17 Apr
2014
17 Apr
'14
12:22 p.m.
Time and again there appear suggestions for using that LOTW certificate for other things
then LOTW.
I don't know if you are aware, but not everyone is an ARRL member or uses LOTW.
So, as long as things like APRS have absolutely nothing to do with ARRL, please keep them
apart.
Marius, YO2LOJ
17 Apr
17 Apr
12:30 p.m.
New subject: Test New Tool - APRS Code Recovery
On Thu, Apr 17, 2014 at 9:22 AM, Marius Petrescu <marius(a)yo2loj.ro> wrote:
(Please trim inclusions from previous messages)
_______________________________________________
Time and again there appear suggestions for using that LOTW certificate for other things
then LOTW.
I don't know if you are aware, but not everyone is an ARRL member or uses LOTW.
So, as long as things like APRS have absolutely nothing to do with ARRL, please keep them
apart.
Marius, YO2LOJ
If you are volunteering to verify callsigns, free, just as the ARRL
does, then I will have no problem adding your Certificate Authority to
my configuration. This scheme is very much capable of using multiple
authorities for authentication. The ARRL just happens to be the one
who already has a large, trusted install base and has agreed to let us
use their service in this manner.
I assume that since all you mentioned in your reply was disdain for
ARRL, that is the only piece of this scheme you don't like?
Tom KD7LXL
12:38 p.m.
New subject: Test New Tool - APRS Code Recovery
On Thu, Apr 17, 2014 at 9:30 AM, Tom Hayward <esarfl(a)gmail.com> wrote:
(Please trim inclusions from previous messages)
_______________________________________________
On Thu, Apr 17, 2014 at 9:22 AM, Marius Petrescu <marius(a)yo2loj.ro> wrote:
One problem that comes to mind is SSL wouldn't be allowed on 44net unless
everyone has the private key and I doubt ARRL will release that.
In his application, I don't see a problem with source address
authentication or pseudo passwords. Honestly, I wouldn't even bother with
authentication. If someone is going to use it for nefarious purposes then
they're already committed to impersonating me and my callsign. After all,
there's nothing physically stopping me from impersonating you on the air...
(Please trim inclusions from previous messages)
_______________________________________________
Time and again there appear suggestions for using that LOTW certificate
for other
things then LOTW.
I don't know if you are aware, but not
everyone is an ARRL member or
uses LOTW.
So, as long as things like APRS have absolutely
nothing to do with ARRL,
please keep them apart.
I assume that since all you mentioned in your reply was disdain for
ARRL, that is the only piece of this scheme you don't like?
1:06 p.m.
New subject: Test New Tool - APRS Code Recovery
On Apr 17, 2014, at 12:38 PM, Don Fanning <don(a)00100100.net> wrote:
(Please trim inclusions from previous messages)
_______________________________________________
On Thu, Apr 17, 2014 at 9:30 AM, Tom Hayward <esarfl(a)gmail.com> wrote:
Why would you need the private key to the ARRL CA root certs?
73,
-jav k4jh
(Please trim inclusions from previous messages)
_______________________________________________
On Thu, Apr 17, 2014 at 9:22 AM, Marius Petrescu <marius(a)yo2loj.ro> wrote:
One problem that comes to mind is SSL wouldn't be allowed on 44net unless
everyone has the private key and I doubt ARRL will release that. (Please trim inclusions from previous messages)
_______________________________________________
Time and again there appear suggestions for using that LOTW certificate
for other
things then LOTW.
I don't know if you are aware, but not
everyone is an ARRL member or
uses LOTW.
So, as long as things like APRS have absolutely
nothing to do with ARRL,
please keep them apart.
I assume that since all you mentioned in your reply was disdain for
ARRL, that is the only piece of this scheme you don't like?
1:50 p.m.
New subject: Test New Tool - APRS Code Recovery
On Thu, Apr 17, 2014 at 10:06 AM, Javier Henderson (javier) <
javier(a)cisco.com> wrote:
How do I know the packet you are sending me is really a LOTW public
certificate? You could be sending secrets against J. Edgar Hoover!
