[aprssig] Universal APRS messaging
Heikki Hannikainen hessu at hes.iki.fi
Fri Oct 24 07:20:04 UTC 2008

On Thu, 23 Oct 2008, Tyler Allison wrote:

> Steve Dimse wrote:
>> We'll have to agree to disagree on this. I think providing any
>> illusion that there is security is wrong. IGate operators need to know
>> they bear total responsibility for everything transmitted through
>> their IGate. Authenticating web access gives the illusion of security
>> which does not exist.
>
> No we don't. I agree with you on a philosophical standpoint :)
>
> What I meant is that if someone is bound and determined to implement
> something the only real thing I've heard that might stop some random acts
> of annoyance is the web access authentication. But it should not be
> cloaked in the guise of removing liability. It's stopping ankle biters,
> which are not the real liability risk.

I have to agree with Tyler on the practical side of things. I know of a few ways to break into my apartment without much trouble, but I still want to keep the front door locked so that anyone can't simply walk in. And yes, I know that the front door can be picked too.

If there is a security hole on one side of a production system, we shouldn't create more of them on the other side to just prove the point. I think we should work to plug the existing holes instead of creating more of them.

On the philosophical side, I do enjoy reading the bugtraq mailing list and see the value of releasing proof-of-concept code to force big companies to fix their security holes, if they're not willing to do so otherwise. As long as they're not publishing holes in *my* systems, it's fine. :)

And while there isn't security on APRS-IS, I wouldn't actually mind improving security on the web interfaces. It'll be useful when/if the security on APRS-ISv2 (or whatever) is implemented. OpenID would be nice for mutual sharing of verified license status information, I suggested it in the spring:

http://oh7lzb.blogspot.com/2008/05/how-to-authenticate-licensed-hams.html

It simply does not work for the APRS-IS case, though.

RSA/DSA signatures by igates for every gated message, anyone? :) (Seriously speaking, the CA mess would be a maintenance nightmare in such a decentralized system, and the CPU requirements would be noticeable. I doubt people would bother.)

- Hessu, OH7LZB (aprs.fi)
