[Federal Register: August 27, 1997 (Volume 62, Number 166)]
[Notices]
[Page 45471-45473]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr27au97-133]

=======================================================================
-----------------------------------------------------------------------

POSTAL SERVICE

Specifications for Information Based Indicia Program (IBIP) Postal Security Devices and Indicia (Postmarks)

AGENCY: Postal Service.

ACTION: Notice of USPS response to public comments and availability of Specifications.

-----------------------------------------------------------------------

SUMMARY: The Postal Service received hundreds of comments in response to our Federal Register notices on the draft specifications for Information Based Indicia Program Postal Security Device (PSD) and Indicium. The Postal Service has reviewed all those comments and developed a response. Some of the comments were within the scope of the draft proposed specifications and some of the comments were not. Those within the scope of the draft proposed specifications have responses included herein. Those outside the scope of the draft proposed specifications will be included in subsequent responses. Some of the topics not dealt with herein include key management, host system specifications, cash management, certificate authority, product life-cycle management, mail classes, customer usage requirements, market research, procurement policy, product submission requirements, product/service provider infrastructure, and program development activities.

ADDRESSES: Copies of the draft PSD and Indicium specifications dated July 23, 1997, may be obtained from Ed Zelickman, United States Postal Service, 475 L'Enfant Plaza SW Room 1P801, Washington, DC 20260-6807. Comments should be submitted to the same address. These documents supersede all previously issued Indicium and PSD Specifications. Copies of all written comments may be inspected between 9 a.m.
and 4 p.m., Monday through Friday, at the above address.

DATES: All written comments must be received on or before October 27, 1997.

FOR FURTHER INFORMATION CONTACT: Ed Zelickman at (202) 268-3940.

SUPPLEMENTARY INFORMATION: The Postal Service received hundreds of comments on the proposed draft Information Based Indicia Program (IBIP) Indicia and Postal Security Device specifications (62 FR 37631, July 14, 1997). Those outside the scope of the draft proposed specifications will be dealt with in subsequent specifications and documents and will not be addressed herein.

Indicium Specification

Many comments were received regarding Indicium data contents. Generally, these comments fall into six categories:

1. Reserve Field Usage

The specific use of the reserved field has not been defined. Product Service Providers are welcome to suggest how the customer or service provider could best use this field. This field was installed in the indicia data set as a customer defined field.

2. The PSD Certificate in the Indicium

The USPS has included in the initial draft the PSD certificate in the indicia. The removal of the certificate in subsequent releases of these specifications is dependent upon the key management infrastructure.

3. Size and Format of the Indicium Fields

The USPS feels that all fields (except the reserve field) in the indicia contribute to either the security/verification of the indicia or the audit control of IBIP products. We will continue to explore replacement methods in an effort to reduce indicia size.

4. Rate Category Definition

The Rate category is defined in the draft DMM and CFR policies and is not defined in these documents.

5. Ascending Register as a Data Element

The ascending register along with the device ID provides absolute uniqueness to each indicium. The inclusion of the ascending register also provides one audit control data element.

6. Special Purpose Field

The special purpose field is included as an audit control field.
This data element within the barcode should match the human readable value on the mailpiece. If these two do not match, this could be a fraud indicator.

Many comments were received regarding the use of digital signatures and associated technology. Specifically, a question arose on use of varying hash functions within a given digital signature algorithm. Additionally, use of alternate algorithms was suggested. Recent discoveries concerning the use of one of the hash functions (MD5) specified in the PSD specification have prompted the USPS to modify the requirements to read that the hash function required is now SHA-1. The specification also indicates that the USPS will consider other equally secure digital signature algorithms. These changes will be included in the next release of the specifications.

A few comments were received regarding the selection of the error correction level. The recommended minimum error correction level was selected based on the data capacity of the Indicium. Product service providers are at liberty to use a higher error correction level. If additional data is added to the Indicium, the error correction level must be chosen to comply with the PDF417 standard.

A few comments were received regarding envelope issues. There is no requirement for indicia to be printed directly on the envelopes. Indicia could be printed on labels and those labels subsequently applied to envelopes, or indicia-window envelopes could be used.

