A private, ham only OpenID server?
This is similar to an idea I had several years back (2012 according to the registration for my unused domain hamauth.com), but I couldn't find anyone else at the time who was interested in it. As a result, it never won any battles for my limited availability of time to work on it. :(
The basic idea was to define various assurance levels that people could meet using various methods. Then, allow amateur radio websites and services to define what level of assurance they need and allow them the option to easily authenticate their users using a hosted service (using things like OpenID or OAuth).
Those levels could be something like:
- Identity, call sign, operating privileges, and mailing address all verified
- Call sign, operating privileges, and mailing address verified (LotW gets us here)
- Call sign and operating privileges verified (We can verify their license is valid, but only assume they're the legitimate holder of it until it's challenged, somewhat like how qrz.com does it)
- Call sign claimed (not all countries have license info online for verifying privileges)
- Non-amateur (not yet licensed)
For example, if a user can prove to us they have control over a valid LotW certificate, they would get one of the highest levels of assurance because we know the ARRL has already confirmed the validity of their license and that they can receive mail at the license address. The user would then be able to log in with their call sign on just about any site that chooses to use our service for authentication. However, some sites may not choose to trust our third-party service directly, so we could also be a resource on how they could set up their own authentication and verification schemes.
While it might be a pain to get a LotW certificate, they are the only organization I'm aware of that offers to authenticate amateurs from any country. It's essentially a service they created to be globally trusted in order to protect the integrity of their contests. In the past they've also expressed a willingness to allow their service to be used for other general amateur authentication purposes, so I don't think we need to worry about them objecting to anything like this.
Also, there's no reason why the ARRL has to be the only source of that trust. For example, if you have a valid client certificate loaded in your browser with your call sign in the right place, we'll accept it on the HamWAN portal ( https://encrypted.hamwan.org/ ) whether it's signed by ARRL, or if it's signed by HamWAN's own certificate authority.
If there are other organizations in other countries that can authenticate licenses in an easier fashion, we can definitely include them in the process. That way other amateur services would just need to check a box that says they trust that entity to validate users from that country.
I'm excited to see several others interested in this, but since it's off-topic for this reflector, please join me in the new hamauth group. ;)
Click: https://groups.io/g/hamauth
or
Email: hamauth+subscribe@groups.io
Cory NQ1E
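
Added example, not part of the original post or any existing service's code: one way a relying site could apply the assurance levels and the per-country "trust this verifier" checkbox described above. All class, function and verifier names and the sample users are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

class Assurance(IntEnum):
    # Ordered lowest to highest, following the levels listed in the post.
    NON_AMATEUR = 0        # not yet licensed
    CALLSIGN_CLAIMED = 1   # call sign claimed, nothing verified
    LICENSE_VERIFIED = 2   # call sign and operating privileges verified
    ADDRESS_VERIFIED = 3   # plus mailing address verified (the LotW level)
    IDENTITY_VERIFIED = 4  # plus identity verified

@dataclass(frozen=True)
class Attestation:
    verifier: str          # hypothetical label for who vouched
    level: Assurance

@dataclass(frozen=True)
class User:
    callsign: str          # empty string means no call sign claimed
    country: str           # country that issued the license
    attestations: tuple = ()

@dataclass(frozen=True)
class SitePolicy:
    minimum: Assurance     # level this site requires
    trusted: dict          # country -> set of verifier labels the site trusts

def effective_level(user, policy):
    """Highest level vouched for by a verifier this site trusts for the
    user's country. Untrusted attestations are ignored, not rejected, so
    the user falls back to the 'call sign claimed' level."""
    if not user.callsign:
        return Assurance.NON_AMATEUR
    trusted = policy.trusted.get(user.country, frozenset())
    vouched = [a.level for a in user.attestations if a.verifier in trusted]
    return max([Assurance.CALLSIGN_CLAIMED, *vouched])

def authorize(user, policy):
    return effective_level(user, policy) >= policy.minimum

# Constructed sample data (placeholder call sign, hypothetical verifier labels).
LOTW_USER = User("N0CALL", "US",
                 (Attestation("ARRL-LotW", Assurance.ADDRESS_VERIFIED),))
UNLICENSED = User("", "US")
STRICT_SITE = SitePolicy(Assurance.ADDRESS_VERIFIED, {"US": {"ARRL-LotW"}})
OTHER_TRUST = SitePolicy(Assurance.LICENSE_VERIFIED, {"US": {"EXAMPLE-CA"}})
```

The same user gets a different effective level at each site because trust in a verifier is the relying site's decision, not the authentication service's.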