<div dir="ltr"><div>Would it be possible to authenticate by using PGP, as a "circle of trust"? <br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, May 1, 2020 at 6:16 PM Nick VA3NNW <<a href="mailto:tapr@noseynick.com">tapr@noseynick.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
>> After all, it's easy to create a 5-digit passcode,<br>
>> but much harder to create a valid SSL certificate from Logbook of the<br>
>> World.<br>
<br>
"Create a valid SSL certificate from Logbook of the World" is an<br>
unacceptable gate:<br>
<br>
1) It supposes the ARRL is, in any way, the right body to authenticate<br>
GLOBAL ham radio license holders.<br>
2) It might suppose the ARRL is the ONLY body to authenticate global ham<br>
radio license holders.<br>
3) It seems to require downloading and running an unknown / untrusted<br>
binary. I've worked in IT Security for over 25 years, and seem to spend<br>
half my time teaching my users to *NEVER* do this sort of thing. Though<br>
I recognise it's an attempt to "make SSL CSRs easy", it should NOT be<br>
the only mechanism.<br>
4) It then seems to require posting a physical copy of your license<br>
document to the USA, also unacceptable / impractical in many parts of<br>
the world.<br>
5) ... *AND* "your driver's license or passport". One of these is a<br>
license to DRIVE, the other is an international travel document, neither<br>
of which are required to become a ham radio operator, or even<br>
particularly related to the ham radio hobby (Except you MIGHT need one<br>
for one type of Mobile, and the other for DXpeditions)<br>
6) Under GDPR legislation, any European person is perfectly entitled to<br>
request that their Personally Identifiable Information (PII) never leave<br>
the EU and never be processed outside the EU. This already excludes them<br>
from LotW if they wish to exercise those rights. Are they to be banned<br>
from APRS-IS, or deliberately throttled, for exercising their rights as<br>
an EU Person too?<br>
7) ... and I'm not going to pretend GDPR is the only legislation<br>
controlling international handling of PII either.<br>
<br>
Don't get me wrong, SSL certs are not a bad idea, I mean it's a bit of a<br>
notable overhead for embedded devices but they're likely going through<br>
other gateways (EG iGates) before reaching APRS-IS, so I suspect you'd<br>
be fine. (UDP by the way?)<br>
<br>
... but SSL certs from a single CA, who requires legally-dubious export<br>
of PII (to the USA of all places) and who is condoning suspect security<br>
practices in order to generate that cert, awful idea.<br>
<br>
> There were only 2 servers in the <a href="http://ssl.aprs2.net" rel="noreferrer" target="_blank">ssl.aprs2.net</a> pool, one of<br>
> which had an expired server certificate.<br>
<br>
LetsEncrypt should be absolutely fine for server certs, they're free,<br>
and you're only trying to prove you're "the real <a href="http://ssl.aprs2.net" rel="noreferrer" target="_blank">ssl.aprs2.net</a>" or whatever.<br>
<br>
I wish there was an equally easy way to prove I'm "the real VA3NNW", but<br>
I don't think the ARRL is, in any way, the right body to do that,<br>
especially via their current mechanisms.<br>
<br>
>> Yes, this would be rough on hams in countries without easy contact to<br>
>> the ARRL.<br>
That's REALLY important. Ham radio is not just a USA hobby, it's a<br>
thoroughly international one, perhaps THE most international hobby there<br>
is :-)<br>
>> I didn't propose eliminating the older<br>
>> authentication scheme, just making it painful enough to use that the<br>
>> network hijackers will go away.<br>
<br>
... but (say) "*EMAIL* a copy of your license document, or use other<br>
locally-appropriate ways to verify your license to any of the following<br>
globally-distributed CAs" would be fine here, especially given that<br>
normal revocation mechanisms exist if it later turns out that someone<br>
has falsely obtained an invalid "Ham Cert", or indeed has their actual<br>
ham license revoked / expire later.<br>
<br>
> we need a push to get support on the servers, and we also need to grow<br>
> the list of organizations that could provide certificates.<br>
<br>
Exactly! I hereby offer to help RAC validate VE/VA certs, if they want<br>
my help.<br>
<br>
> One of the activities of the HamBSD project is to provide a toolkit for operating<br>
> such a CA to allow national clubs and/or regulators to take on the role<br>
> of certificate issuance. <a href="https://hambsd.org/pki.html" rel="noreferrer" target="_blank">https://hambsd.org/pki.html</a><br>
<br>
Cool, I haven't run BSD for years, but if there's any way I can help,<br>
let me know. I don't have masses of free time, but when I do, I'm a ham,<br>
crypto-hobbyist, coder (including a few APRS apps), and long-time<br>
InfoSec professional with CA/PKI experience available to assist :-)<br>
<br>
Nick VA3NNW<br>
<br>
-- <br>
"Nosey" Nick Waterman, VA3NNW/G7RZQ, K2 #5209.<br>
use Std::Disclaimer; <a href="mailto:sig@noseynick.net" target="_blank">sig@noseynick.net</a><br>
One good turn gets most of the blankets.<br>
<br>
<br>
<br>
_______________________________________________<br>
aprssig mailing list<br>
<a href="mailto:aprssig@lists.tapr.org" target="_blank">aprssig@lists.tapr.org</a><br>
<a href="http://lists.tapr.org/mailman/listinfo/aprssig_lists.tapr.org" rel="noreferrer" target="_blank">http://lists.tapr.org/mailman/listinfo/aprssig_lists.tapr.org</a><br>
</blockquote></div><br clear="all"><br>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr">K1FZY (WA4TPW) SK 9/29/37-4/13/15<br></div></div>