- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Mon, 18 Nov 2013 00:18:39 +0100
- To: Mike Belshe <mike@belshe.com>
- Cc: httpbis mailing list <ietf-http-wg@w3.org>
* Mike Belshe wrote:
>And I'm pointing out that Apple does exactly this for a very large
>population of developers. I believe wholeheartedly that if 1M app
>developers can figure out how to get and maintain a cert, so can 1M website
>creators. You have to admit that the top-1M websites and the top-1M apps
>have a very high overlap too. :-)

Is it necessary to install these Apple developer certificates online on a shared hosting system? Do these certificates get revoked when a local user privilege escalation vulnerability is discovered in the operating system used? What happens when malware is discovered that is designed to exfiltrate these certificates from developer machines or servers?

Not being able to make apps for computer systems with below 10% market share is not a great loss, but once web browsers no longer connect to insecure sites for security reasons, where would dissident groups get their certificates from? Where would I get one from if I want to intercept what Example Browser is sending to example.com?

--
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Sunday, 17 November 2013 23:19:09 UTC