Numerous comments were received regarding the size and position of the Indicium on the mailpiece. The PDF 417 barcode symbology offers great flexibility in tailoring its dimensions to the particular application. The 2-inch maximum barcode width was chosen so as not to infringe on the FIM or the OCR region. The X dimension feature size was the minimum considered acceptable for processing using USPS equipment.
Larger feature sizes can be used at the discretion of the product service provider to achieve the specified read rates. However, other issues such as printing technologies, paper physics, and required read rates should also be considered by the product service provider to arrive at an appropriate rate. All issues regarding positioning, format, and content of the envelope should be referred to the DMM, which is being updated to include provisions for IBIP. The Indicium must be visible from the front of the mailpiece. The Postal Service will continue to explore methods to minimize real estate requirements on envelopes while continuing to satisfy security, audit and control, administration, and customer value-added functions. Our position will be reflected in the next version of the specifications.

Numerous comments were received regarding reflectance issues. All issues regarding ink, reflectance and fluorescence should be referred to the DMM, which is being updated to include provisions for IBIP. The product service provider must evaluate the Indicium to ensure USPS readability and quality specifications are met. The product service provider is required to correct any deficiencies that are discovered from this evaluation.

A few comments were received regarding the minimum and maximum postage value issue. These values will be set by USPS policy.

Numerous comments were received regarding the aesthetics of the sample Indicium. Use of IBIP indicia is not mandatory; the Information Based Indicia represents a fourth form of postage. Design of mailpieces with regard to evidence of postage is left to the discretion of the product service provider so long as it is a USPS-recognized form of postage. As a result, the IBIP indicia design is left to the discretion of the product service provider so long as it is in compliance with the Indicium Specification and the Domestic Mail Manual (DMM).

Numerous comments were received regarding print contrast ratio issues.
IBIP does not limit requirements for paper selection and printing options. We encourage mailers to take sample mailpieces to their product service provider for evaluation. Mailpiece design analysis will determine pass or fail on a case-by-case basis.

A few comments were received regarding a Postal Service predisposition on print technology. No specific technology has been assumed for printing of the new indicia.

Numerous comments were received regarding readability rate. Mail submitted must comply with USPS read rate regulations. The readability of a barcode that represents postage is quite a different issue than reading a Postnet barcode. There are a number of modifiable factors that contribute to the readability of a barcode, and the product service provider must weigh the advantages and disadvantages of the particular path they have chosen to implement IBIP products.

Many comments were received regarding the selection of PDF-417 as the two-dimensional symbology. Alternate symbologies may be submitted for consideration, as part of product/service provider proposals.

Several comments were received regarding barcode characteristics. Most of the comments received concerned the specifications of a minimum mil feature size with a statement of concern that it was too small because it would lead to the USPS' not being able to achieve a 99.9 percent read rate. The USPS plans to hand scan/sample mailpieces in the initial phases of the IBIP program. The USPS will consider raising the minimum X dimension to 15 mils. With regard to the alignment (skew) tolerance of the barcode, the USPS has not specified the tolerance levels at this time.

Many comments were received regarding the requirement to use the facing identification mark (FIM). Additionally, comments were made suggesting changes to the existing FIM printing requirements because of the difficulty of printing close to the edge of an envelope.
FIM marks are needed for any IBIP mail subject to entry through our opening 010 operation. This includes mail dropped in collection boxes. No changes to existing FIM requirements are proposed in this rulemaking.

Many comments were received regarding the applicability of automation requirements to First-Class Mail. In order to provide customer capabilities to print evidence of postage using open systems including use of current desktop laser and ink jet printing technologies, fluorescent ink is not required. To compensate the handling of these mailpieces for facing, a facing identification mark (FIM) is required for IBIP mail. The requirement for inclusion of delivery point barcode and standardized addresses is for IBIP open systems only. This is a security-based requirement.

A few comments were received regarding mailpiece design issues. The USPS is not contemplating address block placement of the IBI symbology on letter/flat mail at this time. The USPS will entertain the placement of the indicia in a window of an envelope in the upper right corner as long as the read rate is met.

A few comments were received regarding use of ink types. If fluorescent ink is used, the facing identification mark is not required. Additionally, black ink is not required per se. It is the intent of IBIP for indicia to be produced using black ink.