No, I do know the signature packet itself is just data or a hash of public
data. Problem is that it is - in essence - encrypted data in which you
only share part of it. The just because it could be argued that it skirts
the legality of the law does it mean that it is clear of the meaning of the
law.
One problem
that comes to mind is SSL wouldn't be allowed on 44net unless
everyone has the private key and I doubt ARRL will release that.
Why would you need the private key to the ARRL CA root certs?
2:33 p.m.
New subject: Test New Tool - APRS Code Recovery
On 2014-04-17 10:50, Don Fanning wrote:
How do I know the packet you are sending me is really
a LOTW public
certificate? You could be sending secrets against J. Edgar Hoover!
I assume this works the same as SSL certificates for web sites:
1. You generate your own public/private key pair.
2. You send the *public* key to a certification authority (in my case
StartSSL.com for web certificates)..
3. The certification authority signs it with their *private* key and
sends it back to you as a *public* certificate, which you then
provide to anyone who requests it for your authentication.
4. Another user who wishes to verify your authentication, obtains from
you (eg, via the browser) your *public*, signed certificate.
5. The browser has pre-installed the *public* certificate of several
certification authorities, and of course, you can also install the
public certificate of any other certification authority that you
choose to trust. Eg, CAcert.org signs keys of requestors, but since
it is not approved by the major browsers, users who wish to
authenticate those who have a CAcert-signed certificate, have to
install the CAcert.org public certificate (if they trust it to
properly validate their users).
6. The browser uses the public certificate of the certification
authority to verify that the certificate your web site provided as
part of the handshake, is "valid". In particular, the browser
verifies the host/domain name of the web site with the host/domain
name installed in your public certificate. Your private key is also
used as part of the handshake, to verify that your public
certificate is not being used by another site masquerading as you.
So, with regard to the LOTW certificates: All that is needed to verify
a user is his/her LOTW public certificate, plus the ARRL public
certificate (while you can obtain on your own). A little bit of
handshaking is needed like the browser does, but that's it.
If this does not work, I think we need to tell Bruce Schneier ASAP ...
4:35 p.m.
New subject: Test New Tool - APRS Code Recovery
On Apr 17, 2014, at 1:50 PM, Don Fanning <don(a)00100100.net> wrote:
(Please trim inclusions from previous messages)
_______________________________________________
On Thu, Apr 17, 2014 at 10:06 AM, Javier Henderson (javier) <
javier(a)cisco.com> wrote:
How do I know the packet you are sending me is really a LOTW public
certificate? You could be sending secrets against J. Edgar Hoover!
You’d validate it the same way you’d validate the amazon.com SSL certificate.
One
problem that comes to mind is SSL wouldn't be allowed on 44net unless
everyone has the private key and I doubt ARRL will release that.
Why would you need the private key to the ARRL CA root certs?
No, I do know the signature packet itself is just data
or a hash of public
data. Problem is that it is - in essence - encrypted data in which you
only share part of it. The just because it could be argued that it skirts
the legality of the law does it mean that it is clear of the meaning of the
law.
I’m not sure I’m following you here...
73,
-jav k4jh
1:47 p.m.
New subject: Test New Tool - APRS Code Recovery
On Thu, 17 Apr 2014, Don Fanning wrote:
One problem that comes to mind is SSL wouldn't be
allowed on 44net unless
everyone has the private key and I doubt ARRL will release that.
Humm, why?
The private keys of the ARRL CA are only needed by ARRL to sign the
certificates they give to the users. And they don't need to give those
away (actually, they must not give those away) - that would allow others
to impersonate ARRL and sign certificates on their behalf.
What everyone needs is their CA's certificate, which is public by
definition. That can then be used to verify certificates of individual
users - to confirm that those individual users have a good amateur radio
certificate given by a CA such as ARRL, and that CA has looked at the
license papers of that individual before giving him a certificate.
By the way, have to mention this again: SSL/TLS can run in a mode where
data is not encrypted (NULL cipher), it's just authenticated. You'll know
it came from me and nobody modified it on the way, but it's not encrypted.
- Hessu
1:54 p.m.
