[aprssig] Certificate authentication (was: UNDEFINED?)

david vanhorn kc6ete at gmail.com
Fri May 1 20:29:48 EDT 2020 

Would it be possible to authenticate by using PGP, as a "circle of trust"?


On Fri, May 1, 2020 at 6:16 PM Nick VA3NNW <tapr at noseynick.com> wrote:

>
> >> After all, it's easy to create a 5-digit passcode,
> >> but much harder to create a valid SSL certificate from Logbook of the
> >> World.
>
> "Create a valid SSL certificate from Logbook of the World" is an
> unacceptable gate:
>
> 1) It supposes the ARRL is, in any way, the right body to authenticate
> GLOBAL ham radio license holders.
> 2) It might suppose the ARRL is the ONLY body to authenticate global ham
> radio license holders.
> 3) It seems to require downloading and running an unknown / untrusted
> binary. I've worked in IT Security for over 25 years, and seem to spend
> half my time teaching my users to *NEVER* do this sort of thing. Though
> I recognise it's an attempt to "make SSL CSRs easy", it should NOT be
> the only mechanism.
> 4) It then seems to require posting a physical copy of your license
> document to the USA, also unacceptable / impractical in many parts of
> the world.
> 5) ... *AND* "your driver's license or passport". One of these is a
> license to DRIVE, the other is an international travel document, neither
> of which are required to become a ham radio operator, or even
> particularly related to the ham radio hobby (Except you MIGHT need one
> for one type of Mobile, and the other for DXpeditions)
> 6) Under GDPR legislation, any European person is perfectly entitled to
> request that their Personally Identifiable Information (PII) never leave
> the EU and never be processed outside the EU. This already excludes them
> from LotW if they wish to exercise those rights. Are they to be banned
> from APRS-IS, or deliberately throttled, for exercising their rights as
> an EU Person too?
> 7) ... and I'm not going to pretend GDPR is the only legislation
> controlling international handling of PII either.
>
> Don't get me wrong, SSL certs are not a bad idea, I mean it's a bit of a
> notable overhead for embedded devices but they're likely going through
> other gateways (EG iGates) before reaching APRS-IS, so I suspect you'd
> be fine. (UDP by the way?)
>
> ... but SSL certs from a single CA, who requires legally-dubious export
> of PII (to the USA of all places) and who is condoning suspect security
> practices in order to generate that cert, awful idea.
>
> > There were only 2 servers in the ssl.aprs2.net pool, one of
> > which had an expired server certificate.
>
> LetsEncrypt should be absolutely fine for server certs, they're free,
> and you're only trying to prove you're "the real ssl.aprs2.net" or
> whatever.
>
> I wish there was an equally easy way to prove I'm "the real VA3NNW", but
> I don't think the ARRL is, in any way, the right body to do that,
> especially via their current mechanisms.
>
> >> Yes, this would be rough on hams in countries without easy contact to
> >> the ARRL.
> That's REALLY important. Ham radio is not just a USA hobby, it's a
> thoroughly international one, perhaps THE most international hobby there
> is   :-)
> >> I didn't propose eliminating the older
> >> authentication scheme, just making it painful enough to use that the
> >> network hijackers will go away.
>
> ... but (say) "*EMAIL* a copy of your license document, or use other
> locally-appropriate ways to verify your license to any of the following
> globally-distributed CAs" would be fine here, especially given that
> normal revocation mechanisms exist if it later turns out that someone
> has falsely obtained an invalid "Ham Cert", or indeed has their actual
> ham license revoked / expire later.
>
> > we need a push to get support on the servers, and we also need to grow
> > the list of organizations that could provide certificates.
>
> Exactly! I hereby offer to help RAC validate VE/VA certs, if they want
> my help.
>
> > One of the activities of the HamBSD project is to provide a toolkit for
> operating
> > such a CA to allow national clubs and/or regulators to take on the role
> > of certificate issuance.  https://hambsd.org/pki.html
>
> Cool, I haven't run BSD for years, but if there's any way I can help,
> let me know. I don't have masses of free time, but when I do, I'm a ham,
> crypto-hobbyist, coder (including a few APRS apps), and long-time
> InfoSec professional with CA/PKI experience available to assist   :-)
>
> Nick VA3NNW
>
> --
> "Nosey" Nick Waterman, VA3NNW/G7RZQ, K2 #5209.
> use Std::Disclaimer;    sig at noseynick.net
> One good turn gets most of the blankets.
>
>
>
> _______________________________________________
> aprssig mailing list
> aprssig at lists.tapr.org
> http://lists.tapr.org/mailman/listinfo/aprssig_lists.tapr.org
>


-- 
K1FZY (WA4TPW) SK  9/29/37-4/13/15
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.tapr.org/pipermail/aprssig_lists.tapr.org/attachments/20200501/c8099414/attachment.html>

More information about the aprssig mailing list