[aprssig] Certificate authentication (was: UNDEFINED?)

Fri May 1 20:16:05 EDT 2020

>> After all, it's easy to create a 5-digit passcode,
>> but much harder to create a valid SSL certificate from Logbook of the
>> World.

"Create a valid SSL certificate from Logbook of the World" is an
unacceptable gate:

1) It supposes the ARRL is, in any way, the right body to authenticate
GLOBAL ham radio license holders.
2) It might suppose the ARRL is the ONLY body to authenticate global ham
radio license holders.
3) It seems to require downloading and running an unknown / untrusted
binary. I've worked in IT Security for over 25 years, and seem to spend
half my time teaching my users to *NEVER* do this sort of thing. Though
I recognise it's an attempt to "make SSL CSRs easy", it should NOT be
the only mechanism.
4) It then seems to require posting a physical copy of your license
document to the USA, also unacceptable / impractical in many parts of
the world.
5) ... *AND* "your driver's license or passport". One of these is a
license to DRIVE, the other is an international travel document, neither
of which are required to become a ham radio operator, or even
particularly related to the ham radio hobby (Except you MIGHT need one
for one type of Mobile, and the other for DXpeditions)
6) Under GDPR legislation, any European person is perfectly entitled to
request that their Personally Identifiable Information (PII) never leave
the EU and never be processed outside the EU. This already excludes them
from LotW if they wish to exercise those rights. Are they to be banned
from APRS-IS, or deliberately throttled, for exercising their rights as
an EU Person too?
7) ... and I'm not going to pretend GDPR is the only legislation
controlling international handling of PII either.

Don't get me wrong, SSL certs are not a bad idea, I mean it's a bit of a
notable overhead for embedded devices but they're likely going through
other gateways (EG iGates) before reaching APRS-IS, so I suspect you'd
be fine. (UDP by the way?)

... but SSL certs from a single CA, who requires legally-dubious export
of PII (to the USA of all places) and who is condoning suspect security
practices in order to generate that cert, awful idea.

> There were only 2 servers in the ssl.aprs2.net pool, one of
> which had an expired server certificate.

LetsEncrypt should be absolutely fine for server certs, they're free,
and you're only trying to prove you're "the real ssl.aprs2.net" or whatever.

I wish there was an equally easy way to prove I'm "the real VA3NNW", but
I don't think the ARRL is, in any way, the right body to do that,
especially via their current mechanisms.

>> Yes, this would be rough on hams in countries without easy contact to
>> the ARRL.
That's REALLY important. Ham radio is not just a USA hobby, it's a
thoroughly international one, perhaps THE most international hobby there
is   :-)
>> I didn't propose eliminating the older
>> authentication scheme, just making it painful enough to use that the
>> network hijackers will go away.

... but (say) "*EMAIL* a copy of your license document, or use other
locally-appropriate ways to verify your license to any of the following
globally-distributed CAs" would be fine here, especially given that
normal revocation mechanisms exist if it later turns out that someone
has falsely obtained an invalid "Ham Cert", or indeed has their actual
ham license revoked / expire later.

> we need a push to get support on the servers, and we also need to grow
> the list of organizations that could provide certificates.

Exactly! I hereby offer to help RAC validate VE/VA certs, if they want
my help.

> One of the activities of the HamBSD project is to provide a toolkit for operating
> such a CA to allow national clubs and/or regulators to take on the role
> of certificate issuance.  https://hambsd.org/pki.html

Cool, I haven't run BSD for years, but if there's any way I can help,
let me know. I don't have masses of free time, but when I do, I'm a ham,
crypto-hobbyist, coder (including a few APRS apps), and long-time
InfoSec professional with CA/PKI experience available to assist   :-)

Nick VA3NNW

-- 
"Nosey" Nick Waterman, VA3NNW/G7RZQ, K2 #5209.
use Std::Disclaimer;    sig at noseynick.net
One good turn gets most of the blankets.