1. Why did you pick GPLv3 as the license? Is this an ARDC requirement or a decision independently made for the Portal? Is there any chance to reconsider and pick a license like MIT, BSD, or Apache 2? I feel like the restrictions that GPL (especially v3) imposes are unnecessary.

2. It would be nice to see an API specification published in a standardized format as well, e.g. OpenAPI, to try to get a gRPC-like automatic client library generation in many languages + automatic mocks / tests for when you are developing a client. That’s a nice-to-have but low effort and high gain.

3. Regarding the ticketing system, perhaps it’s worth to explore integrating with an existing one for some of the use cases to not reinvent the wheel?

4. I would like to see WebAuthn for Security Keys with support of multiple, e.g. 8-16 keys, and not single-key only like some services. The web also seems to be moving to a passwordless future, with support for Passkeys already landed in browsers and OSes in desktop + mobile. Integrating WebAuthn for 2FA and Passkeys for passwordless login is very similar. My colleague Adam has written a very good technical post on how to implement these standards securely in case you’re interested: https://www.imperialviolet.org/2022/09/22/passkeys.html . I would also try to avoid any insecure practices like security questions to recover an account. I don’t know if I would pick SMS 2FA for a new project, although it’s better than nothing. Just make sure you don’t fall back to SMS e.g. if Security Keys / TOTP doesn’t work. I think with e-mail 2FA support the SMS option isn’t needed. People without a smartphone would still need e-mail access to login, so I don’t think it is excluding people if you do not offer it. Just be careful with WebAuthn: it is domain dependent. The blog post I link to explains this well, and also what happens if the domain of the Portal changes.

5. I agree with the other e-mails about the maidenhead. I know it’s currently a part of the old Portal, but is it really required? I would make it optional personally unless there’s a specific use case. We should practice data minimization and only collect what’s really needed now, and not require fields “just in case they’re useful in the future”. That way you’ll have to convince users they get some value out of supplying you with this information ;) It also makes the Portal more generic: networks like guifi that are not related to amateur radio can also use the software since it’s generic enough.

6. Regarding the LoT, I’d be careful with the retention of the data, as it may not be needed forever, and only during the verification. If I provided some proof only for points, and this info isn’t used anywhere else, for any other reason, maybe there’s not a lot of need in keeping it.

7. I don’t know how deep “View history” goes, but I think audit logging of every (important) action is a good feature to have. If something happens, one can go back to the file and build a timeline of events that led to the situation at hand. This doesn’t have to include PII but enough information to assist in a case.

8. I would like to see the Portal (in the future) be used to generate all the whois responses. The whois server should just serve data from the database directly, as that should be the source of truth (with a cache in the middle of course). The model of RIRs with inet{6,}num objects and person objects, etc. is very helpful to create relations.

9. Can you not delegate $callsign.ampr.org to your own servers anymore? Or is this still done manually via a ticket?

10. Does DS / DNSKEY support mean we’re getting DNSSEC for ampr.org? :) Would be nice to see that, including for rDNS, and of course for delegated zones too!

11. What is the purpose of 3.2.6.4?

12. For 3.6.3.1 I would recommend OWASP’s ASVS ( https://owasp.org/www-project-application-security-verification-standard/ ) as a guideline, and I would aim for Level 2. It doesn’t have to be followed to the letter, but it gives a good idea of a lot of important things to pay attention to. The WSTG is of course also a good resource to use in parallel.

13. I would like to see IPv6 support explicitly mentioned as a requirement, both for the software, as well as the service. The functionality (assignments, allocations) depends on what the plans and needs of ARDC are, but being able to use the Portal fully in an IPv6-only network is something I believe should be there regardless.

14. If ARDC manages to get RPKI, I would like to see the automated provision of ROAs for all BGP networks, e.g. by using the RIPE API, or if it’s self-hosted (why?) an integration with Krill (probably). Obviously something for the future.

