
But you can know whether a CRL is valid, provided Apple's own CA hasn't been compromised. If Apple were to issue a complete CRL every 6 hours or so, then man-in-the-middle filtering won't work since clients can simply not trust any new signatures until they have seen the current CRL.

So the man-in-the-middle attack can keep the client ignorant of the contents of the CRL, but can't trick the client into believing a revoked certificate has not been revoked.

SSL is a red herring here, since we care about authenticity, not privacy.
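The fail-closed scheme sketched in the comment above, as an added example that is not part of the original thread: a CA issues a complete, signed CRL with a timestamp; a client trusts a new signature only if it holds a CRL that verifies and is under 6 hours old and does not list the signing certificate. An HMAC key stands in for the CA's signing key here (an assumption so the example runs on the standard library alone; a real CRL carries an asymmetric signature checked with the CA's public key, and the property relied on is the same: nobody without the CA key can produce a valid one). The serial numbers, timestamps and key are constructed.

```python
import hashlib
import hmac
import json

# The comment's proposal: a complete, signed CRL every 6 hours, and clients
# refuse to trust new signatures until they hold a CRL no older than that.
CRL_MAX_AGE_SECONDS = 6 * 3600

# Assumption: an HMAC key stands in for the CA's signing key. A real CRL is
# verified with the CA's public key; the attacker lacks the private key either way.
CA_KEY = b"constructed-example-ca-key"


def _sign(body: bytes) -> str:
    return hmac.new(CA_KEY, body, hashlib.sha256).hexdigest()


def issue_crl(revoked_serials, issued_at):
    """CA side: a complete CRL (every revoked serial) with an issue timestamp."""
    body = json.dumps(
        {"issued_at": issued_at, "revoked": sorted(revoked_serials)},
        sort_keys=True,
    ).encode()
    return {"body": body, "sig": _sign(body)}


def mitm_strip_serial(crl, serial):
    """Attacker side: rewrite the CRL to un-revoke a serial. The attacker has no
    CA key, so the original signature is carried over unchanged."""
    parsed = json.loads(crl["body"])
    parsed["revoked"] = [s for s in parsed["revoked"] if s != serial]
    return {"body": json.dumps(parsed, sort_keys=True).encode(), "sig": crl["sig"]}


def check_crl(crl, now):
    """Client side. Returns (revoked_set, None) on success or (None, reason)."""
    if crl is None:
        return None, "no CRL"            # withheld entirely by the MITM
    if not hmac.compare_digest(_sign(crl["body"]), crl["sig"]):
        return None, "bad signature"     # forged or tampered in transit
    parsed = json.loads(crl["body"])
    if now - parsed["issued_at"] > CRL_MAX_AGE_SECONDS:
        return None, "stale CRL"         # newer issues are being blocked
    return set(parsed["revoked"]), None


def accept_signature(cert_serial, crl, now):
    """Fail closed: a new signature is trusted only with a fresh, authentic CRL
    that does not list the signing certificate's serial."""
    revoked, reason = check_crl(crl, now)
    if reason is not None:
        return False, reason
    if cert_serial in revoked:
        return False, "revoked"
    return True, "ok"


if __name__ == "__main__":
    now = 1_700_000_000                          # constructed "current time"
    fresh = issue_crl({"1234"}, now - 3600)      # issued one hour ago
    stale = issue_crl({"1234"}, now - 7 * 3600)  # last CRL the MITM let through
    tampered = mitm_strip_serial(fresh, "1234")  # MITM tries to un-revoke 1234
    print(accept_signature("9999", fresh, now))     # (True, 'ok')
    print(accept_signature("1234", fresh, now))     # (False, 'revoked')
    print(accept_signature("9999", stale, now))     # (False, 'stale CRL')
    print(accept_signature("1234", tampered, now))  # (False, 'bad signature')
    print(accept_signature("9999", None, now))      # (False, 'no CRL')
```

The stale and missing-CRL cases show the trade-off the comment accepts: the attacker can deny service by withholding the CRL, but cannot get a revoked certificate accepted, because the only way to do that is to present a CRL that verifies under the CA key.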



Also...

  > provided Apple's own CA hasn't been compromised
We've been seeing this happen a lot lately, so that's a big assumption.


I was mostly commenting on the first paragraph in relation to the web, not specifically about Apple using certificates.



