-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 6/13/14, 3:23 PM, Eric H. Christensen wrote: > The mechanism that LoTW uses is similar to what can be done for the > wiki. LoTW is using a certificate to digitally sign a file that is > then transmitted to the LoTW servers. What you can do with ssl_mod > (using httpd) is to require client-side certificate authentication. > Fedora uses this for their package build server and I've seen it a > couple of other places. This isn't something that's easy (although > it's not overly difficult, either). You must have some sort of > cryptographic system in place to generate and manage certificates > (Dogtag?). That's the beauty of it: the ARRL already DOES the hard part. There's no need to install Dogtag (a merciless, bloody task, not really made much easier by spending big $$$ to get the RedHat Enterprise version). The league has already issued the certificates and done the legwork to verify that the people they issue them to are real people, and real hams, and that the callsign matches the real name, etc. On the web server side, all you have to do is say "I trust the ARRL. If they signed a certificate with their private master key, then I'll believe the person submitting that certificate is who they say they are, because the ARRL did all the hard work." The best example is to go to this URL: https://authtest.aprs.fi/ The initial setup for the end user can be somewhat painful. Basically, you need your LOTW certificate, and you import that into your web browser or OS keystore (Windows / Unix). You also import the ARRL Root Certificate. Then, when you browse to the link above, your browser will ask for the password (if you have one) on your LOtW certificate. Once you give it the password, it submits the public portion to the web server, and boom, the web server "knowns" all about you. > > - From a security point of view I think this would be great. Of > course you'd need to do some basic upgrades to the security of the server itself first. > Hessu has set up a github repo here: https://github.com/hessu/ham-cert-web-demo that has all of the web server side configurations to make all of this work. It's really fascinating work, and it lays the groundwork for a global authentication system that is based on a tested, accepted digital authentication/identification system. Again, like them or not, trust them or not, the ARRL has "gotten one right" with regard to digital signatures and certificates. Were you or I to attempt to set up something like this, it would take tens of thousands of dollars and man-hours to create the infrastructure to make it work, and then there's no guarantee that if you build it, people will come to it. > 73, Eric W4OTN > de John Gorkos AB0OO -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.20 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlObX6MACgkQWrompdSdNGutUgCgpQjlQntylnWl8SgGRPKnvI3X D6YAoKAkAkaceeSyTdgoBvfDqLP1TRlg =3ecP -----END PGP SIGNATURE----- _______________________________________________ Xastir mailing list [email protected] http://xastir.org/mailman/listinfo/xastir
