<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">It would be great if we could leverage the ARETF for this kind of discussion. Bryan and I dreamed it up for this kind of situation, but so far we have been a solution looking for a problem.</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">Even if we decided to use 'off the shelf' solutions, the configuration changes for amateur radio being documented is still goodness.</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">Is the right next step just laying some of this ground work and defining the scope problems we need to address?</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">Thanks</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">Kenny</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Apr 1, 2017 at 1:59 PM, Cory (NQ1E) <span dir="ltr"><<a href="mailto:cory@nq1e.hm" target="_blank">cory@nq1e.hm</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">This is the first topic we were hoping to tackle if we could get some interest behind the <a href="http://aretf.org/" target="_blank">ARETF</a>. I made a post there a couple years ago to try to get the ball rolling, but without the help of others I haven't been able to stay focused on this topic due to many different things that demand my time.<div><br></div><div>I'll start by reposting my introduction to terms. ;)</div><div><br></div><div><br></div><div>------------------------------<wbr>----</div><div><p style="margin:0px;padding:0.35em 0px;font-family:verdana,helvetica,arial,sans-serif;font-size:12px;background-color:rgb(250,250,250)">I'll start by clarifying some terms so we can further discuss these matters with the appropriate context.</p><p style="margin:0px;padding:0.35em 0px;font-family:verdana,helvetica,arial,sans-serif;font-size:12px;background-color:rgb(250,250,250)">When people refer to "secure" communication, they're typically implying these three distinct features:</p><ul style="margin:0px;padding:0.35em 0px 0.35em 2em;font-family:verdana,helvetica,arial,sans-serif;font-size:12px;background-color:rgb(250,250,250)"><li style="margin:0px;padding:0px;text-align:left"><p style="margin:0px;padding:0px">Privacy - Preventing third parties from seeing what is being communicated.</p></li><li style="margin:0px;padding:0px;text-align:left"><p style="margin:0px;padding:0px">Integrity - Assurance that the message received was from the sender and not tampered with in transit</p></li><li style="margin:0px;padding:0px;text-align:left"><p style="margin:0px;padding:0px">Authentication - Assurance that the sender is who you expect them to be and not an impostor</p></li></ul><p style="margin:0px;padding:0.35em 0px;font-family:verdana,helvetica,arial,sans-serif;font-size:12px;background-color:rgb(250,250,250)">When providing security for a system, you also need to consider:</p><ul style="margin:0px;padding:0.35em 0px 0.35em 2em;font-family:verdana,helvetica,arial,sans-serif;font-size:12px;background-color:rgb(250,250,250)"><li style="margin:0px;padding:0px;text-align:left"><p style="margin:0px;padding:0px">Authorization - Determining if the identified sender is allowed to perform the action they are requesting.</p></li></ul><p style="margin:0px;padding:0.35em 0px;font-family:verdana,helvetica,arial,sans-serif;font-size:12px;background-color:rgb(250,250,250)">In amateur radio, we want to be able to use all of the security features above except for privacy. It's a common misconception in the US that FCC part 97 prevents the use of encryption and therefore most security features aren't available to us. However, what part 97 actually prohibits is "messages encoded for the purpose of obscuring their meaning." It's important to keep this distinction in mind when developing best practices and communicating them to users who may not understand the difference.</p><p style="margin:0px;padding:0.35em 0px;font-family:verdana,helvetica,arial,sans-serif;font-size:12px;background-color:rgb(250,250,250)">We should also try to avoid rat-holing any discussions with debate on whether privacy *should* be allowed as that isn't productive for our goals. It's also likely what contributed to past failures on this subject.</p><p style="margin:0px;padding:0.35em 0px;font-family:verdana,helvetica,arial,sans-serif;font-size:12px;background-color:rgb(250,250,250)">Luckily, many technologies already support these features without privacy which means we don't need to start from scratch. Unfortunately, privacy is the one thing most people think of when it comes to security. Therefore, our use-cases don't tend to be well documented or understood. That's what I hope we get a chance to fix.</p><p style="margin:0px;padding:0.35em 0px;font-family:verdana,helvetica,arial,sans-serif;font-size:12px;background-color:rgb(250,250,250)">-Cory<br style="display:inline">NQ1E</p></div><div>------------------------------<wbr>----<br></div><div>2015-05-18<br></div><div><a href="https://forum.aretf.net/viewtopic.php?pid=10#p10" target="_blank">https://forum.aretf.net/<wbr>viewtopic.php?pid=10#p10</a><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="h5">On Sat, Apr 1, 2017 at 1:19 PM, Bart Kus <span dir="ltr"><<a href="mailto:me@bartk.us" target="_blank">me@bartk.us</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5">
<div bgcolor="#FFFFFF" text="#000000">
<img src="cid:part1.C6B72812.132E3D48@bartk.us"><br>
<br>
No, not that kind of identity. Digital identity. Used to inform
networks and computers about who you are. In my brief research on
this, Wikipedia has listed a few systems:<br>
<ol>
<li>SAML</li>
<li>OAuth</li>
<li>OpenID</li>
<li>CAS</li>
</ol>
<p>There are of course other systems, such as X509 certificates, or
just plain old trusted keys or fingerprints. The question is,
which of these systems are appropriate for use on Part 97
airwaves?<br>
</p>
<p>The big P97 restriction we have is no use of secrecy or
encryption. Early on we realized this means any system which
relies on shared secrets (such as passwords) is not going to work
well. One system that does work really well is public/private key
based authentication. SSH key authentication and TLS client
certificate authentication work really well because of this.
However, those systems are not without problems. Both of them
need to have the encryption option turned off, which requires a
custom ssh client and server for SSH, and is nearly impossible to
do with any modern web browser for TLS. Other applications that
use TLS will also have the same challenge.<br>
</p>
<p>I'd like to identify some acceptable identity systems for web
browsers and web applications. It would be great if they could
also be used for email clients (Thunderbird, Evolution, KMail,
etc), and other applications like file shares.<br>
</p>
<p>I haven't looked into security tokens at all yet, but those may
work. That is, to plug a token into USB or tap it via NFC (cell
phone case), and have yourself identified.<br>
</p>
<p>Is anyone aware of which systems may be compatible with Part 97
and work in a user-friendly way?<span class="m_3457861431838574063HOEnZb"><font color="#888888"><br>
</font></span></p><span class="m_3457861431838574063HOEnZb"><font color="#888888">
<p>--Bart<br>
<br>
</p>
</font></span></div>
<br></div></div>______________________________<wbr>_________________<br>
PSDR mailing list<br>
<a href="mailto:PSDR@hamwan.org" target="_blank">PSDR@hamwan.org</a><br>
<a href="http://mail.hamwan.net/mailman/listinfo/psdr" rel="noreferrer" target="_blank">http://mail.hamwan.net/mailman<wbr>/listinfo/psdr</a><br>
<br></blockquote></div><br></div>
<br>______________________________<wbr>_________________<br>
PSDR mailing list<br>
<a href="mailto:PSDR@hamwan.org">PSDR@hamwan.org</a><br>
<a href="http://mail.hamwan.net/mailman/listinfo/psdr" rel="noreferrer" target="_blank">http://mail.hamwan.net/<wbr>mailman/listinfo/psdr</a><br>
<br></blockquote></div><br></div></div>