Hi,
The AMPRNet might be more useful if it had:
(1) more services which would be interesting to hams
(2) more access to the AMPRNet
Tonight I tried to attack (2) a bit. Access to the AMPRNet over the
Internet could maybe be made easier to hams by allowing them to connect
over VPNs instead of setting up their own IPIP tunnels at home, or trying
to find a working radio gateway. After getting a VPN running it might be
easier for them to set up a radio gateway, or some services. As discussed
on the other mailing list, VPNs are easier to get up on NATed residential
networks than IPIP tunnels.
Setting up VPN user accounts and maintaining them can be a pain. It
doesn't take a lot of weekly or monthly maintenance work to run a VPN
service, but it can be a major pain to manage an user account database for
thousands of hams and check if your users around the Internet are, in
fact, licensed.
It turns out that ARRL's Logbook of the World has already given out
cryptographic X.509 certificates to 57334 amateur users, after verifying
their license status against the FCC database (they send a postcard with a
random token code to the FCC-listed snail-mail address to make sure they
give the certificate to the right guy) or after looking at a paper
photocopy of a license + a photo ID. I had to physically mail in a photo
of my ham license and my driver's license and wait a couple weeks to get
the cert. If they can get 50k contesters and DXers to work with
certificates, maybe certs can work for the AMPRnet, too.
Technically, we can validate if a VPN user is in possession of one of
those certificates and the respective private key. Politically, K4JH asked
the ARRL guys, and they said that they don't mind if we use them for other
ham authentication needs. We can start accepting other CAs too once they
come around. I plan to help SRAL, the Finnish amateur radio union, to set
up a CA within their web site (they already have user accounts for
members). I know ARRL isn't for everyone, but smaller clubs could set up
CAs too, or even commercial entities - as long as we trust them to do the
license validation in a proper manner.
Tonight I hacked up an OpenVPN setup which authenticates users with LoTW
certs, and wrote a little documentation:
http://wiki.ampr.org/index.php/AMPRNet_VPN
What do you think? Technically, it seems to work - try it out if you like.
It's not very straightforward to set up, but the license validation is
pretty strong, and running the service shouldn't be a lot of work. There
can be many VPN servers around the world, serving the whole customer base
(VPN servers do not need access to any central user database, they just
need the certificates of the trusted CAs). With a little Dynamic DNS
magic, you could get a oh7lzb.vpn.ampr.org hostname on DNS within a few
seconds after connecting (I've got code for that in another project).
(Yes, eventually certificates need to be revoked after they accidentally
get into wrong hands, or ham licenses are revoked. Technically that can be
done using CRLs and/or OCSP, but ARRL apparently does not do those yet.
Maybe they will, if the need arises. We can also set up a blocked
certificates list of our own.)
- Hessu, OH7LZB
