[Xastir] Captcha's

John Gorkos jgorkos at gmail.com
Fri Jun 13 16:31:31 EDT 2014 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



On 6/13/14, 3:23 PM, Eric H. Christensen wrote:
> The mechanism that LoTW uses is similar to what can be done for the
> wiki. LoTW is using a certificate to digitally sign a file that is
> then transmitted to the LoTW servers. What you can do with ssl_mod
> (using httpd) is to require client-side certificate authentication.
>  Fedora uses this for their package build server and I've seen it a
> couple of other places. This isn't something that's easy (although
> it's not overly difficult, either). You must have some sort of
> cryptographic system in place to generate and manage certificates
> (Dogtag?).

That's the beauty of it:  the ARRL already DOES the hard part.
There's no need to install Dogtag (a merciless, bloody task, not
really made much easier by spending big $$$ to get the RedHat
Enterprise version).  The league has already issued the certificates
and done the legwork to verify that the people they issue them to are
real people, and real hams, and that the callsign matches the real
name, etc.  On the web server side, all you have to do is say "I trust
the ARRL.  If they signed a certificate with their private master key,
then I'll believe the person submitting that certificate is who they
say they are, because the ARRL did all the hard work."
The best example is to go to this URL:
https://authtest.aprs.fi/

The initial setup for the end user can be somewhat painful.
Basically, you need your LOTW certificate, and you import that into
your web browser or OS keystore (Windows / Unix).  You also import the
ARRL Root Certificate.  Then, when you browse to the link above, your
browser will ask for the password (if you have one) on your LOtW
certificate.  Once you give it the password, it submits the public
portion to the web server, and boom, the web server "knowns" all about
you.

> 
> - From a security point of view I think this would be great. Of
> course you'd need to do some basic upgrades to the security of
the server itself first.
> 
Hessu has set up a github repo here:
https://github.com/hessu/ham-cert-web-demo
that has all of the web server side configurations to make all of this
work.  It's really fascinating work, and it lays the groundwork for a
global authentication system that is based on a tested, accepted
digital authentication/identification system.

Again, like them or not, trust them or not, the ARRL has "gotten one
right" with regard to digital signatures and certificates.  Were you
or I to attempt to set up something like this, it would take tens of
thousands of dollars and man-hours to create the infrastructure to
make it work, and then there's no guarantee that if you build it,
people will come to it.

> 73, Eric W4OTN
> 



de John Gorkos
AB0OO
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.20 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlObX6MACgkQWrompdSdNGutUgCgpQjlQntylnWl8SgGRPKnvI3X
D6YAoKAkAkaceeSyTdgoBvfDqLP1TRlg
=3ecP
-----END PGP SIGNATURE-----

More information about the Xastir mailing list