Re: [Fed-Talk] [EXTERNAL] ATO for Notarization?
- Subject: Re: [Fed-Talk] [EXTERNAL] ATO for Notarization?
- From: Jonathan Hess via Fed-talk <email@hidden>
- Date: Fri, 19 Jul 2019 11:39:42 -0700
Ya, analogies often have issues. So let's skip the analogy.
Here is my question:
Assume a US government entity actually has Apple hardware on a classified
network. Now assume a contractor makes a classified app for Apple hardware for
some US government entity. Will that application work on Apple hardware on any
appropriate government classified network?
If the answer is yes because it gets notarized, then the next question is how
is it going to get notarized -- the contractor cannot send the app to Apple.
If the answer is yes because it is in the same "enterprise," how is that? A
contractor developer's signing of the app would be for the "contractor"
enterprise -- this is not the same as the "government" enterprise or
enterprises.
Some contractors may provide source for the government to compile and sign
(with a developer cert) but some may not.
So... how is this supposed to work?
> On Jul 19, 2019, at 10:39 AM, Ken Hornstein via Fed-talk
> <email@hidden> wrote:
>
>> Asking developers to send their apps to Apple for review is like Apple
>> asking end users to send their personal data through Apple if they wish
>> to send it to other users.
>
> I do not think that's a valid analogy.
>
> As I understand it the notarization service gets the binary application
> (only once, submitted by the developer), it scans the binary for
> anything malicious, and then you get your notarization ticket back
> (I'm assuming it's some kind of cryptographic signature). It wouldn't
> surprise me at all if Apple kept a copy of the binary around to scan it
> in the future for newly discovered malicious code so it could revoke the
> notarization ticket later.
>
> But the application is the same application you are distributing to all
> of your users; if you distribute your application on a public website
> then Apple's not getting anything that's not available to the entire
> Internet. If you distribute your application within a smaller community,
> such as your enterprise or to only a few users then I can understand
> why you might have a concern on what Apple is doing with your application,
> but again, all they're getting is the same application binary that is
> shared within your user community. It's NOWHERE NEAR the same as if
> Apple was requiring end users to send personal data through Apple.
>
> --Ken
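An added example, not part of this thread and not written by either poster: a small POSIX shell helper an administrator could use on a disconnected Mac to tell whether a build carries a stapled notarization ticket and how Gatekeeper classifies it. It assumes the macOS tools `spctl`, `codesign` and `xcrun stapler` are present when run on a Mac; the sample `spctl` outputs below are constructed for offline testing, and the team identifier in them is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): classify the verdict that
# `spctl --assess` prints, so an admin can distinguish a notarized build
# from one that is merely Developer ID-signed, or rejected outright.
# Assumption: spctl/xcrun are only available on macOS; the sample outputs
# at the bottom are constructed so the classifier can be exercised anywhere.

# classify_spctl reads `spctl -a -vv -t execute APP` output on stdin and
# prints one of: rejected, notarized, signed-unnotarized, unknown.
# "rejected" is checked first because newer macOS reports an unnotarized
# Developer ID app as rejected; "source=Notarized Developer ID" only
# appears for a ticket Apple issued (stapled or fetched).
classify_spctl() {
  out=$(cat)
  case "$out" in
    *"rejected"*)                         echo rejected ;;
    *"source=Notarized Developer ID"*)    echo notarized ;;
    *"accepted"*)                         echo signed-unnotarized ;;
    *)                                    echo unknown ;;
  esac
}

# check_app APP_PATH: run the real tools on a Mac and print a one-line
# verdict. A stapled ticket is what lets Gatekeeper validate the app
# without reaching Apple's servers, which matters on an isolated network.
check_app() {
  app=$1
  if ! command -v spctl >/dev/null 2>&1; then
    echo "spctl not available (not macOS)" >&2
    return 2
  fi
  # codesign --verify confirms the signature itself is intact
  codesign --verify --deep --strict "$app" 2>/dev/null && sig=valid || sig=invalid
  # stapler validate succeeds only when a ticket is attached to the bundle
  xcrun stapler validate "$app" >/dev/null 2>&1 && stapled=yes || stapled=no
  verdict=$(spctl -a -vv -t execute "$app" 2>&1 | classify_spctl)
  echo "$app: signature=$sig gatekeeper=$verdict stapled-ticket=$stapled"
}

# Constructed sample outputs (placeholder team id, not a real identifier).
SAMPLE_NOTARIZED='/Applications/Sample.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (TEAMID0000)'
SAMPLE_SIGNED='/Applications/Sample.app: accepted
source=Developer ID
origin=Developer ID Application: Example Corp (TEAMID0000)'
SAMPLE_REJECTED='/Applications/Sample.app: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Example Corp (TEAMID0000)'

# Usage: ./check_notarization.sh /Applications/Sample.app
if [ $# -gt 0 ]; then
  check_app "$1"
fi
```

The classifier is deliberately kept separate from the tool invocation so it can be exercised with captured output; on a real Mac, `check_app` combines signature validity, the Gatekeeper verdict and the presence of a stapled ticket in one line.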
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden