Re: [Fed-Talk] [EXTERNAL] ATO for Notarization?
- Subject: Re: [Fed-Talk] [EXTERNAL] ATO for Notarization?
- From: "Blumenthal, Uri - 0553 - MITLL via Fed-talk" <email@hidden>
- Date: Fri, 19 Jul 2019 19:29:13 +0000
- Thread-topic: [Fed-Talk] [EXTERNAL] ATO for Notarization?
On 7/19/19, 3:12 PM, "Noam Bernstein via Fed-talk" <email@hidden> wrote:
> Is there any reason to think you won’t be able to add Gatekeeper exceptions
> (as now achieved by shift-click and selecting Open, or some command line
> equivalent) for un-notarized applications in the future? Docs I’ve seen say
> notarization “will be required by default”, not “will always be required”.
We don't know that, do we?
The concern is that Apple would make it "all or nothing" - either disable the
Gatekeeper altogether, or submit your pockets to inspection. So, if I want to
keep using Apple platforms - I'd have to *lower* my security posture compared
to what it is now, because there's no way I'd be allowed to send my code
(source or binary) to a non-government 3rd party even if I wanted to - which I
don't.
> If you don’t want to ship your application to Apple to notarize, you can’t
> rely on their service (Gatekeeper) to keep you safe.
If you rely on "their service" to keep you safe - I have a very nice bridge for
sale. <half-smile>
But I *do* want the Gatekeeper to intercept unsigned apps and apps with broken
signatures - but I don't want (and am not allowed) to relegate the
responsibility to Apple, or share with Apple our proprietary code.
On our machines, Gatekeeper is configured to honor our internal
(not-Apple-issued) certs. If this is replaced with "notarization", I may have
to change platform. 'would be a pity.