by _qulr
2051 days ago

> If a web cert gets revoked a browser won't accept it when making a connection to a domain/server anymore even if they previously did

The difference is that you can just get a new web cert, install it on the server, and you're good to go for https. On the other hand, getting a new Developer ID cert doesn't help at all to make the app start running again. You can sign new versions of the app with the new cert, but the installed versions of the app signed with the revoked cert are still dead as a doornail, which is no good at all for your existing user base.

> The main and basically almost only reason where I see developer side revocation be used is if their keys or account have been (possibly) compromised and therefore there's a chance of it being used for malware.

It's not clear that this ever happens. I discussed the case of Panic in the blog post. Their private key was possibly compromised, but Apple did not revoke their cert! The old cert is still valid, and so are the old versions of their apps. Apple apparently has a more limited way of disabling apps, based on the secure timestamp of the code signature.