On Thu, Apr 17, 2014 at 8:35 AM, <lleachii(a)aol.com> wrote:
> All,
>
> I've added a new tool that I'd like you to test. This web application should
> provide the registration code required by APRS software suites. In order to
> use it, you must browse to:
>
> http://kb3vwg-010.ampr.org/tools/aprscode
> or
> http://44.60.44.10/tools/aprscode
>
> If you're on AMPRNet, you should be able to enter the callsign and look up
> the registration code. If you access it from outside of AMPRNet, you will be
> prompted for an access code (1234).
>
> Please let me know how it works.

It's poor design to allow authorization via source address or
low-entropy password with no authentication. I was just able to
generate a passcode for KB3VWG, but I'm not KB3VWG. I certainly don't
want you handing out passcodes for KD7LXL. I already have mine
memorized, and no one else needs it.

A more prudent, yet still automated, scheme would be to authenticate
with a certificate. For example, a Logbook of the World certificate
from the ARRL contains your callsign, and is only issued by the ARRL
after verifying your identity. A web app using SSL client verification
could read the callsign from this certificate and return the APRS-IS
passcode for that callsign, and only that callsign. That is proper
authentication.

You might ask, why go through all that trouble when the APRS-IS
passcode is generated with a public algorithm? I agree with you there.
It would be prudent to implement better authentication on APRS-IS. I
have done so on the APRS server I manage:
http://44.24.242.23:14501/

When connecting to the SSL ports, the server will read your callsign
out of a Logbook of the World certificate. If your client requests it,
the server will use only the authentication component of SSL,
disabling the encryption (important if you're connecting via RF).
Application support for this scheme is low right now (I've done it
with APRSDroid, and Xastir+stunnel), but I expect adoption to
increase.

Tom KD7LXL
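
The certificate-to-callsign binding described in the message above, sketched as an added example; it is not part of the original e-mail and is not the code of either server mentioned. The function names are hypothetical, and the OID used to find the callsign in the certificate subject, the dotted-string form in which Python reports it, and the SSID stripping are assumptions to confirm against a real Logbook of the World certificate.

```python
import ssl

# Assumption: OID of the subject attribute that carries the callsign in a
# Logbook of the World certificate. Verify against a real certificate.
CALLSIGN_OID = "1.3.6.1.4.1.12348.1.1"

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "Example Operator"),),
                ((CALLSIGN_OID, "KD7LXL"),)),
}


def make_server_context(ca_file, cert_file, key_file):
    """TLS context that rejects clients without a cert chaining to ca_file."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED      # handshake fails without a client cert
    ctx.load_verify_locations(cafile=ca_file)
    ctx.load_cert_chain(cert_file, key_file)
    return ctx


def callsign_from_peercert(peercert):
    """Return the single callsign in a getpeercert()-style dict, else None."""
    if not peercert:
        return None
    found = [value
             for rdn in peercert.get("subject", ())
             for key, value in rdn
             if key == CALLSIGN_OID]
    if len(found) != 1:                      # missing or ambiguous: refuse
        return None
    return found[0].strip().upper()


def authorize(peercert, requested):
    """Allow a passcode lookup only for the callsign the certificate proves."""
    proven = callsign_from_peercert(peercert)
    if proven is None:
        return False
    # Assumption: an SSID suffix such as "-9" shares the base callsign's passcode.
    base = requested.strip().upper().split("-", 1)[0]
    return base == proven
```

The web application would call `authorize(conn.getpeercert(), requested_callsign)` on the accepted TLS connection and ignore both the source address and any shared access code.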