On 2014-04-17 10:50, Don Fanning wrote:
How do I know the packet you are sending me is really a LOTW public certificate? You could be sending secrets against J. Edgar Hoover!
I assume this works the same as SSL certificates for web sites:
1. You generate your own public/private key pair. 2. You send the *public* key to a certification authority (in my case StartSSL.com for web certificates).. 3. The certification authority signs it with their *private* key and sends it back to you as a *public* certificate, which you then provide to anyone who requests it for your authentication. 4. Another user who wishes to verify your authentication, obtains from you (eg, via the browser) your *public*, signed certificate. 5. The browser has pre-installed the *public* certificate of several certification authorities, and of course, you can also install the public certificate of any other certification authority that you choose to trust. Eg, CAcert.org signs keys of requestors, but since it is not approved by the major browsers, users who wish to authenticate those who have a CAcert-signed certificate, have to install the CAcert.org public certificate (if they trust it to properly validate their users). 6. The browser uses the public certificate of the certification authority to verify that the certificate your web site provided as part of the handshake, is "valid". In particular, the browser verifies the host/domain name of the web site with the host/domain name installed in your public certificate. Your private key is also used as part of the handshake, to verify that your public certificate is not being used by another site masquerading as you.
So, with regard to the LOTW certificates: All that is needed to verify a user is his/her LOTW public certificate, plus the ARRL public certificate (while you can obtain on your own). A little bit of handshaking is needed like the browser does, but that's it.
If this does not work, I think we need to tell Bruce Schneier ASAP ...