by szc
3130 days ago
I designed and implemented quite a lot of the LocalKDC mechanism, roughly 11-12 years ago now, I think. At the time it was based on the MIT version of Kerberos. When Apple switched to using Heimdal, the LocalKDC implementation was updated, and it has been maintained since then; I am no longer the maintainer of this software. I haven't cashed out. As to why the LocalKDC exists: how can you do secure peer-to-peer authentication without relying on some sort of global (and broken) or private PKI infrastructure? SRP wasn't an option at the time. I am sorry you are upset. Apple is really, really serious about protecting customer data. I encourage reading the Apple iOS Security Guide; it describes the hardware and software techniques used to protect your data. There is also the 2016 Black Hat presentation by Ivan Krstic that gives more insight into the Secure Enclave.

I had a really bad day yesterday... my customers were freaking out about this particular issue. I recall doing some enterprise Mac rollouts back in the Tiger days, and you'd see a lot of changes as support for things like AD evolved.
Apple has really good communications and documentation around iOS, which comes through in the iOS Security Guide, which is probably one of the best examples of that type of documentation. That hasn't been the case with macOS and its mysterious evolution, which feels pretty capricious from a customer POV at times. At the end of the day, I get paid to turn money + labor into answers to business problems; the Mac has turned into a wildcard for me, which saddens me, as I love the platform.