<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
I suppose we may want to amend HamWAN's official Mission statement
to better reflect the recent work in developing software and
networking standards. The stuff we released so far in this realm
is:<br>
<ul>
<li><a
href="http://hamwan.org/Standards/Network%20Engineering/Authentication/SSH%20Without%20Encryption.html">SSH
Without Encryption</a></li>
<li><a
href="http://hamwan.org/Standards/Network%20Engineering/Authentication/SSL%20without%20Encryption.html">SSL
Without Encryption</a><br>
</li>
<li><a href="http://hamwan.org/Labs/Open%20Peering%20Policy.html">Open
Peering Policy</a></li>
<li><a
href="http://hamwan.org/Standards/Network%20Engineering/High%20Availability.html">High
Availability</a></li>
<li><a
href="http://hamwan.org/Standards/Network%20Engineering/Cell%20Site%20Configuration/Servers.html">Some
other Server suggestions</a></li>
<li><a
href="http://hamwan.org/Standards/Network%20Engineering/Point%20to%20Multipoint%20Authentication.html">Point
to Multipoint Authentication</a></li>
<li><a
href="http://hamwan.org/Standards/Network%20Engineering/Quality%20of%20Service.html">Quality
of Service</a><br>
</li>
</ul>
Some of these are better than others. Many of these need more
work. Specifically, only the SSH solution is "finished", I think.
The unpublished work going on right now is focused on automation and
robustness of network services. I got some good engagement in the
previous thread I sent out on distributed filesystem implementations
(most of it in private email), and that left me with a few options
to verify in the lab and on the HamWAN network. This identity
thread doesn't quite have the same expert engagement though, so the
quest continues.<br>
<br>
At the inevitable risk of offense, I don't see what ARETF offers to
be leveraged. Having surfed the site, forum and GitHub repo, it's
pretty much empty. What this work requires is active, dedicated
engineers who have a deep understanding of how things work in this
space. Show me where THOSE people are, and I'll happily join the
group.<br>
<br>
Why can't ARETF's mission be executed within HamWAN? We have a
small but growing set of engineers who are well versed in the
digital world. We also have the added benefit of real-world use
cases, so you don't fall into the pit of designing-for-everybody on
your first iteration.<br>
<br>
Having said all that, I don't think the entirety of what's needed to
service emcomm (and likely even ham) users can be implemented in
HamWAN's current organizational model. Motivating said skilled
engineers to execute consistently and on-time (or even at all) has
been one major impediment to success. Lately I've been studying the
viability of remunerating engineering work in this problem space.
The most surprising finding to date is that some folks have a
philosophical opposition to getting paid for their work product in
this problem space. Feel free to contact me privately (goes for
anyone) if you're interested in this latest viability study of mine.<br>
<br>
--Bart<br>
<br>
<div class="moz-cite-prefix">On 4/6/2017 1:15 PM, Kenny Richards
wrote:<br>
</div>
<blockquote
cite="mid:CAHEUKb+=aKea5SBAhGXnOhzMzC3qcNX_2CGPpuj5_008CNHmrw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small">It
would be great if we could leverage the ARETF for this kind of
discussion. Bryan and I dreamed it up for this kind of
situation, but so far we have been a solution looking for a
problem.</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small">Even
if we decided to use 'off the shelf' solutions, the
configuration changes for amateur radio being documented is
still goodness.</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small">Is
the right next step just laying some of this ground work and
defining the scope problems we need to address?</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small">Thanks</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small">Kenny</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small"><br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Sat, Apr 1, 2017 at 1:59 PM, Cory
(NQ1E) <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:cory@nq1e.hm" target="_blank">cory@nq1e.hm</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">This is the first topic we were hoping to
tackle if we could get some interest behind the <a
moz-do-not-send="true" href="http://aretf.org/"
target="_blank">ARETF</a>. I made a post there a
couple years ago to try to get the ball rolling, but
without the help of others I haven't been able to stay
focused on this topic due to many different things that
demand my time.
<div><br>
</div>
<div>I'll start by reposting my introduction to terms.
;)</div>
<div><br>
</div>
<div><br>
</div>
<div>------------------------------<wbr>----</div>
<div>
<p style="margin:0px;padding:0.35em
0px;font-family:verdana,helvetica,arial,sans-serif;font-size:12px;background-color:rgb(250,250,250)">I'll
start by clarifying some terms so we can further
discuss these matters with the appropriate context.</p>
<p style="margin:0px;padding:0.35em
0px;font-family:verdana,helvetica,arial,sans-serif;font-size:12px;background-color:rgb(250,250,250)">When
people refer to "secure" communication, they're
typically implying these three distinct features:</p>
<ul style="margin:0px;padding:0.35em 0px 0.35em
2em;font-family:verdana,helvetica,arial,sans-serif;font-size:12px;background-color:rgb(250,250,250)">
<li style="margin:0px;padding:0px;text-align:left">
<p style="margin:0px;padding:0px">Privacy -
Preventing third parties from seeing what is
being communicated.</p>
</li>
<li style="margin:0px;padding:0px;text-align:left">
<p style="margin:0px;padding:0px">Integrity -
Assurance that the message received was from the
sender and not tampered with in transit</p>
</li>
<li style="margin:0px;padding:0px;text-align:left">
<p style="margin:0px;padding:0px">Authentication -
Assurance that the sender is who you expect them
to be and not an impostor</p>
</li>
</ul>
<p style="margin:0px;padding:0.35em
0px;font-family:verdana,helvetica,arial,sans-serif;font-size:12px;background-color:rgb(250,250,250)">When
providing security for a system, you also need to
consider:</p>
<ul style="margin:0px;padding:0.35em 0px 0.35em
2em;font-family:verdana,helvetica,arial,sans-serif;font-size:12px;background-color:rgb(250,250,250)">
<li style="margin:0px;padding:0px;text-align:left">
<p style="margin:0px;padding:0px">Authorization -
Determining if the identified sender is allowed
to perform the action they are requesting.</p>
</li>
</ul>
<p style="margin:0px;padding:0.35em
0px;font-family:verdana,helvetica,arial,sans-serif;font-size:12px;background-color:rgb(250,250,250)">In
amateur radio, we want to be able to use all of the
security features above except for privacy. It's a
common misconception in the US that FCC part 97
prevents the use of encryption and therefore most
security features aren't available to us. However,
what part 97 actually prohibits is "messages encoded
for the purpose of obscuring their meaning." It's
important to keep this distinction in mind when
developing best practices and communicating them to
users who may not understand the difference.</p>
<p style="margin:0px;padding:0.35em
0px;font-family:verdana,helvetica,arial,sans-serif;font-size:12px;background-color:rgb(250,250,250)">We
should also try to avoid rat-holing any discussions
with debate on whether privacy *should* be allowed
as that isn't productive for our goals. It's also
likely what contributed to past failures on this
subject.</p>
<p style="margin:0px;padding:0.35em
0px;font-family:verdana,helvetica,arial,sans-serif;font-size:12px;background-color:rgb(250,250,250)">Luckily,
many technologies already support these features
without privacy which means we don't need to start
from scratch. Unfortunately, privacy is the one
thing most people think of when it comes to
security. Therefore, our use-cases don't tend to be
well documented or understood. That's what I hope
we get a chance to fix.</p>
<p style="margin:0px;padding:0.35em
0px;font-family:verdana,helvetica,arial,sans-serif;font-size:12px;background-color:rgb(250,250,250)">-Cory<br
style="display:inline">
NQ1E</p>
</div>
<div>------------------------------<wbr>----<br>
</div>
<div>2015-05-18<br>
</div>
<div><a moz-do-not-send="true"
href="https://forum.aretf.net/viewtopic.php?pid=10#p10"
target="_blank">https://forum.aretf.net/<wbr>viewtopic.php?pid=10#p10</a><br>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">
<div>
<div class="h5">On Sat, Apr 1, 2017 at 1:19 PM, Bart
Kus <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:me@bartk.us" target="_blank">me@bartk.us</a>&gt;</span>
wrote:<br>
</div>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div class="h5">
<div bgcolor="#FFFFFF" text="#000000"> <img
src="cid:part13.62A9824D.0A0A181B@bartk.us"><br>
<br>
No, not that kind of identity. Digital
identity. Used to inform networks and
computers about who you are. In my brief
research on this, Wikipedia has listed a few
systems:<br>
<ol>
<li>SAML</li>
<li>OAuth</li>
<li>OpenID</li>
<li>CAS</li>
</ol>
<p>There are of course other systems, such as
X509 certificates, or just plain old trusted
keys or fingerprints. The question is,
which of these systems are appropriate for
use on Part 97 airwaves?<br>
</p>
<p>The big P97 restriction we have is no use
of secrecy or encryption. Early on we
realized this means any system which relies
on shared secrets (such as passwords) is not
going to work well. One system that does
work really well is public/private key based
authentication. SSH key authentication and
TLS client certificate authentication work
really well because of this. However, those
systems are not without problems. Both of
them need to have the encryption option
turned off, which requires a custom ssh
client and server for SSH, and is nearly
impossible to do with any modern web browser
for TLS. Other applications that use TLS
will also have the same challenge.<br>
</p>
<p>I'd like to identify some acceptable
identity systems for web browsers and web
applications. It would be great if they
could also be used for email clients
(Thunderbird, Evolution, KMail, etc), and
other applications like file shares.<br>
</p>
<p>I haven't looked into security tokens at
all yet, but those may work. That is, to
plug a token into USB or tap it via NFC
(cell phone case), and have yourself
identified.<br>
</p>
<p>Is anyone aware of which systems may be
compatible with Part 97 and work in a
user-friendly way?<span
class="m_3457861431838574063HOEnZb"><font
color="#888888"><br>
</font></span></p>
<span class="m_3457861431838574063HOEnZb"><font
color="#888888">
<p>--Bart<br>
<br>
</p>
</font></span></div>
<br>
</div>
</div>
______________________________<wbr>_________________<br>
PSDR mailing list<br>
<a moz-do-not-send="true"
href="mailto:PSDR@hamwan.org" target="_blank">PSDR@hamwan.org</a><br>
<a moz-do-not-send="true"
href="http://mail.hamwan.net/mailman/listinfo/psdr"
rel="noreferrer" target="_blank">http://mail.hamwan.net/mailman<wbr>/listinfo/psdr</a><br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
</div>
<br>
</div>
</div>
<br>
</blockquote>
<br>
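Added example, not written by anyone in this thread: the quoted messages ask for integrity, authentication and replay protection without privacy, which a public-key signature over a cleartext message provides. Ed25519, the callsign N0CALL, the KeyRing registry, the nonce challenge and the message layout are all assumptions chosen for illustration.<br>

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

type KeyRing map[string]ed25519.PublicKey // callsign to registered key (hypothetical registry)

// Message is sent entirely in the clear; Nonce is the verifier's challenge.
type Message struct {
	Callsign            string
	Nonce, Payload, Sig []byte
}

func NewKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(nil) // nil reader selects crypto/rand
}

// signedBytes length-prefixes each field so field boundaries cannot be shifted.
func signedBytes(m Message) []byte {
	return fmt.Appendf(nil, "%d:%s%d:%s%d:%s", len(m.Callsign), m.Callsign, len(m.Nonce), m.Nonce, len(m.Payload), m.Payload)
}

// Sign binds callsign, nonce and payload under the sender's private key.
func Sign(priv ed25519.PrivateKey, m Message) Message {
	m.Sig = ed25519.Sign(priv, signedBytes(m))
	return m
}

// Verify checks authentication (known key), freshness (nonce) and integrity.
func Verify(ring KeyRing, nonce []byte, m Message) error {
	pub, ok := ring[m.Callsign]
	switch {
	case !ok:
		return fmt.Errorf("unknown callsign %q", m.Callsign)
	case !bytes.Equal(nonce, m.Nonce):
		return fmt.Errorf("nonce mismatch: stale or replayed message")
	case !ed25519.Verify(pub, signedBytes(m), m.Sig):
		return fmt.Errorf("bad signature: forged or altered in transit")
	}
	return nil
}

func main() { // constructed demo values
	pub, priv, _ := NewKey()
	m := Sign(priv, Message{Callsign: "N0CALL", Nonce: []byte("n-01"), Payload: []byte("QST net at 1900")})
	fmt.Println("verify:", Verify(KeyRing{"N0CALL": pub}, []byte("n-01"), m))
}
```

Authorization stays a separate step: once Verify succeeds, the callsign is looked up against whatever access policy the service applies.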
</body>
</html>