[EAS] FCC versus FEMA authority to require digital signatures
Sean Donelan
sean at donelan.com
Thu Apr 29 16:09:45 CDT 2021
While it is correct, FCC does not mandate alert originators use digital
signatures; the FEMA IPAWS system rejects unsigned CAP messages from
alerting authorities
Warn.PBS.ORG passes through the CAP signature as part of its national
over-the-air digital subchannel. WEA/CMAC messages are a little weird, and
validated through their own private channel.
This may just be one of those weird inter-agency authority issues.
FCC doesn't regulate government Alerting Authorities. FEMA doesn't
regulate industry Alert Disseminators. As joint managers, FCC and FEMA
should coordinate with each other, and their respective stakeholders.
The practical effect, outside of lab testing which you should know what
you are doing, IPAWS CAP messages are always signed since 2019.
The CAP digital signature does not validate the linked audio file.
Extremely small risk. I can exploit it in a lab setting, but very
difficult to exploit in the real world. But its one of those unfinished
things, i.e. how are EANs streamed?
More information about the EAS
mailing list