Several questions and comments were received regarding key lengths with the digital signature. Some comments argued that the key length proposed is unnecessarily strong, increasing computation requirements and indicia size and resulting in more expensive meters. The key lengths chosen were selected to ensure adequate device lifetime against cryptographic attack.

Many comments were received regarding intellectual property and patent issues.
The specifications included references to intellectual property and patent issues to remind product service providers that technologies they chose to use in implementing IBIP may be subject to third party intellectual property rights. By including or referring to any specific technology in the specifications, the USPS does not purport to grant product service providers the right to use such technologies. The indemnification provision is included to protect the USPS against claims by third parties that a particular product service provider's product infringes third party intellectual property rights. Product service providers are responsible for securing any right, such as license rights, that may be necessary to develop IBIP systems. The USPS is internally studying intellectual property issues that may be raised by the specifications based on USPS use of this technology. The USPS does not intend to release the results of our internal studies at this time. The USPS will consider amendments to the specifications that may be helpful to the product service provider community and the public in avoiding or resolving intellectual property issues. Product service providers are encouraged to bring any known issues to USPS' attention as soon as possible.

Postal Security Device Specification

A few questions were received regarding postage loading amounts and the maximum and minimum postage value. It is not the intent of section 3.2.1.5 of the Draft PSD specification to imply that only rate break postage can be selected. The maximum and minimum postage value will be announced in the policy documents.

A few questions were received regarding the print function and whether the print functions are to be controlled by the PSD. The PSD specifications do not state that the PSD controls the print function.

A few comments were received regarding the use of the transaction ID. The transaction ID is PSD unique. All messages containing the transaction ID will be signed.

Many comments were received regarding the use of the term "IBIP Infrastructure" and its definition. The use of the term IBIP Infrastructure in the document was generalized at the time of the writing of the document to be referable to either the USPS or the product service provider. For further definition of the responsibilities of these, the Product Service Provider should contact the USPS under the Interim Product Submission Procedures. The proposed draft IBIP specifications are written with respect to a target system that assumes that a USPS infrastructure is in place to handle postage download, device audit, and other interactions. Until that infrastructure is in place, an interim product service provider-focused system will be used.

Many comments were received regarding resetting functions. At this time all postage value downloads or resettings will be handled by the product service providers through CMRS. All details for this issue can be found in draft CFR section 502.26, Computerized Remote Postage Resetting, and in The Cash Management Operating Specifications for the Computerized Remote Postage Meter Resetting System.

Several comments were received regarding the device audit message. Because of the digital signature creation and verification process that the Device Audit Message will be subjected to, both the format and content of this message must be specified.

Many comments were received regarding PSD functionality. The PSD will not be a general signature device, it will be used only for IBIP signatures. Additionally, the PSD is anticipated to be limited to the functionality detailed in the PSD specification. This will be reflected in the next iteration of the PSD documentation. In terms of remote loading of cryptographic keys into the PSD, the Postal Service is considering the possibility of this action. Our response will be reflected in the soon to be published draft Key Management Plan.

Several comments were received requiring PSD specification clarification. The proposed draft IBIP specifications are written with respect to a target system that assumes that a USPS infrastructure is in place to handle postage download and device audit, among other things. Until that infrastructure is in place, an interim product service provider-centric system will be used.

A comment was received regarding device authorization. When security is an issue, the USPS has a vested interest in the communications link between the customer and the product service provider even though the product service provider may own both ends of that communication circuit. All such communications, formats, protocols, and content will be subject to the approval of the USPS or its representatives.

A comment was received regarding the watchdog timer function. Yes, the watchdog timer is reset only after a successful device audit.

A large number of comments were received regarding PSD physical characteristics and FIPS 140-1 certification. The PSD must conform to the FIPS 140-1 requirements. All questions concerning FIPS validation testing should be directed to the specific NIST Cryptographic Module Testing laboratory chosen by the product service provider for validation testing. For further explanation regarding specific PSD design issues, please contact one of the NIST certified labs.

One comment was received regarding PSD testing. Testing of the PSD by the product service provider should ensure that the registers cannot be altered except as specified in the PSD specification.

Stanley F. Mires,
Chief Counsel, Legislative.
[FR Doc. 97-22695 Filed 8-26-97; 8:45 am]
BILLING CODE 7710-12-P