[HamWAN PSDR] Let's talk about identity
cory at nq1e.hm
Sat Apr 1 13:59:11 PDT 2017
This is the first topic we were hoping to tackle if we could get some
interest behind the ARETF <http://aretf.org/>. I made a post there a
couple years ago to try to get the ball rolling, but without the help of
others I haven't been able to stay focused on this topic due to many
different things that demand my time.
I'll start by reposting my introduction to terms. ;)
I'll start by clarifying some terms so we can further discuss these matters
with the appropriate context.
When people refer to "secure" communication, they're typically implying
these three distinct features:
Privacy - Preventing third parties from seeing what is being
Integrity - Assurance that the message received was from the sender and
not tampered with in transit
Authentication - Assurance that the sender is who you expect them to be
and not an impostor
When providing security for a system, you also need to consider:
Authorization - Determining if the identified sender is allowed to
perform the action they are requesting.
In amateur radio, we want to be able to use all of the security features
above except for privacy. It's a common misconception in the US that FCC
part 97 prevents the use of encryption and therefore most security features
aren't available to us. However, what part 97 actually prohibits is
"messages encoded for the purpose of obscuring their meaning." It's
important to keep this distinction in mind when developing best practices
and communicating them to users who may not understand the difference.
We should also try to avoid rat-holing any discussions with debate on
whether privacy *should* be allowed as that isn't productive for our
goals. It's also likely what contributed to past failures on this subject.
Luckily, many technologies already support these features without privacy
which means we don't need to start from scratch. Unfortunately, privacy is
the one thing most people think of when it comes to security. Therefore,
our use-cases don't tend to be well documented or understood. That's what
I hope we get a chance to fix.
On Sat, Apr 1, 2017 at 1:19 PM, Bart Kus <me at bartk.us> wrote:
> No, not that kind of identity. Digital identity. Used to inform networks
> and computers about who you are. In my brief research on this, Wikipedia
> has listed a few systems:
> 1. SAML
> 2. OAuth
> 3. OpenID
> 4. CAS
> There are of course other systems, such as X509 certificates, or just
> plain old trusted keys or fingerprints. The question is, which of these
> systems are appropriate for use on Part 97 airwaves?
> The big P97 restriction we have is no use of secrecy or encryption. Early
> on we realized this means any system which relies on shared secrets (such
> as passwords) is not going to work well. One system that does work really
> well is public/private key based authentication. SSH key authentication
> and TLS client certificate authentication work really well because of
> this. However, those systems are not without problems. Both of them need
> to have the encryption option turned off, which requires a custom ssh
> client and server for SSH, and is nearly impossible to do with any modern
> web browser for TLS. Other applications that use TLS will also have the
> same challenge.
> I'd like to identify some acceptable identity systems for web browsers and
> web applications. It would be great if they could also be used for email
> clients (Thunderbird, Evolution, KMail, etc), and other applications like
> file shares.
> I haven't looked into security tokens at all yet, but those may work.
> That is, to plug a token into USB or tap it via NFC (cell phone case), and
> have yourself identified.
> Is anyone aware of which systems may be compatible with Part 97 and work
> in a user-friendly way?
> PSDR mailing list
> PSDR at hamwan.org
-------------- next part --------------
An HTML attachment was scrubbed...
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 13670 bytes
Desc: not available
More information about the PSDR