K |
K (link to policy added) |
||
| (Der Versionsvergleich bezieht 13 dazwischen liegende Versionen mit ein.) | |||
| Zeile 1: | Zeile 1: | ||
| - | = HAM PKI = | + | = HAM PKI: Igniting Amateur Radio over Internet Applications = |
| - | + | This is work-in-progress. Join our discussion in <code>#ham-pki</code> on the IRCnet. | |
| - | + | == ChaosWelle Amateur Radio Certificate Authority == | |
| - | + | === Problem: Authenticating Radio Amateurs Online === | |
| + | Access to some systems or services (for example APRS or the hamnet) over the Internet should only be provided to authorized and licensed amateur radio operators. | ||
| - | + | APRS currently uses a passcode, which is just some kind of checksum of the callsign. There are many freely available tools, which you can use to generate your own APRS passcode for every string you can imagine. Based on that information an APRS passcode is not a secure way of authenticating an amateur radio operator. | |
| - | Some services started to use certificates to identify amateur radio operators. Theese certificates are issued by a CA which will identify the operator before issuing the certificate. No one can fake a certificate, because a certificate needs to be signed by a CA to be valid. | ||
| - | + | === Solution: Certificate PKI === | |
| - | + | Some services (LotW, a pair of APRS-IS implementations) started to use certificates to identify amateur radio operators. These certificates are issued by a Certificate Authority (CA) which will check the operator's identity and callsign before issuing the certificate. Faking such a certificate is cryptographically impossible. | |
| - | + | Currently there is only one CA, used by the ARRL to issue Logbook-of-the-World (LoTW) certificates. In addition to the fact that this is a single point of failure, many hams may have problems with sending personal documents using the postal service around the globe. This lead to the idea, that another CA could be created and that the formal rules for this CA need to be defined and documented. This would make the whole process of issuing and revoking certificates transparent to the amateur who is requesting a certificate, and also to server operators who need to decide which CAs they want to trust. | |
| + | |||
| + | === Our Goal: Creation of a "Chaoswelle" Root CA === | ||
| + | |||
| + | One of the first ideas was to put this CA service into the local amateur radio operators group (for example ARRL in the US, DARC in Germany) but not every amateur radio operator is a member of such a group. Also, integrating such a service in a local group has to tackle many political and bureaucratic hurdles, making it impossible in the short term. | ||
| + | |||
| + | Our goal is therefore to build a volunteer-driven CA within the [https://www.ccc.de/ CCC], an organization which is known for its privacy and IT knowledge. With this CA, any radio amateur can request certificates free of charge, and the documentation and implementation of this CA will be usable as a blue-print for other groups (local clubs, government agencies for amateur radio) to follow. | ||
=== Requirements === | === Requirements === | ||
| - | + | * Operator Identification Process | |
| - | + | ** Match "real identity" (person's name) with "amateur identity" (callsign) and "online identity" (email address / browser / app / certificate request) | |
| - | + | *** don't request passport scans. DON'T. | |
| + | ** Automation as far as possible | ||
| + | * Certificate Issuing Process | ||
| + | * Revocation Process | ||
| + | ** Create Revocation Policy | ||
| + | ** Provide Public Audit Log of revocations | ||
| + | ** Revocation by CA | ||
| + | ** Revocation by Callsign Owner | ||
| + | ** Revocation by Service Provider due to abuse | ||
=== TODO === | === TODO === | ||
| - | + | * robust certification and revocation policy: [[HAM-PKI/Policy]] | |
| - | + | * CA implementation | |
| - | + | * validation volunteers | |
| + | |||
| + | === Certification Process === | ||
| + | |||
| + | Possible automatic process: | ||
| + | |||
| + | # User fills in callsign + certificate request | ||
| + | # Automatic system sends registration-code postcard to address registered in country's official database | ||
| + | # User enters registration-code, can download certificate | ||
| + | |||
| + | Problem: somebody needs to pay for postage & logistics. | ||
| + | |||
| + | |||
| + | Possible manual process: | ||
| + | |||
| + | * Online Form (Full Name[r], Call[r], EMail[r]) | ||
| + | * User receives EMail with link to the upload website to upload Callsign assignment, CSR and a document which proves identity (again: no passports) | ||
| + | ** official proof of residence OR | ||
| + | ** phone, electricity or gas bill with personal name and address (but without more details) not older than 1 month and need to be originally send via snail mail | ||
| + | * User receives status via EMail, that his request is beeing processed | ||
| + | * Admin validates the data. | ||
| + | * User is informed about acceptance, request for more information or denial of request. On acceptance the cert is sent out via email | ||
| + | |||
| + | Why do we want a proof of residence or a phone or gas bill and not a scanned ID? | ||
| + | * In some countries (like Germany) you are not allowed to scan or copy your ID card. | ||
| + | * If it is allowed, many people save the scan on their local computer often without working access control in place | ||
| + | * A bill not older than a month which came via postal service is normaly not stored on the computer but has all informations we need | ||