New subject: Test New Tool - APRS Code Recovery
On Thu, Apr 17, 2014 at 10:47 AM, Heikki Hannikainen <hessu(a)hes.iki.fi>wrote;wrote:
(Please trim inclusions from previous messages)
_______________________________________________
On Thu, 17 Apr 2014, Don Fanning wrote:
One problem that comes to mind is SSL wouldn't be allowed on 44net unless
So again, explain to me why this should be used on an authentication system
that can be defeated with a pen and paper? If APRS-IS was meant to be
authenticated, then they should have went public-key/certificate based long
ago.
everyone has the private key and I doubt ARRL
will release that.
Humm, why?
The private keys of the ARRL CA are only needed by ARRL to sign the
certificates they give to the users. And they don't need to give those away
(actually, they must not give those away) - that would allow others to
impersonate ARRL and sign certificates on their behalf.
What everyone needs is their CA's certificate, which is public by
definition. That can then be used to verify certificates of individual
users - to confirm that those individual users have a good amateur radio
certificate given by a CA such as ARRL, and that CA has looked at the
license papers of that individual before giving him a certificate.
By the way, have to mention this again: SSL/TLS can run in a mode where
data is not encrypted (NULL cipher), it's just authenticated. You'll know
it came from me and nobody modified it on the way, but it's not encrypted.
- Hessu
3 p.m.
New subject: Test New Tool - APRS Code Recovery
If you are volunteering to verify callsigns, free,
just as the ARRL
does, then I will have no problem adding your Certificate Authority to
my configuration. This scheme is very much capable of using multiple
authorities for authentication. The ARRL just happens to be the one
who already has a large, trusted install base and has agreed to let us
use their service in this manner.
Anybody who can install this:
https://packages.debian.org/search?searchon=contents&keywords=aprspass&…
or something similar.
can generate passcodes for any valid or invalid callsign...
There is no security in the APRS passcode, the passcode is derivated
from the callsign itself by a static algorithm.
The algorithm itself was kept somewhat in the dark, but it is no secret.
APRS passcodes must be considered public knowledge.
73 de Marc
18 Apr
18 Apr
11:29 a.m.
New subject: Test New Tool - APRS Code Recovery
What I dislike is the fact that you try to bind an international network
like APRS to a national authority.
No matter if it is called ARRL or FRR (that's the YO counterpart) or
whatever.
If the APRS netwok needs to have strong authentication, then let the core
network solve this.
Or let every tier2 do it as they whish.
But don't mix apples with oranges.
-----Original Message-----
From: 44net-bounces+marius=yo2loj.ro(a)hamradio.ucsd.edu
[mailto:44net-bounces+marius=yo2loj.ro@hamradio.ucsd.edu] On Behalf Of Tom
Hayward
Sent: Thursday, April 17, 2014 19:31
To: AMPRNet working group
Subject: Re: [44net] Test New Tool - APRS Code Recovery
...
I assume that since all you mentioned in your reply was disdain for
ARRL, that is the only piece of this scheme you don't like?
Tom KD7LXL
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
17 Apr
17 Apr
1:05 p.m.
New subject: Test New Tool - APRS Code Recovery
On Apr 17, 2014, at 12:22 PM, Marius Petrescu <marius(a)yo2loj.ro> wrote:
(Please trim inclusions from previous messages)
_______________________________________________
Time and again there appear suggestions for using that LOTW certificate for other things
then LOTW.
I don't know if you are aware, but not everyone is an ARRL member or uses LOTW.
So, as long as things like APRS have absolutely nothing to do with ARRL, please keep them
apart.
Marius,
You don’t have to be a member of ARRL to use LOTW. Also, ARRL is just one possible CA,
which already does due diligence before issuing a certificate.
We could use other CAs in addition to ARRL.
73,
-jav k4jh
2:10 p.m.
New subject: Test New Tool - APRS Code Recovery
That's right,
I do have LoTW certificate
NOT being member of ARRL.
Best regards.
Tom - sp2lob
3684
days inactive
3685
days old
12 comments
8 participants
participants (8)
-
Dean Gibson AE7Q -
Don Fanning -
Heikki Hannikainen -
Javier Henderson (javier) -
Marc, LX1DUC -
Marius Petrescu -
sp2lob@tlen -
Tom Hayward