[lifty]

I agree that app signing is good, but I disagree that we have to give in and accept the potential risks of fully trusting Apple. I think there is a practical middle way that protects non-technical users without usurping their privacy, and also a way to give same extra control to power users. I think it's fairly straightforward:

- instead of OCSP use CRLs or a better technique that allows MacOS to verify locally if a certificate is valid. This would preserve user privacy and wouldn't risk slowing down the user's computer in case things go wrong. It would also introduce slightly bigger risk because of the increase in the validity window, but I think that's a price worth paying. Regarding the size of the CRL's, there should be some cryptographic techniques like accumulators, bloom filters etc. that could improve the size.

- allow power users to add separate trust anchors in cases where they deem appropriate. The same way you go to Control Center to allow an app that was downloaded from the Internet to run, you could also be allowed to add another certificate from a developer you trust.

I think these 2 improvements could go a long way in restoring goodwill for Apple.

[gastonc]

It all comes down to configuration/choice. Its not bad to have OSCP to improve security, but there should be a simple way to turn it off (without those /etc/hosts or similar hacks).

[lifty]

But I don't want to turn it off. I want to benefit from checking the revocation list without sending my data to Apple on every app start, even if I am vulnerable for a few hours, until my computer syncs the revocation list. I want a middle way, not an ON or OFF button.

[ArchOversight]

As this article here: https://blog.jacopo.io/en/post/apple-ocsp/ showcases, Apple doesn't send "my data" on every app start.

It sends a hash of the certificate in use to Apple, which happens to be an Apple certificate that is used to sign many applications running on your system.

None of your data is being sent to Apple.

[xvector]

Mapping developer certificates to apps is trivial. If you’re launching a Guardian Project app, for example, it’s almost certainly Tor.

Given the presence of the NSA and their ability to send NSLs or FISA warrants, this information should not be hitting the Apple network. A CRL would have been a perfectly acceptable solution.

[pseudalopex]

Even the fact that I opened an app is my data.

Responses were cached for 5 minutes.[1] That's effectively checking every time.

[1] https://news.ycombinator.com/item?id=25096307

[lifty]

So it’s slightly less worse than sending the hash of the app. Still very bad. And as I said previously, depending on a network call to start any app is not ideal.