Comment by gruez
4 years ago
Most OSCP implementations fail-open, not fail-closed. I get the benefits of having it fail-closed, but it should be opt in, because having an always-online requirement for using a mac is ridiculous.
4 years ago
Most OSCP implementations fail-open, not fail-closed. I get the benefits of having it fail-closed, but it should be opt in, because having an always-online requirement for using a mac is ridiculous.
If your Mac is unambiguously offline it fails open. What it's handling poorly is the fail-slow case.
Ugh. IMO the network should not be on the critical path to running an executable.
Most browser vendors agree because they all stopped checking CRLs (like they technically should) when verifying certs.
I don’t think the design is wrong, I just think it’s tuned a little too cautious. If you’re going to verify certs then checking the CRL is something you really should do before approval. And you can’t sync the database entirely because it’s too big.
There really aren’t any good solutions to this unless you can solve the cache invalidation problem.
The OP literally says if you disallow connection or unplug the intenret it does fail open.
I think it's probably an unintended bug that this failure mode was fail-closed.
The costs of this unintended bug are going to be huge to Apple's reputation, as demonstrated in this whole HN thread, where many assuming what's going on is even WORSE than it really is.
(Personally I think having signed certs (with opt-in ability to run unsigned apps, as MacOS has) is fine. And fail-open OSCP revocation check is also fine-ish, although it would annoy me if it's making it slower to launch apps on the regular. The problem here is a bug, not one of design. But most of this thread is assuming Apple was doing something different than this. Of course, how often a company produces fairly catastrophic bugs is also on them).