15. For 3.6.3.2 I believe it should be “only available”. After all, a lot of modern web features (e.g. WebAuthn) don’t work without it.

That’s all, looking forward to the continuing of the development!

Antonis

On 28 Sep 2022, at 08:53, Chris Smith via 44net <44net@mailman.ampr.org> wrote:

The Level of Trust is a means to ensure that the person is a genuine, licensed radio amateur. It starts when you first register by verifying your email address, which earns you the lowest level. You then have various easy options, like adding a mobile/cellphone and verifying that to earn a few additional points, you can also verify your postal address (Google style postcard with PIN).

The next stage would be to get your licence and ID verified, this would typically be done by either a physical meeting, if someone is close enough, or (more likely) via a video meeting. The idea is that the more verification processes you go through, the higher your level of trust. So when you apply for resources all the verification is already in place. This is especially important for BGP requests as it currently takes some time to go through that process.

The ultimate goal would be to become a verifier yourself and help verify others - It’s the same model as the CA-Cert Web Of Trust.

73,
Chris - G1FEF

On 28 Sep 2022, at 06:13, Jonathan Lassoff via 44net <44net@mailman.ampr.org> wrote:

Thanks for sharing this work with the community.

Reading through it, some thoughts and questions come up:
- I'm delighted to see that accessibility and WCAG is considered.
- What is the intent of the Level Of Trust value? Is this about allowing some centralized administrative actions, or does this represent something that community members can earn and level up?
- In addition to GDPR compliance considerations, you might also consider California's similar CCPA.
- What is the intention of requiring maidenhead locators? I'm mostly just curious how the information gets used, though I suspect it would be useful to map country-granularity call signs to actual geographic areas where the subnets are assigned.

In general, this seems like a really straightforward list of requirements that all make sense in context.
Looking forward to experimenting and trying out something new.

Cheers and 73,
jof / K6BGP

On Tue, 27 Sept 2022 at 14:37, Rosy Schechter - KJ7RYV via 44net <44net@mailman.ampr.org> wrote:
Hello 44Net!

For quite some time, y'all have heard rumblings of a new portal, which
Chris has been working on bit by bit. Realizing that it's likely a
larger project than we initially thought, earlier this year the TAC took
on the task of writing a feature requirements document. This has been
the bulk of their work this year so far, and I'm really proud of the
results, which were completed just a couple weeks ago.

I'm writing on behalf of the TAC to share this document with you and to
request comments and comments:

https://www.ampr.org/wp-content/uploads/2022-09-Portal-Features-Requirements-Doc.pdf

Ideally, please share your thoughts in this channel rather than emailing
directly, though of course we will read any feedback you send. Pierre,
the TAC Chair, will be watching the list and answering any questions
that may come up.

Note that this document is a feature requirements document - which
outlines the features that the portal needs to have before it's
considered "done." By definition, it's *not* an engineering document;
we've purposefully not specified the exact technology we'll use to build
this out. We have, however, specified that it will be released as an
open source project as soon as we have a functional version, likely
without all features present. Ultimately this will be a project managed
by our new Director of Technology (who starts on Monday; will introduce
after he starts) and the team he assembles to carry out the build. Thus,
information like timelines, project plans, and database specifications,
etc., will follow his review of this document and any comments from this
group.

And with that, I say - happy reading! And thank you so much for your
thoughts and questions.

Looking forward,
Rosy

--
Rosy Schechter - KJ7RYV
Executive Director
Amateur Radio Digital Communications (ARDC)
ampr.org
_______________________________________________
44net mailing list -- 44net@mailman.ampr.org
To unsubscribe send an email to 44net-leave@mailman.ampr.org

_______________________________________________
44net mailing list -- 44net@mailman.ampr.org
To unsubscribe send an email to 44net-leave@mailman.ampr.org

_______________________________________________
44net mailing list -- 44net@mailman.ampr.org
To unsubscribe send an email to 44net-leave@mailman.ampr.org