igotu2gpx team mailing list archive

[rew <r.e.wolff@xxxxxxxxxxxx>]

Public bug reported:

For international cross-country paragliding (and hangliding and
sailplane) competitions GPS tracklogs are accepted as "proof" that the
submitter performed the claimed flight.

Ideally the GPS unit has a private key, that it uses to sign the tracks
downloaded. Verification programs will then use the proper publik key to
verify the signature.

In practise lots of GPS units don't have the smarts to do public key
cryptography. So the manufacturer will insert such a cryptographic
signature while downloading from the device. The "downloading program"
then signs that "it's a real track downloaded from a real device", and
that it hasn't been tampered with.

It is tricky to do this in an open source program. But IMHO it's
possible. Of course, the "public binary" must contain the private key to
the signature. The same holds for the public binary of the closed source
downloading programs.

The trick is to have the maintainer enter the private key manually when
generating official binaries. Unofficial binaries will not be able to
verify with the official check program.

** Affects: igotu2gpx
     Importance: Undecided
         Status: New

-- 
Igotu2gpx should sign the tracks it downloads. 
https://bugs.launchpad.net/bugs/397171
You received this bug notification because you are a member of
MobileAction i-gotU USB GPS travel logger Mac/Linux support developers,
which is subscribed to igotu2gpx.

Status in MobileAction i-gotU USB GPS travel logger Mac/Linux support: New

Bug description:
For international cross-country paragliding (and hangliding and sailplane) competitions GPS tracklogs are accepted as "proof" that the submitter performed the claimed flight. 

Ideally the GPS unit has a private key, that it uses to sign the tracks downloaded. Verification programs will then use the proper publik key to verify the signature. 

In practise lots of GPS units don't have the smarts to do public key cryptography. So the manufacturer will insert such a cryptographic signature while downloading from the device. The "downloading program" then signs that "it's a real track downloaded from a real device", and that it hasn't been tampered with. 

It is tricky to do this in an open source program. But IMHO it's possible. Of course, the "public binary" must contain the private key to the signature. The same holds for the public binary of the closed source downloading programs. 

The trick is to have the maintainer enter the private key manually when generating official binaries. Unofficial binaries will not be able to verify with the official check program.