[aprssig] Certificate authentication (was: UNDEFINED?)

Iain R. Learmonth irl at hambsd.org
Fri May 1 09:29:39 EDT 2020


Hi,

On 30/04/2020 22:43, spam8mybrain via aprssig wrote:
> Another solution to discourage commercial users might be to bring back
> the SSL connection to the APRS-IS servers. Now that it has been
> repaired, if more servers supported it, then we could start phasing
> out the older passcode interface. Maybe throttle only that port and
> not the SSL port. After all, it's easy to create a 5-digit passcode,
> but much harder to create a valid SSL certificate from Logbook of the
> World.

I'm all for this, but first we need to grow the pool of servers
supporting TLS client authentication. I've been working on TLS support
for the HamBSD APRS-IS client and the server-side support is not in
great shape. There were only 2 servers in the ssl.aprs2.net pool, one of
which had an expired server certificate. I'm still trying to track down
the root certificate used by APRS2 to include it in a certificate bundle
that could be used to verify the servers.


https://man.hambsd.org/aprsisd.8

> Yes, this would be rough on hams in countries without easy contact to
> the ARRL. It also would be rough on hams using obsolete APRS
> applications, but I don't have much sympathy for them in these days of
> black-hat hackers. Besides, I didn't propose eliminating the older
> authentication scheme, just making it painful enough to use that the
> network hijackers will go away.

A switchover now would probably kill APRS-IS, or cause some splinter
network or something. We need a push to get TLS support into clients, we
need a push to get support on the servers, and we also need to grow the
list of organizations that could provide certificates. One of the
activities of the HamBSD project is to provide a toolkit for operating
such a CA to allow national clubs and/or regulators to take on the role
of certificate issuance.


https://hambsd.org/pki.html


Thanks,

Iain MM0ROR

-- 
https://hambsd.org/



