[CQ-Contest] L.O.T.W.

Joe Subich, W4TV k4ik at subich.com
Wed Jul 27 01:46:36 EDT 2005 

Bill writes, 

> If the LoTW security method is better, why don't the banks use it?
> 
> Conversely, if the bank's security method is both simpler and 
> adequate, why doesn't LoTW use it?

Bill, you still don't understand ... they are the same method.  The 
only difference is where the user certificate resides. 

Just today I was working on a new e-commerce site.  The process to 
get an SSL certificate and install it (in order to be able to 
process credit card transactions) is identical to the LotW set-up. 
   1) the applicant has to "prove" who he is
   2) the certificate issuing "authority" has to investigate the 
      applicant and confirm the applicant is who he says he is 
      (and, in some cases, do a through credit and background check)
   3) the applicant needs to provide specific information on the 
      server to be certified (the one on which the certificate will
      be installed) 
   4) the certificates have to be generated 
   5) the certificate must be installed 
   6) the system must be tested and certified 

At this point, YOU can log in and generate a credit card transaction 
(or in the case of a bank/brokerage conduct your business).  You 
prove to me that you're who you say you are when I process your 
credit card number and security ID and the gateway returns an 
authorization code ... I need to prove to the card processor that 
I am who I say I am by having that SSL certificate installed and 
encrypting (or signing) the data.  

Again, the security and authentication for LotW is no different 
than all the other banking, e-commerce and secure database sites.  
If you have well written logging software, the process is completely 
transparent once the LotW certificate is issued,   

Could LotW have been designed to accept an unsigned ADIF upload 
if you were logged into an https:// server?  Probably.  However, 
by placing the certificate on the user's computer and using it 
to "sign" the ADIF before uploading, you now don't even need 
to log in to upload data ... a DX station without access to the 
internet can sign an ADIF file and put it on a disk for someone 
else to upload or e-mail (snail mail to a QSL manager).  

The current system is actually MORE flexible and MORE user-
friendly than the typical bank/broker or other e-commerce site. 
What you see with your bank/broker is equivalent to entering 
one QSO at a time with LotW.      

73, 

   ... Joe, W4TV

More information about the CQ-Contest mailing list