Solved - Re: How/where do I get hponcfg for Ubuntu 24?

Robert Moskowitz rgm at htt-consult.com
Thu Jul 3 13:32:12 UTC 2025


I am only responding to one point:

On 7/3/25 8:51 AM, Liam Proven wrote:
> On Wed, 2 Jul 2025 at 22:21, Robert Moskowitz <rgm at htt-consult.com> wrote:
>
>> And I will need many boxes for the PKI.  Being able to roll this in
>> Ubuntu may be critical for adoption.
> Are you _sure_ you need this?
>
> I've been a Unix techie for nearly 40 years and I go out of my way to
> _not_ have to host and run public-facing infra.
>
Have you worked on commercial CAs?  I had a hand, decades back, on 
Cybertrust which became the core of the Verizon commercial CA.

Those that adhere to CABforum take 3 years and ~$2-3M to spool up. FAA 
managed to push back against the auditors and did theirs in 2yr at, 
publicly, $500K.  It will have private and public-facing pieces; the 
root is in a secure room in a secure cabinet.  The issuing CAs need some 
public pieces.

But what I need to do for our model for sUAS security cannot withstand 
any of those prices.  And parts MUST be publicly facing. The RAA and HDA 
auth servers will all be in lock cabinets.  But not the kind that 
CABforum's auditors want.  They tend to start at $100k each.  I am
pushing for "tamper evident" over very expensive, time consuming "tamper 
proof".

The issuing HDA CA servers could be signing 1K certs per hour.  How to 
do that?  They have to be running all the time, not in some locked 
cabinet.  And there will be lots of them.

We have been working this out in the IETF and coordinating with ICAO and 
their soon-to-be-published Certificate Policy.

Some bigger UAS-using companies, like ZIPline, will be able to keep much
of this private, but their USS needs to be public to the UTM. Lots of 
moving pieces.  ICAO RPAS panel says they will have guidelines in 3 
years.  3 years too late.

How do you build something that works for the 190+ Nation States in 
ICAO?  That allows for free movement of UAS between them?  We have had 
extensive discussions on this.

Oh, and I shudder at what is being done to secure GPS. Galileo is
all ready to roll theirs out.  We got them to tweak it, but I give it 5
years before it breaks.  For US GPS with the many PRN providers, I give 
that proposal 2 years to roll out and 1 year to break.

China is participating but doesn't say what they will do.  We assume
Russia is reading our docs, but they really are a black hole.

But the politics are huge.  We are being forced to do SOMETHING. Over 
that 200 BIT MTU...

I am heavily invested in aviation security.  We are focusing on the 
fast-moving UAS market where innovations can be proved out.  Civil 
aviation is much more painful (and expensive!).

So bottom line:  pieces MUST be public.  How do we keep parts REALLY
private?  Long calls with FAA, Transport-Canada, UK, EUROCONTROL, Japan,
China, Singapore, New Zealand (they control ~1/6 of the global
airspace!), et al.

Oh, and want to have fun?  Look at the ICAO Passport PKI (check out that 
chip on your passport)!  For some countries, ICAO has had to build the
systems, put them in locked boxes and ship them, and hope for the
best.  I believe it is Fiji that has all of 7 CAA employees including
the janitor....  African countries?  Kenya is pretty good; others???  
There are a lot of countries, where if a commercial plane needs 
maintenance, it is flown in transport mode (only 2 specially licensed 
pilots on board) to some trusted country for needed maintenance.  Trust 
their "private" computer systems???

So, yes.  I am trying to base my ConOPs on: "this can be built".

We can take this private, if you want more info.




