Comment by conradev

5 hours ago

Attesting that a closed source device meets arbitrary closed source standards is a necessary evil.

One real world problem is that some existing systems are built relying on the integrity of the components within, i.e. BART in the Bay Area relies on the BART cards being honest and secure. If iPhones are to be allowed into the system, they also have to be honest and secure.

The capability is being over-used and abused, and we should design systems to never need it, but some do.

> If iPhones are to be allowed into the system, they also have to be honest and secure.

This describes a 1:1, total-trust relationship. There are other types of systems fulfilling the requirements without needing a 1:1, total-trust relationship.

For example, the main requirements here are: the account succeeds at making requests it is allowed to make, and the account fails at making requests it is not allowed to make. Both those requirements can be fulfilled entirely server-side, and should be. Why require the client to be locked down?

  • > Why require the client to be locked down?

    It is hard and likely expensive to require every single reader in every single city to be networked:

    > Because Clipper operates in multiple geographical areas with sporadic or non-existent internet access, the fare collection and verification technology needs to operate without any networking. To accomplish this, the Clipper card memory keeps track of balance on the card, fares paid, and trip history.

    https://en.wikipedia.org/wiki/Clipper_card#Technology
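The two positions in this exchange, "enforce it server-side" versus "the readers are offline, so the card carries the balance", can be made concrete with a small model. The following is an added example, not code from the thread and not a description of how Clipper or BART actually work: it assumes a hypothetical stored-value design in which the card holds a balance and a transaction counter under an HMAC, every reader holds the same constructed verification key, and readers have no network link. It shows what an offline reader can detect on its own (a modified balance, a stale record it has seen before) and what it cannot (a genuine but stale record presented at a reader with no history), which is the gap that has to be closed by the card itself being tamper-resistant, or by readers eventually syncing counters.

```python
import hashlib
import hmac
import struct

# Constructed key for the example; a deployment would provision it into
# tamper-resistant reader hardware rather than hard-code it.
READER_KEY = b"constructed-demo-key-not-for-real-use"

# Card record layout: balance in cents (uint32), transaction counter (uint64).
RECORD_FMT = ">IQ"


def record_mac(card_id, balance, counter):
    """HMAC over the card id and the packed balance/counter fields."""
    payload = card_id + struct.pack(RECORD_FMT, balance, counter)
    return hmac.new(READER_KEY, payload, hashlib.sha256).digest()


def issue_card(card_id, balance):
    """Issuer side: a fresh, authenticated record written to the card."""
    return {"id": card_id, "balance": balance, "counter": 0,
            "mac": record_mac(card_id, balance, 0)}


class OfflineReader:
    """A gate reader with no network link. It can check only what the card
    presents plus the history it has accumulated itself."""

    def __init__(self):
        self.last_counter = {}  # card id -> highest counter this reader wrote

    def charge(self, record, fare):
        """Return (accepted, reason, updated_record); never mutates the input."""
        expected = record_mac(record["id"], record["balance"], record["counter"])
        if not hmac.compare_digest(expected, record["mac"]):
            return False, "integrity failure: balance or counter altered", None
        if record["counter"] < self.last_counter.get(record["id"], 0):
            return False, "rollback: record older than this reader last wrote", None
        if record["balance"] < fare:
            return False, "insufficient balance", None
        balance, counter = record["balance"] - fare, record["counter"] + 1
        self.last_counter[record["id"]] = counter
        updated = {"id": record["id"], "balance": balance, "counter": counter,
                   "mac": record_mac(record["id"], balance, counter)}
        return True, "ok", updated


def demo():
    """Walk through one honest charge, one forged balance and one stale record."""
    reader_a, reader_b = OfflineReader(), OfflineReader()
    issued = issue_card(b"card-0001", 1000)              # $10.00, counter 0

    ok, _, card = reader_a.charge(issued, 250)           # honest tap: 750 left
    forged = dict(card, balance=999999)                  # MAC no longer matches
    forged_ok, _, _ = reader_a.charge(forged, 250)
    # The original issued record is genuine but stale (counter 0):
    stale_same_ok, _, _ = reader_a.charge(issued, 250)   # reader A remembers counter 1
    stale_other_ok, _, _ = reader_b.charge(issued, 250)  # reader B has no history
    return {
        "charge_ok": ok,
        "balance_after": card["balance"],
        "forged_ok": forged_ok,
        "stale_same_reader_ok": stale_same_ok,
        "stale_other_reader_ok": stale_other_ok,
    }


if __name__ == "__main__":
    print(demo())
```

The MAC answers the "modified balance" case entirely in the reader, so an offline design is not hopeless. The last line of `demo` is the point of the thread: a record that is authentic but old passes at any reader that has not seen the card before, because nothing in the record says it has been superseded. Closing that gap is exactly where "the card has to be honest and secure" comes from in a stored-value system, whereas an account-based design with networked readers keeps the balance and the counter on the server and needs no trust in the card at all.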