[HamWAN PSDR] Let's talk about identity

Kenny Richards richark at gmail.com
Thu Apr 6 13:15:11 PDT 2017 

It would be great if we could leverage the ARETF for this kind of
discussion. Bryan and I dreamed it up for this kind of situation, but so
far we have been a solution looking for a problem.

Even if we decided to use 'off the shelf' solutions, the configuration
changes for amateur radio being documented is still goodness.

Is the right next step just laying some of this ground work and defining
the scope problems we need to address?

Thanks
Kenny


On Sat, Apr 1, 2017 at 1:59 PM, Cory (NQ1E) <cory at nq1e.hm> wrote:

> This is the first topic we were hoping to tackle if we could get some
> interest behind the ARETF <http://aretf.org/>.  I made a post there a
> couple years ago to try to get the ball rolling, but without the help of
> others I haven't been able to stay focused on this topic due to many
> different things that demand my time.
>
> I'll start by reposting my introduction to terms. ;)
>
>
> ----------------------------------
>
> I'll start by clarifying some terms so we can further discuss these
> matters with the appropriate context.
>
> When people refer to "secure" communication, they're typically implying
> these three distinct features:
>
>    -
>
>    Privacy - Preventing third parties from seeing what is being
>    communicated.
>    -
>
>    Integrity - Assurance that the message received was from the sender
>    and not tampered with in transit
>    -
>
>    Authentication - Assurance that the sender is who you expect them to
>    be and not an impostor
>
> When providing security for a system, you also need to consider:
>
>    -
>
>    Authorization - Determining if the identified sender is allowed to
>    perform the action they are requesting.
>
> In amateur radio, we want to be able to use all of the security features
> above except for privacy.  It's a common misconception in the US that FCC
> part 97 prevents the use of encryption and therefore most security features
> aren't available to us.  However, what part 97 actually prohibits is
> "messages encoded for the purpose of obscuring their meaning."  It's
> important to keep this distinction in mind when developing best practices
> and communicating them to users who may not understand the difference.
>
> We should also try to avoid rat-holing any discussions with debate on
> whether privacy *should* be allowed as that isn't productive for our
> goals.  It's also likely what contributed to past failures on this subject.
>
> Luckily, many technologies already support these features without privacy
> which means we don't need to start from scratch.  Unfortunately, privacy is
> the one thing most people think of when it comes to security.  Therefore,
> our use-cases don't tend to be well documented or understood.  That's what
> I hope we get a chance to fix.
>
> -Cory
> NQ1E
> ----------------------------------
> 2015-05-18
> https://forum.aretf.net/viewtopic.php?pid=10#p10
>
>
> On Sat, Apr 1, 2017 at 1:19 PM, Bart Kus <me at bartk.us> wrote:
>
>>
>>
>> No, not that kind of identity.  Digital identity.  Used to inform
>> networks and computers about who you are.  In my brief research on this,
>> Wikipedia has listed a few systems:
>>
>>    1. SAML
>>    2. OAuth
>>    3. OpenID
>>    4. CAS
>>
>> There are of course other systems, such as X509 certificates, or just
>> plain old trusted keys or fingerprints.  The question is, which of these
>> systems are appropriate for use on Part 97 airwaves?
>>
>> The big P97 restriction we have is no use of secrecy or encryption.
>> Early on we realized this means any system which relies on shared secrets
>> (such as passwords) is not going to work well.  One system that does work
>> really well is public/private key based authentication.  SSH key
>> authentication and TLS client certificate authentication work really well
>> because of this.  However, those systems are not without problems.  Both of
>> them need to have the encryption option turned off, which requires a custom
>> ssh client and server for SSH, and is nearly impossible to do with any
>> modern web browser for TLS.  Other applications that use TLS will also have
>> the same challenge.
>>
>> I'd like to identify some acceptable identity systems for web browsers
>> and web applications.  It would be great if they could also be used for
>> email clients (Thunderbird, Evolution, KMail, etc), and other applications
>> like file shares.
>>
>> I haven't looked into security tokens at all yet, but those may work.
>> That is, to plug a token into USB or tap it via NFC (cell phone case), and
>> have yourself identified.
>>
>> Is anyone aware of which systems may be compatible with Part 97 and work
>> in a user-friendly way?
>>
>> --Bart
>>
>>
>> _______________________________________________
>> PSDR mailing list
>> PSDR at hamwan.org
>> http://mail.hamwan.net/mailman/listinfo/psdr
>>
>>
>
> _______________________________________________
> PSDR mailing list
> PSDR at hamwan.org
> http://mail.hamwan.net/mailman/listinfo/psdr
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.hamwan.net/pipermail/psdr/attachments/20170406/69ea2ecc/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 300px-Apache_Helicopter_Firing_Rockets_MOD_45154922.jpg
Type: image/jpeg
Size: 13670 bytes
Desc: not available
URL: <http://mail.hamwan.net/pipermail/psdr/attachments/20170406/69ea2ecc/attachment-0001.jpg>

More information about the PSDR mailing list