51. Q. Why do I need an identity certificate to prove my identity?
A. You don’t need a certificate to prove your identity. That’s not how the identity certificate is used in the TrustedQSL process. The identity certificate is created so others can use it to verify that a tQSL that says it is from your station is authentic.
53. Q. Why does the CA send me a copy of the identity certificate if I don’t need to use it? A. For convenience and on general principles, it is after all your public key and your information. Standard practice has the sender include a copy of all the certificates in his “chain of trust” along with his tQSLs. This is a courtesy to the recipient and expedites authentication. An alternative approach would be for the CA to keep your certificate, publish it in the CA’s online directory and have the recipient of your tQSLs look up your certificate online.
55. Q. What else can I do with a copy of my identity certificate? A. You can save your identity certificate along with your private key in a standard portable format (PKCS#12). The PKCS#12 file can be read by a variety of standard applications such as e-mail programs and Internet browsers. This will allow using your private key to sign e-mail messages that you exchange with other amateurs. And other amateurs can authenticate e-mail claiming to be from you as coming from the real WA1XYZ.
57. Q. Who will accept my identity certificate? A. TrustedQSL’s goal is for your identity certificate to be accepted by other hams and by award sponsors. The broader, non-amateur radio community who have chains of trust originating in commercial CAs or national PTTs are unlikely to accept an identity certificate for WA1XYZ as being trustworthy.
59. Q. Why should I bother to digitally sign tQSLs A. In the Spirit of Ham Radio one signs tQSLs so that your fellow hams can receive award credit for contacts they’ve made with you. Signing your tQSLs permits those who do care about such things, award sponsors being the prime example, to authenticate that the WA1XYZ tQSLs received from an unauthenticated intermediary did indeed originate with you, the real WA1XYZ and not some impostor.
61. Q. Who’s an “unauthenticated intermediary?” A. It can be any third party. Digital signatures permit the paradigm to shift away from security and authentication via records kept on central servers towards individual documents that can be authenticated. Just as with traditional paper QSLs, third parties are free to handle, store and forward tQSLs. It is of no concern through which hands, such as logbook servers, a tQSL may have passed prior to its being presented to an award sponsor.
63. Q. Can paper QSL cards have a digital signature? A. Yes. It can be done with a bar code printed on the card. The information on the paper card can then be authenticated just like a tQSL.
65. Q. Do I need to be connected to the Internet to sign tQSLs? A. No, tQSLs can be signed and sent by any means. Including but not limited to e-mail, packet radio, floppy disk, CD, even paper QSL cards.
67. Q. Do I need to be connected to the Internet to validate tQSLs? A. No, you just need a trusted means to obtain the CAs public key.
69. Q. What is Open Source? A. Open Source is a concept in which the copyright holder wishes that the source code be accessible for anyone to use.
71. Q. Why is Open Source important to TrustedQSL? A. For tQSLs to become a standard, then nothing should keep software authors from providing support for the standard. One way to encourage this is to make the source code freely available.
73. Q. Your efforts duplicate commercial products. Products such as Adobe Acrobat, while not free, offer digital signatures with non-repudiation today. A. TrustedQSL is an open source implementation. The protocols adopted for tQSLs are the open standards supported by Microsoft, Netscape, Verisign, Adobe et al. in their products.
75. Q. A trusted system is also highly secure, isn’t it? A. There’s a publication called the US Department of Defense Trusted Computer System Evaluation Criteria, commonly known as the Orange Book. Although originally written for military systems, the security classifications are now broadly used within the computer industry; terms such as C2, B1 and A1 originate in the Orange Book. Yes, a DoD trusted system is very secure. However, the only way in which the “trusted systems” described in the Orange Book are related to TrustedQSL is by the rather inopportune similarity of their names.
77. Q. Does TrustedQSL rely upon exotic cryptographic algorithms? A. No, nothing particularly exotic. TrustedQSL incorporates industry standard algorithms for creating and authenticating digital signatures. Support for these standard algorithms can already be found in most e-mail programs and Internet browsers.
79. Q. Doesn’t TrustedQSL involve such sophisticated encryption techniques that it could never be exported outside the USA? A. Absolutely not. The Bureau of Industry and Security (BIS) in the U.S. Department of Commerce administers export controls on commercial encryption products. The Export Administration Regulations (EAR) exempt from notification and review prior to export all “encryption items” having limited cryptographic functionality. Limited functionality is all that’s required for TrustedQSL: generation and authentication of digital signatures. Such items may be exported without a license to any destination except the seven nations designated by the U.S. State Department as “terrorist supporting” states. Note that the export of any software to five of the “T-7” nations to which digital signature software would be controlled is subject to comprehensive embargoes administered by the U.S. Treasury Department’s Office of Foreign Assets Control.
81. Q. How about other countries, are there places where the importation or use of digital signature software is controlled? A. Possibly. With over 200 countries and territories having independent policy-making authority over the import, export and use of software containing cryptographic functions, it’s difficult to know the answer with complete certainty. And one needs to be sure to ask the right question, as authentication cryptography that is not used for confidentiality purposes is often exempt from controls imposed on more general-purpose encryption software.
83. Q. Do we really need to be using military grade security for QSLs? A. Look, there’s nothing at all like “military grade” security here. tQSLs are not secure; tQSLs are trustworthy because they can be authenticated. It’s a fundamental difference. And it’s not “military grade” authentication; tQSLs employ the same commercial grade authentication protocols that virtually every e-commerce site on the Web uses.
85. Q. Isn’t the public key algorithm that’s used for digital signatures patented? A. Not any more. A public key algorithm commonly used for digital signatures is known as RSA (Rivest-Shamir-Adelman). The RSA algorithm was patented in the USA (Patent No. 4,405,829). However, the patent expired on 20 September 2000.
87. Q. The system you describe is open to fraud, in that a group of users could conspire. A. Sure, that could happen. As it could with paper QSL cards. Any system will not be perfect. Just ask Verisign and Microsoft.
89. Q. Will ARRL and other award sponsors accept tQSLs? A. TrustedQSL has been selected as the authentication protocol for the ARRL’s “Logbook of the World” (LOTW) project. Matching pairs of tQSLs will be acceptable for DXCC credit if both are submitted to LOTW. The ARRL has stated its goal of eventually expanding LOTW from just the DXCC program to include their other awards programs (WAS, VUCC). The RSGB (IOTA) is awaiting an E-QSL system based on public key cryptography to emerge. One could easily imagine the RSGB and other awards sponsors such as CQ Magazine (WAZ, WPX, USA-CA) will be watching the ARRL’s experience with LOTW.
91. Q. What type of service does TrustedQSL.org offer? A. TrustedQSL.org doesn’t really offer any services. We provide information about TrustedQSL systems, Open Standards and Open Source tools.
93. Q. Why should we trust TrustedQSL.org? A. There is no need to trust TrustedQSL.org. We’re not a CA. We’re just advocating adoption of an open standard based on public key signatures and providing open source tools.
95. Q. How did TrustedQSL get its name? A. What’s in a name? In coming up with a name the originators of TrustedQSL were thinking in terms of trust conveyed by a digital signature, as in “the trust model.” How a QSL would be trustworthy if it carried a signature that could be authenticated.
97. Q. You guys are doing some cool stuff. Can I be apart of it? A. Sure, join the TrustedQSL reflector and let us know.