Trusted QSL FAQ
1. Q. What is the difference between E-QSLs and tQSLs? A. A tQSL is just a special form of an E-QSL, one signed by its creator with a public key digital signature.
3. Q. What is wrong with http://www.eqsl.cc? A. Nothing at all. The concept of a tQSL does not exclude participation by a logbook server such as eQSL.cc. A tQSL adds a third-party authentication protocol that replaces the central server as the trusted authenticator.
5. Q. Is a digital signature really that difficult to forge, crack or break? A. Yes, it’s that difficult. The only attack against a digital signature that is known to be successful requires factoring a very large number. Factoring a large number is a time-consuming problem but, given enough computing power, it’s not impossible. Factoring 100-digit numbers is easy with today’s hardware and algorithms. The RSA-155 challenge to factor a 155-digit (512-bit) number required 37.5 CPU-years distributed across 292 computers and ultimately a supercomputer to solve. Factoring numbers of more than 200 digits is not currently feasible. The ANSI and NIST standards for digital signatures require a minimum of a 303-digit (1024-bit) number.
7. Q. Will a tQSL signed today continue to be trustworthy as bigger and faster computers become available?
A. Extrapolations have been made based on Moore’s Law (computing power doubles every 18 months) and on the historical progression of the largest number factored. Both approaches give similar answers when applied to a digital signature created with today’s standard commercial key length of 303 digits (1024 bits): forging such a signature will not be feasible for at least several decades to come. No one’s crystal ball is perfect. A mathematical breakthrough that results in the discovery of a more efficient method for factoring large numbers clearly would alter those predictions.
9. Q. What is a private key? A. A private key is just a very large number. In itself, it has no special meaning.
11. Q. What do I sign with my private key? A. You sign tQSLs. You can send those tQSLs directly to your peers, submit them to an awards sponsor and deposit them in a central logbook server.
13. Q. What is an identity certificate (cert)? A. A cert contains the user’s public key, call sign and other information, plus the signature of a Certification Authority (CA) endorsing the information contained in the cert.
15. Q. What can I sign with my cert? A. Nothing. Certs are only used for authenticating signatures. You use your private key to sign tQSLs.
17. Q. What is a Certification Authority (CA)? A. A CA takes the user’s information and public key, verifies the information, and endorses the information and public key by signing them with the CA’s private key, creating a cert.
19. Q. Who are the CAs? A. Currently there aren’t any CAs for tQSLs. TrustedQSL will issue a “TEST” Certificate, but TrustedQSL isn’t going to be in the certificate business as a CA. The ARRL will soon be issuing identity certificates for its “Logbook of the World” program.
21. Q. Who grants CA status? A. There’s no official CA status. Any person or group can act as a CA. It is up to each award sponsor to make a policy decision to accept a CA as being trustworthy for its award program.
23. Q. What is to stop an untrusted party from becoming a CA? A. Nothing, anyone can become a CA. An award sponsor must decide to accept a CA before that CA has any trust for their award program.
25. Q. What is the Public Key Infrastructure (PKI)? A. A system of digital certificates, Certificate Authorities, and other registration authorities that verify and authenticate each party involved in an exchange of information.
27. Q. What is the “trust model”? A. The trust model forms one basis for classifying different PKI architectures. A trust model defines the trusted relationships and describes the “chain of trust” from a public key that is known to be authentic through to a specific user’s public key.
29. Q. What happens if my cert gets stolen? A. It doesn’t matter. It is public information used to authenticate your signature. You can’t do anything bad with it. If there is any question about a certificate being authentic, it can be authenticated with the CA’s public key.
31. Q. What happens if my secret key gets stolen? A. This is a problem. You will need to contact your CA to have them revoke it.
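Added example (not TrustedQSL code): the chain of trust described in the answers above, from the CA's public key through the cert to a signed tQSL, and why holding someone else's cert without their private key is useless. It assumes textbook RSA with tiny fixed primes and no padding, which is for illustration only; all function names, call signs and the record format are hypothetical.

```python
import hashlib

E = 65537  # public exponent shared by every toy key below

def make_key(p, q):
    """Textbook RSA from two primes: returns (public n, private (n, d))."""
    n = p * q
    return n, (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, priv):
    n, d = priv
    return pow(digest(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)

def cert_body(callsign, user_n):
    return f"{callsign}|{user_n}".encode()

def issue_cert(callsign, user_n, ca_priv):
    """The CA endorses (call sign, public key) by signing them."""
    return {"callsign": callsign, "n": user_n,
            "ca_sig": sign(cert_body(callsign, user_n), ca_priv)}

def check_tqsl(record, sig, cert, accepted_ca_n):
    """An award sponsor's check: authenticate the cert, then the tQSL."""
    body = cert_body(cert["callsign"], cert["n"])
    if not verify(body, cert["ca_sig"], accepted_ca_n):
        return "cert not endorsed by an accepted CA"
    if not verify(record, sig, cert["n"]):
        return "tQSL signature invalid"
    return "ok"

# Constructed sample data: toy Mersenne primes, placeholder call signs.
CA_PUB, CA_PRIV = make_key(2**89 - 1, 2**107 - 1)
OTHER_CA_PUB, OTHER_CA_PRIV = make_key(2**107 - 1, 2**127 - 1)
USER_PUB, USER_PRIV = make_key(2**61 - 1, 2**127 - 1)
THIEF_PUB, THIEF_PRIV = make_key(2**61 - 1, 2**89 - 1)

RECORD = b"QSO N0CALL>TEST2 2002-01-01 14.025MHz CW"
CERT = issue_cert("N0CALL", USER_PUB, CA_PRIV)
SIG = sign(RECORD, USER_PRIV)

if __name__ == "__main__":
    print(check_tqsl(RECORD, SIG, CERT, CA_PUB))                       # genuine
    print(check_tqsl(RECORD, sign(RECORD, THIEF_PRIV), CERT, CA_PUB))  # stolen cert only
```

The sponsor needs only the public key of a CA it has chosen to accept; a cert signed by any other CA is rejected until the sponsor decides to trust that CA too.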