| + | |||
| + | |||
| + | When is a request for a personal cert accepted (all AND connected): | ||
| + | |||
| + | * EMail Adress is working | ||
| + | * Callsign is valid | ||
| + | * Callsign is assigned to requesting person | ||
| + | * Person and Callsign are both registered to the same address | ||
| + | * Adress is valid | ||
| + | |||
| + | |||
| + | When is a request for a personal cert denied (all OR connected): | ||
| + | |||
| + | * EMail Adress is NOT working | ||
| + | * Callsign is NOT valid | ||
| + | * Callsign is NOT assigned to requesting person | ||
| + | * Adress is NOT valid | ||
| + | |||
| + | |||
| + | When is more information required to decide about the request: | ||
| + | |||
| + | * Person and Callsign are registered to different locations | ||
| + | |||
| + | |||
| + | What is done with the documents after the certificate is approved or declined: | ||
| + | |||
| + | * a protocol of the check is saved with the callsign from the person who has checked the documents and perhaps a comment | ||
| + | * all files uploaded by the user will be deleted right after the process has finished. | ||
| + | * If an admin requires more information about a request and no more information are send, the request will automatically be denied after 30days and the data will be deleted. Only a protocol will be saved. | ||
| + | |||
| + | |||
| + | Problem: manual labor is manual. | ||
| + | |||
| + | |||
| + | Possible automation: make smartphone app/app plugin that: | ||
| + | |||
| + | # Lets user enter his personal data | ||
| + | # Makes a photo of required documents | ||
| + | # Creates a key pair and CSR | ||
| + | # Uploads to CA | ||
| + | # Downloads and integrates certificate once issued | ||
| + | |||
| + | |||
| + | == Applications of Certificate Login == | ||
| + | |||
| + | * [https://aprsdroid.org/ssl/ APRS-IS] login (implemented, working) | ||
| + | * HAMNET user and VPN login (VPN implemented, radio user login TODO) | ||
| + | * aprs.fi interactive services (TODO) | ||
| + | * any online service for radio amateurs | ||
| + | ** possibly oauth server to reduce the hurdles for 3rd party services | ||
| + | |||
| + | == Long Term Tasks == | ||
| + | |||
| + | === Self-Obsolescence === | ||
| + | |||
| + | Bring forward Root CA implementations in radio clubs, regulatory offices etc, so that every amateur is equipped with a certificate as soon as she gets her callsign. | ||
| + | |||
| + | === Root CA Bundle === | ||
| + | |||
| + | Management of a list of Root CAs is non trivial, as can be seen from the different browser developers, OS vendors etc, especially in the context of the CACert inclusion. | ||
| + | |||
| + | To make life for service administrators easier, we should maintain and provide a Root CA bundle" - a package containing a set of Root CAs that we deem as trusted, according to a documented set of rules. | ||
| + | |||
| + | Alternatively, this could be achieved by creating Sub-CA certificates for the existing ham radio CAs, making one effective Root CA that only delegates signing of individual amateurs. | ||
| + | |||
| + | === EchoLink === | ||
| + | |||
| + | EchoLink is using a manual verification process of users prior to allowing them on the EchoLink Internet backbone. We need to get in touch with the responsible people at EchoLink, so we can achieve two synergy effects: | ||
| + | |||
| + | * Implement Certificate-based authentication on the EchoLink backbone | ||
| + | * Provide the EchoLink verification team with a CA so they can issue certificates for other applications as well | ||
| + | |||
| + | |||
| + | === More Online Services === | ||
| + | |||
| + | Contact the designers/operators of the following services to integrate certificate auth: | ||
| + | * D-Star | ||
| + | * Packet Radio | ||
| + | * net44 | ||
| + | * Allstarlink | ||
| + | * DX-Clusters | ||
| + | * ''Add further amateur radio online services'' | ||
Aktuelle Version
Inhaltsverzeichnis |
HAM PKI: Igniting Amateur Radio over Internet Applications
This is work-in-progress. Join our discussion in #ham-pki on the IRCnet.
ChaosWelle Amateur Radio Certificate Authority
Problem: Authenticating Radio Amateurs Online
Access to some systems or services (for example APRS or the hamnet) over the Internet should only be provided to authorized and licensed amateur radio operators.
APRS currently uses a passcode, which is just some kind of checksum of the callsign. There are many freely available tools, which you can use to generate your own APRS passcode for every string you can imagine. Based on that information an APRS passcode is not a secure way of authenticating an amateur radio operator.
Solution: Certificate PKI
Some services (LotW, a pair of APRS-IS implementations) started to use certificates to identify amateur radio operators. These certificates are issued by a Certificate Authority (CA) which will check the operator's identity and callsign before issuing the certificate. Faking such a certificate is cryptographically impossible.
Currently there is only one CA, used by the ARRL to issue Logbook-of-the-World (LoTW) certificates. In addition to the fact that this is a single point of failure, many hams may have problems with sending personal documents using the postal service around the globe. This lead to the idea, that another CA could be created and that the formal rules for this CA need to be defined and documented. This would make the whole process of issuing and revoking certificates transparent to the amateur who is requesting a certificate, and also to server operators who need to decide which CAs they want to trust.
