<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">(Just discovered this stuck in my drafts folder)</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">Bart,</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">The reason we tried to start the ARETF was to have a place to work out and store ham radio standards, that was independent of any particular group. I completely agree that HamWAN could 'host/manage' this effort, but what about other areas in ham radio that may have needs for some of the work? Would HamWAN be willing to take input if there was APRS or PACTOR needs? I am pretty sure HamWAN wouldn't be interesting in hosting any other efforts. </div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">I agree there isn't much benefit right now to the ARETF, it needed something to kick off the process and build out how to 'standardized' a ham radio related thing. I failed at finding that first thing, but maybe this would be it? <br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">Thanks</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">Kenny</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small"><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Apr 6, 2017 at 3:24 PM, Bart Kus <span dir="ltr"><<a href="mailto:me@bartk.us" target="_blank">me@bartk.us</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    I suppose we may want to amend HamWAN's official Mission statement
    to better reflect the recent work in developing software and
    networking standards.  The stuff we released so far in this realm
    is:<br>
    <ul>
      <li><a href="http://hamwan.org/Standards/Network%20Engineering/Authentication/SSH%20Without%20Encryption.html" target="_blank">SSH
          Without Encryption</a><a href="http://hamwan.org/Standards/Network%20Engineering/Authentication/SSL%20without%20Encryption.html" target="_blank"><br>
        </a></li>
      <li><a href="http://hamwan.org/Standards/Network%20Engineering/Authentication/SSL%20without%20Encryption.html" target="_blank">SSL
          Without Encryption</a><br>
      </li>
      <li><a href="http://hamwan.org/Labs/Open%20Peering%20Policy.html" target="_blank">Open
          Peering Policy</a></li>
      <li><a href="http://hamwan.org/Standards/Network%20Engineering/High%20Availability.html" target="_blank">High
          Availability</a></li>
      <li><a href="http://hamwan.org/Standards/Network%20Engineering/Cell%20Site%20Configuration/Servers.html" target="_blank">Some
          other Server suggestions</a></li>
      <li><a href="http://hamwan.org/Standards/Network%20Engineering/Point%20to%20Multipoint%20Authentication.html" target="_blank">Point
          to Multipoint Authentication</a></li>
      <li><a href="http://hamwan.org/Standards/Network%20Engineering/Quality%20of%20Service.html" target="_blank">Quality
          of Service</a><br>
      </li>
    </ul>
    Some of these are better than others.  Many of these need more
    work.  Specifically, only the SSH solution is "finished", I think. 
    The unpublished work going on right now is focused on automation and
    robustness of network services.  I got some good engagement in the
    previous thread I sent out on distributed filesystem implementations
    (most of it in private email), and that left me with a few options
    to verify in the lab and on the HamWAN network.  This identity
    thread doesn't quite have the same expert engagement though, so the
    quest continues.<br>
    <br>
    At the inevitable risk of offense, I don't see what ARETF offers to
    be leveraged.  Having surfed the site, forum and github repo, it's
    pretty much empty.  What this work requires is active, dedicated
    engineers who have a deep understanding of how things work in this
    space.  Show me where THOSE people are, and I'll happily join the
    group.<br>
    <br>
    Why can't ARETF's mission be executed within HamWAN?  We have a
    small but growing set of engineers who are well versed in the
    digital world.  We also have the added benefit of real-world use
    cases, so you don't fall into the pit of designing-for-everybody on
    your first iteration.<br>
    <br>
    Having said all that, I don't think the entirety of what's needed to
    service emcomm (and likely even ham) users can be implemented in
    HamWAN's current organizational model.  Motivating said skilled
    engineers to execute consistently and on-time (or even at all) has
    been one major impediment to success.  Lately I've been studying the
    viability of remunerating engineering work in this problem space. 
    The most surprising finding to date is that some folks have a
    philosophical opposition to getting paid for their work product in
    this problem space.  Feel free to contact me privately (goes for
    anyone) if you're interested in this latest viability study of mine.<span class="HOEnZb"><font color="#888888"><br>
    <br>
    --Bart</font></span><div><div class="h5"><br>
    <br>
    <div class="m_-5655051895472301058moz-cite-prefix">On 4/6/2017 1:15 PM, Kenny Richards
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">
        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">It
          would be great if we could leverage the ARETF for this kind of
          discussion. Bryan and I dreamed it up for this kind of
          situation, but so far we have been a solution looking for a
          problem.</div>
        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small"><br>
        </div>
        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">Even
          if we decided to use 'off the shelf' solutions, the
          configuration changes for amateur radio being documented is
          still goodness.</div>
        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small"><br>
        </div>
        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">Is
          the right next step just laying some of this ground work and
          defining the scope problems we need to address?</div>
        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small"><br>
        </div>
        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">Thanks</div>
        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">Kenny</div>
        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small"><br>
        </div>
        <div class="gmail_extra"><br>
          <div class="gmail_quote">On Sat, Apr 1, 2017 at 1:59 PM, Cory
            (NQ1E) <span dir="ltr"><<a href="mailto:cory@nq1e.hm" target="_blank">cory@nq1e.hm</a>></span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <div dir="ltr">This is the first topic we were hoping to
                tackle if we could get some interest behind the <a href="http://aretf.org/" target="_blank">ARETF</a>.  I made a post there a
                couple years ago to try to get the ball rolling, but
                without the help of others I haven't been able to stay
                focused on this topic due to many different things that
                demand my time.
