On Thu, Apr 17, 2014 at 8:35 AM, lleachii@aol.com wrote:
All,
I've added a new tool that I'd like you to test. This web application should provide the registration code required by APRS software suites. In order to use it, you must browse to:
http://kb3vwg-010.ampr.org/tools/aprscode or http://44.60.44.10/tools/aprscode
If you're on AMPRNet, you should be able to enter the callsign and look up the registration code. If you access it from outside of AMPRNet, you will be prompted for an access code (1234).
Please let me know how it works.
It's poor design to allow authorization via source address or low-entropy password with no authentication. I was just able to generate a passcode for KB3VWG, but I'm not KB3VWG. I certainly don't want you handing out passcodes for KD7LXL. I already have mine memorized, and no one else needs it.
A more prudent, yet still automated, scheme would be to authenticate with a certificate. For example, a Logbook of the World certificate from the ARRL contains your callsign, and is only issued by the ARRL after verifying your identity. A web app using SSL client verification could read the callsign from this certificate and return the APRS-IS passcode for that callsign, and only that callsign. That is proper authentication.
You might ask, why go through all that trouble when the APRS-IS passcode is generated with a public algorithm? I agree with you there. It would be prudent to implement better authentication on APRS-IS. I have done so on the APRS server I manage: http://44.24.242.23:14501/

When connecting to the SSL ports, the server will read your callsign out of a Logbook of the World certificate. If your client requests it, the server will use only the authentication component of SSL, disabling the encryption (important if you're connecting via RF). Application support for this scheme is low right now (I've done it with APRSDroid, and Xastir+stunnel), but I expect adoption to increase.
Tom KD7LXL
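The two authorization schemes discussed in this thread, side by side, as an added example that is not code from either message or from any APRS software. Assumptions: the function names are hypothetical, AMPRNet is taken to be 44.0.0.0/8, and the certificate callsign is handed in by a TLS layer that has already verified the client certificate.

```python
import hmac
import ipaddress

# Assumption: AMPRNet address space at the time of the thread.
AMPRNET = ipaddress.ip_network("44.0.0.0/8")
ACCESS_CODE = "1234"  # the shared access code quoted in the thread


def base_callsign(value):
    """Normalize a callsign: trim, uppercase, drop any -SSID suffix."""
    call = value.strip().upper().split("-", 1)[0]
    if not (3 <= len(call) <= 7 and call.isascii() and call.isalnum()):
        raise ValueError("not a plausible callsign: %r" % (value,))
    return call


def allowed_by_source_or_code(src_ip, access_code, requested):
    """Scheme criticized in the reply: the requester is never identified,
    so any requested callsign is served once either gate passes."""
    base_callsign(requested)  # validated, but never tied to the requester
    on_amprnet = ipaddress.ip_address(src_ip) in AMPRNET
    code_ok = hmac.compare_digest((access_code or "").encode(),
                                  ACCESS_CODE.encode())
    return on_amprnet or code_ok


def allowed_by_certificate(cert_callsign, requested):
    """Scheme proposed in the reply: serve only the callsign named in the
    verified client certificate. None means no certificate was presented."""
    if cert_callsign is None:
        return False
    return hmac.compare_digest(base_callsign(cert_callsign).encode(),
                               base_callsign(requested).encode())


if __name__ == "__main__":
    # Constructed requests: (source IP, access code, cert callsign, requested)
    samples = [
        ("44.24.242.23", None, "KD7LXL", "KB3VWG"),
        ("203.0.113.5", "1234", None, "KD7LXL"),
        ("203.0.113.5", None, "KD7LXL", "kd7lxl-9"),
    ]
    for src, code, cert, req in samples:
        print(req, "source/code:", allowed_by_source_or_code(src, code, req),
              "certificate:", allowed_by_certificate(cert, req))
```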