[aprssig] Universal APRS messaging
steve at dimse.com
Thu Oct 23 20:11:47 EDT 2008
On Oct 23, 2008, at 6:57 PM, Gregory A. Carter wrote:
> I still maintain that it would be wise to create an OpenID style
> system. Of course it would take quite a while before the various
> pieces of software eventually got up to date to use the new auth
> system for APRS-IS (and some software may never), however the longer
> the implementation is delayed, the longer it will take to impliment
> (how's that for a brain teaser).
Do you see that you cannot simply tack a new authorization system onto
the present APRS IS? No matter how you choose to represent that a
packet used that system, I can simply duplicate that representation
when I send a packet to the APRS IS.
The solution requires either to cryptographically sign each packet on
the APRS IS that is from a verified station (in a way that does not
break current software, hard!), or to create a new APRS IS where
access is limited to those who implement the new authorization scheme.
The latter method would be my choice.
A new APRS IS could inject all the data from the old APRS IS and flag
it as unverified, so that people using the new system could see all
the old data, and choose how much trust to give it. Data from the new
system could also be fed back into the old, so there would be no
isolation. People could switch to the new system as their software was
updated to use the new validation, whatever that be, yet the legacy
programs still work (albeit with no IGate security).
The biggest hurdle is that not many people really care. I think that
is because most IGate operators do not concern themselves with the
risks. I thought releasing the algorithm back when would make IGate
operators act as I did and shut down their two-way IGates. Not only
did that not happen, but the APRS IS is probably 20 times the size it
was then by any measure. It probably helps that there has never been
an enforcement action against APRS. I don't want to take the chance on
being the first. Until this week, I also felt it was my responsibility
to do all that was in my power to prevent people from hurting
themselves. The users have changed my mind, I just provide the tools,
how people use them is not my responsibility,
More information about the aprssig