposed by the Service Provider in its
published policies regarding who may rely on a digital certificate and
the purposes for which a digital certificate supported by IPP may be
used.