Thursday, May 22, 2008

How to authenticate licensed hams?

It would be interesting to provide some methods for two-way communication in the aprs.fi web user interface. Say, APRS messaging from a sort of a web chat, as a simple and obvious example. Or marking their position on the web map and having it seen on APRS-IS. Having tracker devices with an open-source firmware (like OpenTracker and the Finnish HaMDR) opens up more interesting solutions, like remote control, or actively requesting information from a vehicle.

But how on earth could I figure out if an user of the web site is a licensed amateur radio operator, so that he can be allowed to transmit? Automatically, with somewhat strong authentication against an existing database or set of databases, without a need for validating each user by hand? To be useful, it would need to work for more than a few countries (Finland, USA to start with).

It's quite unlikely that the issuers of the licenses (like the FCC in the USA, Ficora in Finland) would bother to create Internet authentication services for their license databases. But the amateur leagues (at least ARRL in the USA, and SRAL in Finland) are already giving out accounts to their web sites ("for members only" features), and I suppose they also know whether each member is licensed or not.

What if the leagues would provide an authentication service using the OpenID protocol? An user would first type in their ARRL or SRAL email address (oh7foo@sral.fi, or n1example@arrl.org), then provide their sral.fi or arrl.org password to SRAL's or ARRL's site, and the authentication result, together with licensing status, would be passed back to aprs.fi (or another "licensed hams only" site).

This would require for the users to be members of one of the organizations providing OpenID authentication. But maybe some individual or organization could set up a trusted OpenID-enabled amateur database, charging each user $2 for the work of validating their license status.

Please, post a comment if you have any ideas for automatically validating the license status of a web site user.

11 comments:

mstyne said...

I know that when I signed up at eqsl.cc they accepted (and presumably tested) my login to the ARRL's Logbook of the World site as proof that I was who I said I was.

That's a very limited subset of hams (ARRL members(?) who use the LoTW) but it's a thought.

73,
Mike
KC2JCJ

SW2HUI said...

I think what you want is similar to this:
http://www.google.com/ig/directory?hl=en&url=athabaska.googlepages.com/google_ham-radio_call.xml

"By The DXZone dot com

This module had been compiled by dxzone.com, and allows you to lookup for ham radio call-signs using multiple call sign servers, like QRZ.com, HamCall, 425 DX News, QSLinfo.de and IK3QAR."

All these servers verify callsigns before listing them as far as I know.

oh7lzb said...

mstyne: Something like ARRL's authentication would be needed for it's members. But others should be supported too, and it is not feasible for me to implement a new and different way to authenticate the members of each and every different amateur club or country. Also, people might not want to give me their arrl.com passwords. That's why a real authentication protocol like OpenID is needed, so that the passwords will go directly to ARRL (or someone) without passing through me, and ARRL will then tell me that this person is who he claims to be (and licensed).

sw2hui: That's not relevant. A callbook could be used to check whether a callsign is licensed, but the problem is knowing whether the user is who he claims to be. Is this particular aprs.fi surfer the amateur radio operator he claims to be? Or did he just pick up someone else's callsign?

SW2HUI said...

well then, you got a point, but on the other hand, ui-view can be used easily without such verifications. You could also check if you could use the echolink.org database which is being widely used as well, and requires callsign licence verification.

oh7lzb said...

Yeah, you can install UI-View and do tricks, but it's a bit more complicated. I'd like to make the web UI easy to use, easier than installing and learning to use UI-View, and it'd be more likely to be abused, unless there's some form of proper authentication in place.

If someone else doesn't do it well, I would prefer to do it better.

The guys at echolink seem to have done a proper validation procedure, it'd be nice if they could provide OpenID authentication for others. Thanks for the tip!

K7JD said...

Hessu,

Steve Dimse, K4HG, solved this problem (sort of) for user entry to the database on findu.com by requiring an Email address containing a ham callsign.

http://www.findu.com/account.html

I don't know how automated his system is or how well it works out in practice but I can envision parsing the Email address on the form to see if it corresponds to the callsign.

Of course, this is not a total solution but it might just be enough.

73,
Joe, K7JD
Lewiston, Idaho USA

oh7lzb said...

Joe,

Sorry, I would not consider that as being any kind of authentication at all. It's just too easy to pick up someone else's callsign (from aprs.fi's pages) and register an email address for it on one of the numerous free webmail providers. Having an email address does not prove anything.

I would like to do things better, especially in places where others haven't done things really well.

Anonymous said...

It is impractical in the real world but, signup as a credit card processor and use AVS to match a users credit card mailing address to their countries HAM licensee database information. If there is a match allow the user to send if not, no play for them.

You can do AVS matching without actually charging the card or incurring charges other than the monthly processing charge. It may not be viable for a free service but it is indeed a possible solution to the problem.

Anonymous said...

Well, the people over at echolink.org have faced this very thing.

You should read their FAQ on the topic: http://www.echolink.org/faq_validation.htm to get an idea on how they do it.

I think it's the only correct way to do it.

hb9egm said...

One step of the sign-up process could ask the user to transmit an APRS message to some destination with a unique key given by the webpage.

That way, only those who are allowed to (or dare to) transmit can register. Of course, there's no guarantee that some guy who registers really is a ham, for the same reason you cannot be certain that the guy you're talking to on HF is licensed.

Just an idea...

73
Matthias HB9EGM

Andreas Weller said...

Hi!
I think the simplest, juridically and technically cleanest solution would be to use the x.509 certificates issued from ARRL for LOTW Users.
They could be imported into the OS, Web-Browser or eMail client and if properly configured automatically authenticate to your Apache Server -> you only have to check against ARRL'S root certificate...


Regards,
Andreas Weller, DF1PAW