> > A good project on AMPRNet would be to setup a user authentication system that can be used for our services without running the risk that some (ab)used party suddenly draws back the support, or delays validation of new applicants (if only due to lack of volunteers to do the validation).
> Now, this is a great idea. Could also be used for IPv6 netblock validation.
Yes, although a more dynamic method like BGP appears to be more suitable for that.
Such an authentication system should offer a method to authenticate users that want to log on to some service and it should have some attributes for each user that can be used in queries for authentication. Things that come to mind:
- does the user have a (verified) amateur radio license
- category of the license (preferably with allowed band ranges)
- client certificate(s)
- password(s)
Probably more can be added. The problem of course is the manual work required for license validation. We could devise some method to use earlier validations by Echolink and LOTW, but when we want to do our own validation we require the volunteers that look at scanned license documents and accept/reject them.
An issue is the storage of so much personal information in a database, which requires compliance to rules for personal data protection that are (or are becoming) quite strict in many countries.
When we would have such a system on AMPRNet (preferably also usable from internet) it could be used for many purposes where we are now limited in practice. E.g. to set up a next-generation Echolink-like system that is open/free.
Rob
I am interested in putting some effort into such a project, it would be of benefit not only to the AMPRNet Portal, but has wider benefits to other areas of Amateur Radio I'm involved in. I was looking a while back at how to validate a user for the Portal with the ultimate goal of issuing certificates similar to LOTW.
It's not directly relevant to this mailing list, so if anyone is interested in discussing this further, please email me direct.
Thanks Chris
On 15 Sep 2017, at 13:20, Rob Janssen pe1chl@amsat.org wrote:
> > A good project on AMPRNet would be to setup a user authentication system that can be used for our services without running the risk that some (ab)used party suddenly draws back the support, or delays validation of new applicants (if only due to lack of volunteers to do the validation).
> Now, this is a great idea. Could also be used for IPv6 netblock validation.
Yes, although a more dynamic method like BGP appears to be more suitable for that.
Such an authentication system should offer a method to authenticate users that want to log on to some service and it should have some attributes for each user that can be used in queries for authentication. Things that come to mind:
- does the user have a (verified) amateur radio license
- category of the license (preferably with allowed band ranges)
- client certificate(s)
- password(s)
Probably more can be added. The problem of course is the manual work required for license validation. We could devise some method to use earlier validations by Echolink and LOTW, but when we want to do our own validation we require the volunteers that look at scanned license documents and accept/reject them.
An issue is the storage of so much personal information in a database, which requires compliance to rules for personal data protection that are (or are becoming) quite strict in many countries.
When we would have such a system on AMPRNet (preferably also usable from internet) it could be used for many purposes where we are now limited in practice. E.g. to set up a next-generation Echolink-like system that is open/free.
Rob
On 15.09.2017 17:51, Chris via 44Net wrote:
I am interested in putting some effort into such a project, it would be of benefit not only to the AMPRNet Portal, but has wider benefits to other areas of Amateur Radio I'm involved in. I was looking a while back at how to validate a user for the Portal with the ultimate goal of issuing certificates similar to LOTW.
I guess that would be far too much work for the small population it would target.
If you want certification use LOTW. It is meant just for that purpose and they already did all the job. LOTW certification is not complicated because they made it so. It is just if you use certificates, it gets complicated. And LOTW managed to make it as simple as possible.
On 16 Sep 2017, at 03:02, Pedja YT9TP yt9tp@uzice.net wrote:
On 15.09.2017 17:51, Chris via 44Net wrote:
I am interested in putting some effort into such a project, it would be of benefit not only to the AMPRNet Portal, but has wider benefits to other areas of Amateur Radio I'm involved in. I was looking a while back at how to validate a user for the Portal with the ultimate goal of issuing certificates similar to LOTW.
I guess that would be far too much work for the small population it would target.
It has other uses in other areas of Amateur Radio, but yes, when I looked into the possibilities previously it would take some effort, which is why I wouldn’t take it on on my own.
If you want certification use LOTW. It is meant just for that purpose and they already did all the job. LOTW certification is not complicated because they made it so. It is just if you use certificates, it gets complicated. And LOTW managed to make it as simple as possible.
It may be possible to link to LOTW if they were willing, but setting up our own CA and issuing certificates is not difficult and doesn’t need to be complicated.
It’s the validation bit that’s difficult, for most countries you can’t automate the process, it would need a human being to validate the request. My thoughts were along the lines of establishing and building a web of trust to delegate the work. It’s not just coding effort, it’s social engineering as well.
Chris
On 16/09/2017 5:50 PM, G1FEF via 44Net wrote:
It may be possible to link to LOTW if they were willing, but setting up our own CA and issuing certificates is not difficult and doesn’t need to be complicated.
Yep, done it for the likes of OpenVPN networks, where I was the sole CA for all links. That meant I could personally validate every connection as being authorised to access our network. The issuing of certificates is a dead simple process.
It’s the validation bit that’s difficult, for most countries you can’t automate the process, it would need a human being to validate the request. My thoughts were along the lines of establishing and building a web of trust to delegate the work. It’s not just coding effort, it’s social engineering as well.
Yep, it's deciding how much trust you need, then ensuring you have a web that provides the level of trust appropriate. And each country is different. Australia no longer issues paper licenses by default, would a PDF downloaded off the Internet be acceptable? These are the questions that must be resolved by the validating CA. I do like the way the US hams are validated by LoTW (by mail to the registered contact address), I think that would work here too now. But you've hit the nail on the head, it's the human/social stuff that is very hard when it comes to setting up validation. The technology is simple. :)
I think LDAP would be a good fit for most if not all of the use cases mentioned recently, and would greatly simplify the design. As for initial user validation, I was going to suggest something like a WoT too. It would be easy enough to integrate both PKI (LOTW and any other CAs deemed trustworthy) as well as a PGP web of trust, with mandated minimum trust levels set by the community. I think that the development of this sort of system needs to be open and transparent to the ham community, not just a small closed group. Without transparency, I wouldn't be too keen to point any of my systems at it for authorization.
I'd be interested in being involved in the development if it was to happen - even though it sounds far too much like my 9-5 job :(
Josh
On 16/09/2017 5:50 PM, G1FEF via 44Net wrote:
It’s the validation bit that’s difficult, for most countries you can’t automate the process, it would need a human being to validate the request. My thoughts were along the lines of establishing and building a web of trust to delegate the work. It’s not just coding effort, it’s social engineering as well.
On 16 Sep 2017, at 10:57, Josh josh@festy.org wrote:
I think that the development of this sort of system needs to be open and transparent to the ham community, not just a small closed group.
Totally agree.
Chris
On 9/16/17 8:25 AM, G1FEF via 44Net wrote:
On 16 Sep 2017, at 10:57, Josh josh@festy.org wrote:
I think that the development of this sort of system needs to be open and transparent to the ham community, not just a small closed group.
Totally agree.
Chris
How ironic.
-- Bryan Fields
727-409-1194 - Voice http://bryanfields.net
On 16.09.2017 14:25, G1FEF via 44Net wrote:
On 16 Sep 2017, at 10:57, Josh josh@festy.org wrote:
I think that the development of this sort of system needs to be open and transparent to the ham community, not just a small closed group.
Totally agree.
It also should be backed up and supported by large amateur radio organizations starting with IARU.
I like the concept of setting up an OpenID system. I also believe this is a role that the larger AMPR group could do for the global amateur radio community and give the group a larger purpose. Stepping into the details a bit, I believe that OpenID requires an active network connection to function. I don't think that will work in supporting isolated networks, slow networks, or partially broken networks. Compare that to say an X.509 certificate system (like what LOTW uses) which can support offline validation. If we were to approach this project, I think we'd need:
- Identify the use cases we want to solve : access to networks, access to hosts/applications (BBSes, maybe Echolink, Dstar, whatever) that are online, occasionally offline, completely offline. Are any of these networks using amateur radio frequencies that cannot support encryption? How do we solve that situation? Can we get exceptions from the various governing bodies to allow it (ITU, FCC, etc)? Are there any options here to provide strong and secure authentication over amateur RF networks or must we only use the Internet?
- Identify a working community of people who are interested either in working on the technical aspects or the validation aspects of the solution. I do agree we should try to get the larger amateur radio bodies involved (IARU, RSGB, ARRL, etc - https://en.wikipedia.org/wiki/List_of_amateur_radio_organizations ). That will take a LOT of time but I don't think it will block any specific progress.
- Identify the workflows for each of those use cases - would be best to delegate different use cases to those people who both need them and have a passion to get them solved.
- Determine how to securely create a mesh of authentication nodes worldwide
- Create some policies around these nodes on creation, maintenance, security, auditing policies, etc.
I imagine some people might think there are a lot of bureaucratic steps in there and I agree. The reality is that we need to find a common point where everyone can both agree and maybe leverage existing systems (LOTW, etc) if deemed acceptable. HAM radio seems to naturally gather into little fiefdoms which would dilute and/or break the utility of a global authentication system like this. This team will have to constantly work to keep it cohesive and functional.
--David KI6ZHD
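The point David makes above (an X.509 system like LoTW's can validate a user with no live connection, unlike OpenID) and the one Chris made earlier in the thread (running your own CA and issuing certificates is the easy part) can both be shown with Go's standard crypto/x509 package. The program below is an added example, not code from this thread, LoTW or any AMPRNet project: a toy CA issues a client certificate carrying a callsign and licence category, and a service verifies it offline using only the CA certificate it already holds. The CA name, the callsign, and the convention of putting the licence category in the OrganizationalUnit field are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA creates a self-signed CA certificate and its private key. The CA name
// is an assumed value for the example.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueUser issues a client-auth certificate for a validated callsign. The
// licence category is carried in OrganizationalUnit; that placement is an
// assumption of this example, not a LoTW or AMPRNet convention.
func issueUser(ca *x509.Certificate, caKey *ecdsa.PrivateKey, callsign, category string, serial int64) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: callsign, OrganizationalUnit: []string{category}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(2 * 365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
}

// verifyOffline is what a BBS or gateway on an isolated network would run: it
// needs only the trusted CA certificate, no network access. It checks the
// signature chain, the validity window at time `at`, and the client-auth
// usage, then returns the callsign and licence category from the subject.
func verifyOffline(der []byte, ca *x509.Certificate, at time.Time) (callsign, category string, err error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := cert.Verify(opts); err != nil {
		return "", "", err
	}
	if len(cert.Subject.OrganizationalUnit) != 1 {
		return "", "", fmt.Errorf("certificate for %s carries no licence category", cert.Subject.CommonName)
	}
	return cert.Subject.CommonName, cert.Subject.OrganizationalUnit[0], nil
}

func main() {
	ca, caKey, err := newCA("Example Ham CA") // assumed name
	if err != nil {
		panic(err)
	}
	der, err := issueUser(ca, caKey, "N0CALL", "Full", 2) // constructed sample user
	if err != nil {
		panic(err)
	}
	cs, cat, err := verifyOffline(der, ca, time.Now())
	fmt.Println("valid:", cs, cat, err)

	// A well-formed certificate from a CA the service does not trust is rejected.
	otherCA, otherKey, _ := newCA("Some Other CA")
	der2, _ := issueUser(otherCA, otherKey, "N0CALL", "Full", 3)
	_, _, err = verifyOffline(der2, ca, time.Now())
	fmt.Println("untrusted CA:", err)
}
```

Revocation is the one piece this deliberately leaves out: an offline verifier can only honour a CRL it has already fetched, which is exactly the trade-off David's "occasionally offline" use case has to decide on.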
I believe that OpenID requires an active network connection to function.
[...] Compare that to [...] LOTW [...] which can support offline validation.
Identify a working community of people who are interested either in working on the technical aspects or the validation aspects of the solution.
The ideas I had spelled out in one of the other threads can essentially be broken down like this:
1. Create a shared online authentication service for convenience of the many Internet connected amateur related systems out there, including validation using LotW and potentially other means.
2. Simplify and document the service in a way that would allow it to be easily recreated in a standard way by isolated networks or those who must only trust their own validations.
We tried broaching this subject on the new ARETF message boards a couple years ago, but they haven't had any traffic other than spambots since then. :(
As mentioned in the other thread here last week, I'm thrilled to have finally found others who are also interested in this topic, so I had started a new public mailing list devoted to it. I encourage you and others to join us there so we can return the AMPRNet mailing list to being an ICMP traffic alerting service. hihi ;)
Join here: https://groups.io/g/hamauth
-or- join by sending an email to: hamauth+subscribe@groups.io
Cory, NQ1E Seattle
Chris;
If you need a liaison for LoTW...
W1ZFG is a good friend of mine who I assist when he gets stuck. He's our local repeater club's secretary AND works for ARRL in LoTW. I'll be speaking with him tonight on the local VHF nets.
If you need a human to bridge this project to LoTW, let me know. In the interim look at: http://www.arrl.org/developer
On Sat, 2017-09-16 at 08:50 +0100, G1FEF via 44Net wrote:
On 16 Sep 2017, at 03:02, Pedja YT9TP yt9tp@uzice.net wrote:
On 15.09.2017 17:51, Chris via 44Net wrote:
I am interested in putting some effort into such a project, it would be of benefit not only to the AMPRNet Portal, but has wider benefits to other areas of Amateur Radio I'm involved in. I was looking a while back at how to validate a user for the Portal with the ultimate goal of issuing certificates similar to LOTW.
I guess that would be far too much work for the small population it would target.
It has other uses in other areas of Amateur Radio, but yes, when I looked into the possibilities previously it would take some effort, which is why I wouldn’t take it on on my own.
If you want certification use LOTW. It is meant just for that purpose and they already did all the job. LOTW certification is not complicated because they made it so. It is just if you use certificates, it gets complicated. And LOTW managed to make it as simple as possible.
It may be possible to link to LOTW if they were willing, but setting up our own CA and issuing certificates is not difficult and doesn’t need to be complicated.
It’s the validation bit that’s difficult, for most countries you can’t automate the process, it would need a human being to validate the request. My thoughts were along the lines of establishing and building a web of trust to delegate the work. It’s not just coding effort, it’s social engineering as well.
Chris
44Net mailing list 44Net@hamradio.ucsd.edu http://hamradio.ucsd.edu/mailman/listinfo/44net
Thanks Brian, that’s good to know.
On 16 Sep 2017, at 13:05, Brian n1uro@n1uro.ampr.org wrote:
Chris;
If you need a liaison for LoTW...
W1ZFG is a good friend of mine who I assist when he gets stuck. He's our local repeater club's secretary AND works for ARRL in LoTW. I'll be speaking with him tonight on the local VHF nets.
If you need a human to bridge this project to LoTW, let me know. In the interim look at: http://www.arrl.org/developer
On Sat, 2017-09-16 at 08:50 +0100, G1FEF via 44Net wrote:
On 16 Sep 2017, at 03:02, Pedja YT9TP yt9tp@uzice.net wrote:
On 15.09.2017 17:51, Chris via 44Net wrote:
I am interested in putting some effort into such a project, it would be of benefit not only to the AMPRNet Portal, but has wider benefits to other areas of Amateur Radio I'm involved in. I was looking a while back at how to validate a user for the Portal with the ultimate goal of issuing certificates similar to LOTW.
I guess that would be far too much work for the small population it would target.
It has other uses in other areas of Amateur Radio, but yes, when I looked into the possibilities previously it would take some effort, which is why I wouldn’t take it on on my own.
If you want certification use LOTW. It is meant just for that purpose and they already did all the job. LOTW certification is not complicated because they made it so. It is just if you use certificates, it gets complicated. And LOTW managed to make it as simple as possible.
It may be possible to link to LOTW if they were willing, but setting up our own CA and issuing certificates is not difficult and doesn’t need to be complicated.
It’s the validation bit that’s difficult, for most countries you can’t automate the process, it would need a human being to validate the request. My thoughts were along the lines of establishing and building a web of trust to delegate the work. It’s not just coding effort, it’s social engineering as well.
Chris
-- I used to be a heavy gambler. But now I just make mental bets. That's how I lost my mind.
73 de Brian - N1URO/AFT1BR, President - EastNet Packet Network https://www.eastnetpacket.org email: (see above) Web: http://www.n1uro.net/ Ampr1: http://n1uro.ampr.org/ (ipv4 AND ipv6) Ampr2: http://nos.n1uro.ampr.org Linux Amateur Radio Services axMail-Fax & URONode http://uronode.sourceforge.net http://axmail.sourceforge.net AmprNet coordinator for: Connecticut, Delaware, Maine, Maryland, Massachusetts, New Hampshire, New Jersey, Pennsylvania, Rhode Island, and Vermont.
On 16.09.2017 09:50, G1FEF via 44Net wrote:
It’s the validation bit that’s difficult, for most countries you can’t automate the process, it would need a human being to validate the request. My thoughts were along the lines of establishing and building a web of trust to delegate the work. It’s not just coding effort, it’s social engineering as well.
That was my point. The technical part is not the problem, but the administration is. I am quite certain that it will never be possible to get worldwide call-sign validation working beyond manual document inspection.
I do agree that having one global validation service that offers API's for various purposes and platforms would be great, even if that means that manual paperwork is involved.
On 17/09/2017 8:14 PM, Pedja YT9TP wrote:
That was my point. The technical part is not the problem, but the administration is. I am quite certain that it will never be possible to get worldwide call-sign validation working beyond manual document inspection.
I do agree that having one global validation service that offers API's for various purposes and platforms would be great, even if that means that manual paperwork is involved.
Perhaps a federated web of trust is the way to go? Each country or region looks after its own users, and then trust is shared with other entities.
On 16/09/2017 12:02 PM, Pedja YT9TP wrote:
If you want certification use LOTW. It is meant just for that purpose and they already did all the job. LOTW certification is not complicated because they made it so. It is just if you use certificates, it gets complicated. And LOTW managed to make it as simple as possible.
Some slight issues for me: (from the LoTW website)
If your primary callsign was not issued in the United States, you have two options:

A. Mail a copy of your Amateur Radio operating authorization and a copy of one other official document that shows your name (for example, a driver's license) to the ARRL. When the ARRL receives your documentation, it will send you an email message containing your LoTW Account Password, with your Callsign Certificate attached.

In Australia, they don't normally issue paper licenses anymore. And the electronic one can be accessed by anyone online. It's been 2 years since I've had a paper licence (but mine are valid).

B. Present your documents in person to an in-country ARRL DXCC Card Checker. The Card Checker will inspect your documents and, if accepted, inform ARRL's LoTW staff that the applicant's identity and license have been verified. The ARRL will then send you an email message containing your LoTW Account Password, with your Callsign Certificate attached.

Not every DXCC entity has DXCC Card Checkers, and Card Checkers are not required to participate in this verification process. Thus you should contact an in-country Card Checker in advance to ask if they are willing to check your identity and license documents. A list of DXCC Card Checkers is here.
Le 16/09/2017 à 04:02, Pedja YT9TP a écrit :
LOTW certification is not complicated
LoTW, for some OM, it is complicated... Echolink, no verification if the person is deceased or no more amateur...
Amateur radio operators registered in 44.151 are all alive.
;)
Anyway a person who wants to hack Network 44 will be able to. Even the password of the script is recoverable by any Linux user with a simple Linux command ...
One thing certain is that if there is evolution to a forum, I would not follow this very closely. Proverb: why change a winning team.
Best regards, Ludovic - F5PBG (Coord 44.151)
On 16/09/2017 7:38 PM, f5pbg@free.fr wrote:
LoTW, for some OM, it is complicated...
Looks a little simpler than I recall, I know there was a reason I never got around to doing it. Now, the biggest complication is actually getting a paper licence!
Echolink, no verification if the person is deceased or no more amateur...
Not necessarily reliable.
Amateur radio operators registered in 44.151 are all alive.
;)
Anyway a person who wants to hack Network 44 will be able to. Even the password of the script is recoverable by any Linux user with a simple Linux command ...
One thing certain is that if there is evolution to a forum, I would not follow this very closely. Proverb: why change a winning team.
Or as we say here "If it ain't broke, don't fix it" ;)
On 16/09/2017 1:51 AM, Chris via 44Net wrote:
I am interested in putting some effort into such a project, it would be of benefit not only to the AMPRNet Portal, but has wider benefits to other areas of Amateur Radio I'm involved in. I was looking a while back at how to validate a user for the Portal with the ultimate goal of issuing certificates similar to LOTW.
It's not directly relevant to this mailing list, so if anyone is interested in discussing this further, please email me direct.
I'm interested to play, both to try the concept, as well as see if I can integrate it with my other systems. I have Linux boxes to run INN on, mostly R-Pi, but not all, there's a couple of small x86 machines here, as well as a VPS that I've been subscribed to for years, that runs a lot of ham radio services. I would have to give it a 44/8 address from my netblock (point to point over a tunnel perhaps), might be an opportunity to try an IPv4 VPN over an IPv6 network. :)
On 16/09/2017 1:51 AM, Chris via 44Net wrote:
I am interested in putting some effort into such a project, it would be of benefit not only to the AMPRNet Portal, but has wider benefits to other areas of Amateur Radio I'm involved in. I was looking a while back at how to validate a user for the Portal with the ultimate goal of issuing certificates similar to LOTW.
It's not directly relevant to this mailing list, so if anyone is interested in discussing this further, please email me direct.
Private email sent. :)