                <div><br>
                </div>
                <div>I'll start by reposting my introduction to terms.
                  ;)</div>
                <div><br>
                </div>
                <div><br>
                </div>
                <div>------------------------------<wbr>----</div>
                <div>
                  <p style="margin:0px;padding:0.35em 0px;font-family:verdana,helvetica,arial,sans-serif;font-size:12px;background-color:rgb(250,250,250)">I'll
                    start by clarifying some terms so we can further
                    discuss these matters with the appropriate context.</p>
                  <p style="margin:0px;padding:0.35em 0px;font-family:verdana,helvetica,arial,sans-serif;font-size:12px;background-color:rgb(250,250,250)">When
                    people refer to "secure" communication, they're
                    typically implying these three distinct features:</p>
                  <ul style="margin:0px;padding:0.35em 0px 0.35em 2em;font-family:verdana,helvetica,arial,sans-serif;font-size:12px;background-color:rgb(250,250,250)">
                    <li style="margin:0px;padding:0px;text-align:left">
                      <p style="margin:0px;padding:0px">Privacy -
                        Preventing third parties from seeing what is
                        being communicated.</p>
                    </li>
                    <li style="margin:0px;padding:0px;text-align:left">
                      <p style="margin:0px;padding:0px">Integrity -
                        Assurance that the message received was from the
                        sender and not tampered with in transit</p>
                    </li>
                    <li style="margin:0px;padding:0px;text-align:left">
                      <p style="margin:0px;padding:0px">Authentication -
                        Assurance that the sender is who you expect them
                        to be and not an impostor</p>
                    </li>
                  </ul>
                  <p style="margin:0px;padding:0.35em 0px;font-family:verdana,helvetica,arial,sans-serif;font-size:12px;background-color:rgb(250,250,250)">When
                    providing security for a system, you also need to
                    consider:</p>
                  <ul style="margin:0px;padding:0.35em 0px 0.35em 2em;font-family:verdana,helvetica,arial,sans-serif;font-size:12px;background-color:rgb(250,250,250)">
                    <li style="margin:0px;padding:0px;text-align:left">
                      <p style="margin:0px;padding:0px">Authorization -
                        Determining if the identified sender is allowed
                        to perform the action they are requesting.</p>
                    </li>
                  </ul>
                  <p style="margin:0px;padding:0.35em 0px;font-family:verdana,helvetica,arial,sans-serif;font-size:12px;background-color:rgb(250,250,250)">In
                    amateur radio, we want to be able to use all of the
                    security features above except for privacy.  It's a
                    common misconception in the US that FCC part 97
                    prevents the use of encryption and therefore most
                    security features aren't available to us.  However,
                    what part 97 actually prohibits is "messages encoded
                    for the purpose of obscuring their meaning."  It's
                    important to keep this distinction in mind when
                    developing best practices and communicating them to
                    users who may not understand the difference.</p>
                  <p style="margin:0px;padding:0.35em 0px;font-family:verdana,helvetica,arial,sans-serif;font-size:12px;background-color:rgb(250,250,250)">We
                    should also try to avoid rat-holing any discussions
                    with debate on whether privacy *should* be allowed
                    as that isn't productive for our goals.  It's also
                    likely what contributed to past failures on this
                    subject.</p>
                  <p style="margin:0px;padding:0.35em 0px;font-family:verdana,helvetica,arial,sans-serif;font-size:12px;background-color:rgb(250,250,250)">Luckily,
                    many technologies already support these features
                    without privacy which means we don't need to start
                    from scratch.  Unfortunately, privacy is the one
                    thing most people think of when it comes to
                    security.  Therefore, our use-cases don't tend to be
                    well documented or understood.  That's what I hope
                    we get a chance to fix.</p>
                  <p style="margin:0px;padding:0.35em 0px;font-family:verdana,helvetica,arial,sans-serif;font-size:12px;background-color:rgb(250,250,250)">-Cory<br style="display:inline">
                    NQ1E</p>
                </div>
                <div>------------------------------<wbr>----<br>
                </div>
                <div>2015-05-18<br>
                </div>
                <div><a href="https://forum.aretf.net/viewtopic.php?pid=10#p10" target="_blank">https://forum.aretf.net/viewto<wbr>pic.php?pid=10#p10</a><br>
                </div>
                <div><br>
                </div>
              </div>
              <div class="gmail_extra"><br>
                <div class="gmail_quote">
                  <div>
                    <div class="m_-5655051895472301058h5">On Sat, Apr 1, 2017 at 1:19 PM, Bart
                      Kus <span dir="ltr"><<a href="mailto:me@bartk.us" target="_blank">me@bartk.us</a>></span>
                      wrote:<br>
