True, but it didn't make much difference, since the reports from the thread showed it had a bizarrely short cache time.
>the server didn't keep any logs
Well, that's the rub isn't, it? Part of privacy-centric design is that you shouldn't have to risk such information being exposed or trust such reassurances; if they don't need the information, they shouldn't get it at all. There are privacy-respecting ways to do what they wanted to, which are also more efficient. For example, periodically update the machine's local revoked cert list, and check signatures against that (as several users recommended).
>etc
Was there anything substantively different from my characterization?
Short retention according to who? That server only? No copies to the NSA? I’m a trust but verify kind of guy and with just the word of Apple I assume somebody is keeping the data and using it in some way.
Agree with such skepticism but what are you replying to there? My comment was saying that it cached the cert check for a bizarrely short time (necessitating frequent network calls), not that the logs were retained for only a short time, which I agree is a bad defense.
True, but it didn't make much difference, since the reports from the thread showed it had a bizarrely short cache time.
>the server didn't keep any logs
Well, that's the rub isn't, it? Part of privacy-centric design is that you shouldn't have to risk such information being exposed or trust such reassurances; if they don't need the information, they shouldn't get it at all. There are privacy-respecting ways to do what they wanted to, which are also more efficient. For example, periodically update the machine's local revoked cert list, and check signatures against that (as several users recommended).
>etc
Was there anything substantively different from my characterization?