Our Goal: Creation of a "Chaoswelle" Root CA
One of the first ideas was to put this CA service into the local amateur radio operators group (for example ARRL in the US, DARC in Germany) but not every amateur radio operator is a member of such a group. Also, integrating such a service in a local group has to tackle many political and bureaucratic hurdles, making it impossible in the short term.
Our goal is therefore to build a volunteer-driven CA within the CCC, an organization which is known for its privacy and IT knowledge. With this CA, any radio amateur can request certificates free of charge, and the documentation and implementation of this CA will be usable as a blue-print for other groups (local clubs, government agencies for amateur radio) to follow.
Requirements
- Operator Identification Process
- Match "real identity" (person's name) with "amateur identity" (callsign) and "online identity" (email address / browser / app / certificate request)
- don't request passport scans. DON'T.
- Automation as far as possible
- Match "real identity" (person's name) with "amateur identity" (callsign) and "online identity" (email address / browser / app / certificate request)
- Certificate Issuing Process
- Revocation Process
- Create Revocation Policy
- Provide Public Audit Log of revocations
- Revocation by CA
- Revocation by Callsign Owner
- Revocation by Service Provider due to abuse
TODO
- robust certification and revocation policy: HAM-PKI/Policy
- CA implementation
- validation volunteers
Certification Process
Possible automatic process:
- User fills in callsign + certificate request
- Automatic system sends registration-code postcard to address registered in country's official database
- User enters registration-code, can download certificate
Problem: somebody needs to pay for postage & logistics.
Possible manual process:
- Online Form (Full Name[r], Call[r], EMail[r])
- User receives EMail with link to the upload website to upload Callsign assignment, CSR and a document which proves identity (again: no passports)
- official proof of residence OR
- phone, electricity or gas bill with personal name and address (but without more details) not older than 1 month and need to be originally send via snail mail
- User receives status via EMail, that his request is beeing processed
- Admin validates the data.
- User is informed about acceptance, request for more information or denial of request. On acceptance the cert is sent out via email
Why do we want a proof of residence or a phone or gas bill and not a scanned ID?
- In some countries (like Germany) you are not allowed to scan or copy your ID card.
- If it is allowed, many people save the scan on their local computer often without working access control in place
- A bill not older than a month which came via postal service is normaly not stored on the computer but has all informations we need
When is a request for a personal cert accepted (all AND connected):
- EMail Adress is working
- Callsign is valid
- Callsign is assigned to requesting person
- Person and Callsign are both registered to the same address
- Adress is valid
When is a request for a personal cert denied (all OR connected):
- EMail Adress is NOT working
- Callsign is NOT valid
- Callsign is NOT assigned to requesting person
- Adress is NOT valid
When is more information required to decide about the request:
- Person and Callsign are registered to different locations
What is done with the documents after the certificate is approved or declined:
- a protocol of the check is saved with the callsign from the person who has checked the documents and perhaps a comment
- all files uploaded by the user will be deleted right after the process has finished.
- If an admin requires more information about a request and no more information are send, the request will automatically be denied after 30days and the data will be deleted. Only a protocol will be saved.
Problem: manual labor is manual.
Possible automation: make smartphone app/app plugin that:
- Lets user enter his personal data
- Makes a photo of required documents
- Creates a key pair and CSR
- Uploads to CA
- Downloads and integrates certificate once issued
Applications of Certificate Login
- APRS-IS login (implemented, working)
- HAMNET user and VPN login (VPN implemented, radio user login TODO)
- aprs.fi interactive services (TODO)
- any online service for radio amateurs
- possibly oauth server to reduce the hurdles for 3rd party services
Long Term Tasks
Self-Obsolescence
Bring forward Root CA implementations in radio clubs, regulatory offices etc, so that every amateur is equipped with a certificate as soon as she gets her callsign.
Root CA Bundle
Management of a list of Root CAs is non trivial, as can be seen from the different browser developers, OS vendors etc, especially in the context of the CACert inclusion.
To make life for service administrators easier, we should maintain and provide a Root CA bundle" - a package containing a set of Root CAs that we deem as trusted, according to a documented set of rules.
Alternatively, this could be achieved by creating Sub-CA certificates for the existing ham radio CAs, making one effective Root CA that only delegates signing of individual amateurs.
EchoLink
EchoLink is using a manual verification process of users prior to allowing them on the EchoLink Internet backbone. We need to get in touch with the responsible people at EchoLink, so we can achieve two synergy effects:
- Implement Certificate-based authentication on the EchoLink backbone
- Provide the EchoLink verification team with a CA so they can issue certificates for other applications as well
More Online Services
Contact the designers/operators of the following services to integrate certificate auth:
- D-Star
- Packet Radio
- net44
- Allstarlink
- DX-Clusters
- Add further amateur radio online services