                    </div>
                  </div>
                  <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                    <div>
                      <div class="m_-5655051895472301058h5">
                        <div bgcolor="#FFFFFF" text="#000000"> <img src="cid:part13.62A9824D.0A0A181B@bartk.us"><br>
                          <br>
                          No, not that kind of identity.  Digital
                          identity.  Used to inform networks and
                          computers about who you are.  In my brief
                          research on this, Wikipedia has listed a few
                          systems:<br>
                          <ol>
                            <li>SAML</li>
                            <li>OAuth</li>
                            <li>OpenID</li>
                            <li>CAS</li>
                          </ol>
                          <p>There are of course other systems, such as
                            X509 certificates, or just plain old trusted
                            keys or fingerprints.  The question is,
                            which of these systems are appropriate for
                            use on Part 97 airwaves?<br>
                          </p>
                          <p>The big P97 restriction we have is no use
                            of secrecy or encryption.  Early on we
                            realized this means any system which relies
                            on shared secrets (such as passwords) is not
                            going to work well.  One system that does
                            work really well is public/private key based
                            authentication.  SSH key authentication and
                            TLS client certificate authentication work
                            really well because of this.  However, those
                            systems are not without problems.  Both of
                            them need to have the encryption option
                            turned off, which requires a custom ssh
                            client and server for SSH, and is nearly
                            impossible to do with any modern web browser
                            for TLS.  Other applications that use TLS
                            will also have the same challenge.<br>
                          </p>
                          <p>I'd like to identify some acceptable
                            identity systems for web browsers and web
                            applications.  It would be great if they
                            could also be used for email clients
                            (Thunderbird, Evolution, KMail, etc), and
                            other applications like file shares.<br>
                          </p>
                          <p>I haven't looked into security tokens at
                            all yet, but those may work.  That is, to
                            plug a token into USB or tap it via NFC
                            (cell phone case), and have yourself
                            identified.<br>
                          </p>
                          <p>Is anyone aware of which systems may be
                            compatible with Part 97 and work in a
                            user-friendly way?<span class="m_-5655051895472301058m_3457861431838574063HOEnZb"><font color="#888888"><br>
                              </font></span></p>
                          <span class="m_-5655051895472301058m_3457861431838574063HOEnZb"><font color="#888888">
                              <p>--Bart<br>
                                <br>
                              </p>
                            </font></span></div>
                        <br>
                      </div>
                    </div>
                    ______________________________<wbr>_________________<br>
                    PSDR mailing list<br>
                    <a href="mailto:PSDR@hamwan.org" target="_blank">PSDR@hamwan.org</a><br>
                    <a href="http://mail.hamwan.net/mailman/listinfo/psdr" rel="noreferrer" target="_blank">http://mail.hamwan.net/mailman<wbr>/listinfo/psdr</a><br>
                    <br>
                  </blockquote>
                </div>
                <br>
              </div>
              <br>
              ______________________________<wbr>_________________<br>
              PSDR mailing list<br>
              <a href="mailto:PSDR@hamwan.org" target="_blank">PSDR@hamwan.org</a><br>
              <a href="http://mail.hamwan.net/mailman/listinfo/psdr" rel="noreferrer" target="_blank">http://mail.hamwan.net/mailman<wbr>/listinfo/psdr</a><br>
              <br>
            </blockquote>
          </div>
          <br>
        </div>
      </div>
      <br>
      <fieldset class="m_-5655051895472301058mimeAttachmentHeader"></fieldset>
      <br>
      <pre>______________________________<wbr>_________________
PSDR mailing list
<a class="m_-5655051895472301058moz-txt-link-abbreviated" href="mailto:PSDR@hamwan.org" target="_blank">PSDR@hamwan.org</a>
<a class="m_-5655051895472301058moz-txt-link-freetext" href="http://mail.hamwan.net/mailman/listinfo/psdr" target="_blank">http://mail.hamwan.net/<wbr>mailman/listinfo/psdr</a>
</pre>
    </blockquote>
    <br>
  </div></div></div>

<br>______________________________<wbr>_________________<br>
PSDR mailing list<br>
<a href="mailto:PSDR@hamwan.org">PSDR@hamwan.org</a><br>
<a href="http://mail.hamwan.net/mailman/listinfo/psdr" rel="noreferrer" target="_blank">http://mail.hamwan.net/<wbr>mailman/listinfo/psdr</a><br>
<br></blockquote></div><br></div>