[aprssig] Certificate authentication (was: UNDEFINED?)

Heikki Hannikainen hessu at hes.iki.fi
Sat May 2 02:56:27 EDT 2020


On Fri, 1 May 2020, Nick VA3NNW wrote:

> "Create a valid SSL certificate from Logbook of the World" is an
> unacceptable gate:
>
> 1) It supposes the ARRL is, in any way, the right body to authenticate
> GLOBAL ham radio license holders.
> 2) It might suppose the ARRL is the ONLY body to authenticate global ham
> radio license holders.

Nick,

My original proposal that I presented in DCC 2013 about this suggested 
using a number of CAs, *one* of which would be LotW, because LotW is 
already available to a large ham population and it saves us a lot of work.

Of course it would only be logical to start accepting certificates from 
other CAs which promise to validate licenses and give out certs. There 
could be CAs from clubs and national organisations, or maybe even 
individual volunteers running CAs (perhaps software authors which have 
previously been checking licenses and giving out passcodes).

But LotW is already there and it's a good option for a lot of people since 
they've already got it set up.

> 3) It seems to require downloading and running an unknown / untrusted
> binary.

Oh come on, only a few nerds download and compile source code, and even 
*very* *few* nerds read through all of the source code before compiling 
and executing it. I'm in the IT security business too, but I think we 
should try to stay somewhat realistic.

> 4) It then seems to require posting a physical copy of your license
> document to the USA, also unacceptable / impractical in many parts of
> the world.

It seems like you didn't research the topic a lot. They used to require 
that, but it changed a few years back (I don't know when exactly, but 
it's been a while).

https://lotw.arrl.org/lotw-help/authentication/?lang=en says:

"This documentation can either be emailed to the ARRL, or can be presented 
in person to an in-country ARRL DXCC Card Checker, or can be sent by 
postal mail to the ARRL."

> 5) ... *AND* "your driver's license or passport". One of these is a
> license to DRIVE, the other is an international travel document, neither

I kind of understand that they try to make it a little bit harder to fake 
the license document by requiring additional proof of identity, but yeah, 
utility bills are easy to fake too. I sent in my Finnish electricity bill 
for laughs in 2012 or 2013 and I'm sure they could not decipher much of 
it. :)

> 6) Under GDPR legislation, any European person is perfectly entitled to
> request that their Personally Identifiable Information (PII) never leave
> the EU and never be processed outside the EU. This already excludes them
> from LotW if they wish to exercise those rights. Are they to be banned
> from APRS-IS, or deliberately throttled, for exercising their rights as
> an EU Person too?

No, the GDPR does not have such a requirement. There's a lot of 
misinformation floating around GDPR. Here's a good short FAQ set to read:

https://europa.eu/youreurope/business/dealing-with-customers/data-protection/data-protection-gdpr/index_en.htm#shortcut-6

"When personal data is transferred outside the EU, the protection offered 
by the GDPR should travel with the data. This means that if you export 
data abroad, your company must ensure one of the following measures are 
adhered to:" ... and then goes on to describe that the data must be still 
handled and protected as the GDPR requires.

> Don't get me wrong, SSL certs are not a bad idea, I mean it's a bit of a
> notable overhead for embedded devices but they're likely going through
> other gateways (EG iGates) before reaching APRS-IS, so I suspect you'd
> be fine. (UDP by the way?)

DTLS is there for UDP :)

Embedded devices are pretty powerful these days too, especially those 
which have wifi built in. TLS/SSL is not completely impossible, and it's 
already a must-have item for embedded things on the Internet anyway.

I agree there's plenty of overhead and difficulties. I'm expecting more 
difficulties with TLS use on amateur radio frequencies (Hamnet) where 
encryption is not allowed, since the TLS libraries and standards are 
removing the possibility to disable encryption and just use the 
authentication parts of the protocol. On the Internet there have been too 
many accidents where software was incorrectly built or configured and 
would accidentally accept NULL crypto algorithms.

> ... but SSL certs from a single CA, who requires legally-dubious export
> of PII (to the USA of all places) and who is condoning suspect security
> practices in order to generate that cert, awful idea.

It'd be silly to only accept a single CA. There should be the possibility 
to set up other CAs, and have them accepted.

I didn't export any PII other than my name, callsign, physical and email 
address when requesting a LOTW cert, and I'm totally fine with that. Oh, 
and our electricity use for a couple of months of 2013. Little more than 
what's on qrz.com.

   - Hessu, OH7LZB/AF5QT
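As an added example (not code from Hessu's post or from any APRS-IS or Hamnet software), the following Python check makes concrete the "accidentally accept NULL crypto" failure mode and the "accept several CAs" point from the message above. It audits a list of cipher suite names for the two groups OpenSSL calls eNULL (no encryption) and aNULL (anonymous key exchange), runs that audit over the suites Python's own `ssl` default context would negotiate, and builds a server context that requires a client certificate and excludes both groups explicitly. `SAMPLE_OFFERED` is a constructed list, not a capture; `hardened_context` and its `ca_files` parameter are hypothetical names chosen for this example.

```python
"""Audit a TLS cipher configuration for NULL-encryption and anonymous suites.

Added example, not code from the aprssig post. Cipher names follow OpenSSL's
naming: suites with no encryption carry "NULL" in the name (OpenSSL's eNULL
group) and anonymous key exchange uses an ADH-/AECDH- prefix (aNULL group).
IANA-style names (TLS_DH_ANON_WITH_..., ..._WITH_NULL_SHA) are handled too.
"""
import ssl

# Constructed sample of what a misconfigured peer might offer; not a real
# capture. Mixes normal suites with the ones such a deployment must refuse.
SAMPLE_OFFERED = [
    "TLS_AES_128_GCM_SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "NULL-SHA256",           # authentication only, no confidentiality
    "ECDHE-RSA-NULL-SHA",    # same, with ECDHE key exchange
    "ADH-AES128-SHA",        # encrypted but unauthenticated (anonymous DH)
    "AECDH-NULL-SHA",        # neither encryption nor authentication
]


def _parts(name):
    return name.upper().replace("_", "-").split("-")


def is_null_encryption(name):
    """True for suites that encrypt nothing (OpenSSL eNULL group)."""
    return "NULL" in _parts(name)


def is_anonymous(name):
    """True for suites whose key exchange is unauthenticated (aNULL group)."""
    parts = _parts(name)
    return parts[0] in ("ADH", "AECDH") or "ANON" in parts


def audit(names):
    """Return the offending suite names, grouped by what they lack."""
    return {
        "null_encryption": [n for n in names if is_null_encryption(n)],
        "anonymous": [n for n in names if is_anonymous(n)],
    }


def context_cipher_names(ctx):
    """Names of the TLS 1.2 and 1.3 suites a context would negotiate."""
    return [c["name"] for c in ctx.get_ciphers()]


def hardened_context(ca_files=()):
    """Server context that requires client certificates and forbids the
    eNULL/aNULL groups explicitly instead of relying on library defaults.

    ca_files: paths of trusted CA bundles (e.g. several license-checking CAs).
    Hypothetical parameter; nothing is loaded unless the caller passes paths.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # The explicit exclusions guard against a library build or a later
    # set_ciphers() call that would let NULL suites back in.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5")
    ctx.verify_mode = ssl.CERT_REQUIRED
    for path in ca_files:
        ctx.load_verify_locations(cafile=path)  # one call per trusted CA
    return ctx


def default_context_is_clean():
    """Does this Python/OpenSSL build's default context avoid both groups?"""
    report = audit(context_cipher_names(ssl.create_default_context()))
    return not report["null_encryption"] and not report["anonymous"]


def hardened_context_is_clean():
    """Hardened context: no eNULL/aNULL suites and client certs required."""
    ctx = hardened_context()
    report = audit(context_cipher_names(ctx))
    return (not report["null_encryption"] and not report["anonymous"]
            and ctx.verify_mode == ssl.CERT_REQUIRED)


if __name__ == "__main__":
    for group, names in audit(SAMPLE_OFFERED).items():
        print(f"{group}: {names}")
    print("default context clean:", default_context_is_clean())
    print("hardened context clean:", hardened_context_is_clean())
```

The audit is the check a deployment on the Internet wants to run and keep on. On Hamnet, where the post says only the authentication parts of TLS may be used, a NULL-encryption suite is precisely what such a deployment would have to allow, which is the tension the message describes: the same exclusions that prevent the accidents there are what current libraries are making impossible to lift.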
