Comment by habosa
4 years ago
Ok so let's say you actually want Apple to do this kind of security for you (I don't, but let's say).
Currently they do a synchronous check before you launch any binary.
Why don't they instead just log every binary signature and check them async on some regular schedule? Strict mode could be blocking the FIRST execution of a binary signature and after that you only recheck if that signature has been revoked on some regular interval.
There's absolutely no good reason why an app which I've run 100 times needs to phone home before running the 101st time.
This is already how it works. After the first check the result is cached and then it can verify locally.
This is how it worked. The point of the tweet and others' experience is that this is now happening for apps that have already been launched plenty of times before. This is why nothing other than Apple's programs would launch during the short time that the OCSP was down.
> this is now happening for apps that have already been launched plenty of times before.
Have they launched the same executable before, though?
I have a lot of automatic updates. I doubt week-to-week, or even day-to-day, the signatures of the programs I run are the same.
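The policy habosa proposes (block on the first execution of a given code signature, launch later runs from a local cache, and re-verify revocation asynchronously on a schedule) and the follow-up point that an auto-updated executable is a new signature and so triggers a fresh first-launch check can be modelled in a few dozen lines. The block below is an added illustration written for this page; it is not Apple's code and makes no claim about how macOS actually implements its checks. `FakeResponder`, `LaunchGate`, `RECHECK_INTERVAL` and the sample "binaries" are all constructed for the example, and the responder can be switched "down" to exercise the outage case the thread describes.

```python
"""Toy model of the launch-gating policy proposed in the thread: a blocking
check on the FIRST execution of a signature, cached verdicts afterwards, and
asynchronous re-validation on a fixed interval. Added illustration only; the
responder is a constructed stand-in, not a real OCSP client."""
from __future__ import annotations

import hashlib
import time
from dataclasses import dataclass, field

RECHECK_INTERVAL = 24 * 3600  # assumed: seconds between background re-checks


@dataclass
class FakeResponder:
    """Constructed stand-in for a revocation service (OCSP-like)."""
    revoked: set = field(default_factory=set)
    down: bool = False
    queries: int = 0

    def status(self, sig_id: str) -> str:
        self.queries += 1
        if self.down:
            raise ConnectionError("responder unreachable")
        return "revoked" if sig_id in self.revoked else "good"


@dataclass
class CacheEntry:
    verdict: str       # "good" or "revoked"
    checked_at: float  # time of the last successful responder answer


class LaunchGate:
    def __init__(self, responder: FakeResponder, now=time.time):
        self.ocsp = responder
        self.now = now
        self.cache: dict[str, CacheEntry] = {}
        self.pending_rechecks: list[str] = []

    @staticmethod
    def sig_id(binary: bytes) -> str:
        # Identify the executable by a hash of its contents: any update yields
        # a new id, and therefore a new blocking first-launch check.
        return hashlib.sha256(binary).hexdigest()

    def may_launch(self, binary: bytes) -> bool:
        sid = self.sig_id(binary)
        entry = self.cache.get(sid)
        if entry is None:
            # First execution: synchronous check. An unreachable responder
            # fails closed for signatures we have never verified.
            try:
                verdict = self.ocsp.status(sid)
            except ConnectionError:
                return False
            self.cache[sid] = CacheEntry(verdict, self.now())
            return verdict == "good"
        # Seen before: answer from the cache with no network I/O, and queue an
        # asynchronous re-check once the cached verdict is older than the interval.
        stale = self.now() - entry.checked_at > RECHECK_INTERVAL
        if stale and sid not in self.pending_rechecks:
            self.pending_rechecks.append(sid)
        return entry.verdict == "good"

    def run_background_rechecks(self) -> int:
        """Drain the re-check queue; an outage leaves cached verdicts untouched."""
        done = 0
        while self.pending_rechecks:
            sid = self.pending_rechecks.pop()
            try:
                verdict = self.ocsp.status(sid)
            except ConnectionError:
                self.pending_rechecks.append(sid)  # retry on the next run
                break
            self.cache[sid] = CacheEntry(verdict, self.now())
            done += 1
        return done


def demo() -> dict:
    """Walk through the scenarios discussed in the thread and return the outcomes."""
    clock = [0.0]
    ocsp = FakeResponder()
    gate = LaunchGate(ocsp, now=lambda: clock[0])
    app_v1 = b"#!/bin/sh\necho app v1\n"  # constructed sample binaries
    app_v2 = b"#!/bin/sh\necho app v2\n"

    out = {}
    out["first"] = gate.may_launch(app_v1)            # blocking check (1 query)
    out["cached"] = gate.may_launch(app_v1)           # no network needed
    ocsp.down = True
    out["during_outage"] = gate.may_launch(app_v1)    # cached app still launches
    out["new_during_outage"] = gate.may_launch(app_v2)  # never verified: blocked
    ocsp.down = False
    clock[0] = RECHECK_INTERVAL + 1                   # cached verdict is now stale
    out["stale_launch"] = gate.may_launch(app_v1)     # launches, queues re-check
    ocsp.revoked.add(LaunchGate.sig_id(app_v1))       # signature revoked meanwhile
    out["rechecks_done"] = gate.run_background_rechecks()
    out["after_revocation"] = gate.may_launch(app_v1)  # cache now says revoked
    out["updated_app"] = gate.may_launch(app_v2)      # new hash: fresh first check
    out["queries"] = ocsp.queries
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The walk-through shows the two trade-offs the thread circles around: a cached signature keeps launching through a responder outage, while a never-verified one does not, and an update changes the hash, so a frequently updated app pays the blocking check again even if "the same app" has run many times before.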