Can Apple Protect its Code-signing Key
Added 2016-03-02 17:18:55 +0000 UTC
Just a heads-up that I wrote a breakdown about what the top security experts are saying about Apple's ability to protect its code-signing key.
http://www.dailytechnewsshow.com/the-risk-to-apples-code-signing-key/
Hope it sheds some light on things for you.
Comments
2016-03-14 17:26:55 +0000 UTC
I hate to be that guy, but I can't help my OCD tendencies. Its code-signing key, not It is code-signing key. I know, I know, I'm a terrible person...
lewis butler
2016-03-14 17:26:19 +0000 UTC
I find it interesting how Android is "keeping quiet" in the battle. Android has no such default level of security and also has a little-discussed feature called "stealth mode". The feature in the code allows easy side-loading or corporate injection of "secret" invisible apps for logging, tracking, and other nefarious purposes. I learned of this via a podcast on security and stalking and have been following the story ever since. As someone who is very much a critic of Android, I am also troubled by the simple fact that Apple appears to be the only (?) company taking a stand for me and my privacy. Blackberry hands over data frequently now, Android is not secure unless you go to extraordinary measures, and even the infosec black phones fell in 2015. Don't even get me started on the SSL/encryption environment, where dotgov meddles and the projects are a giant lump of unsustainable code allowing bugs to exist for decades. I applaud Apple, but think the key point of debate is the wedge dotgov is trying to place between physical and virtual. I see no difference between my Moleskin notepad and my iPhone/device insofar as privacy is concerned. Dotgov is very ready to declare, and continues the battle making claims, that digital privacy is not a real thing. Very troubling, and this is where we should make our stand. Tom, your insight is very good and I appreciate your work.
irlmarc
2016-03-02 18:50:53 +0000 UTC
Thanks for the heads up. Something I wrote it in decided I wanted smart quotes for my links. Not smart. Fixed now!
Daily Tech News Show
2016-03-02 17:51:44 +0000 UTC
@Kevin: The security behind the private key seems to be something most PKI implementations don't want to discuss. Even Let's Encrypt is a little hand-wavy about how they protect their private key.
Brandon LeBlanc
2016-03-02 17:33:39 +0000 UTC
Great write-up. The monetary value of Apple's private key shouldn't be underestimated. It has to be a very sought-after target. Do you know if they use different keys for different versions of iOS? I wonder what safeguards Apple (or any other major company) has in place to protect their private keys from rogue employees.
Kevin Douglas
2016-03-02 17:29:00 +0000 UTC
Great write-up Tom! The Zdziarski link is broken (improperly quoted, escaped, or something). Edit: It appears all the links in that article are broken.
Brandon LeBlanc
2016-03-02 17:28:25 +0000 UTC