Re: Peer-to-peer SSL/TLS best practices/strategy
Re: Peer-to-peer SSL/TLS best practices/strategy
- Subject: Re: Peer-to-peer SSL/TLS best practices/strategy
- From: Jens Alfke <email@hidden>
- Date: Wed, 12 Dec 2012 15:48:53 -0800
On Dec 12, 2012, at 2:30 PM, John Pannell < email@hidden> wrote: Q: What do I embed in the app, and how do I package it? Do I put both the cert and the private key in a .p12 file and keep it in the app bundle?
Never embed a private key in an app. The app bundle is not private; it’s quite easy to poke around inside and extract files, even of iOS apps.
As Quinn said, every instance of the app has to have its own unique key-pair, so it has to be created a runtime.
In addition to the hybrid approach Quinn suggested (which isn’t fully P2P), you can also generate a key-pair in the app itself using the Security framework APIs, probably on the app's first launch. The private key will end up securely stored in the device Keychain where it’s not feasible to extract it. The issue then is establishing identity and trust, since another peer encountering the app’s cert for the first time will have no way to know who it is. (The advantage of Quinn’s approach is that you have a centralized server that the app can put trust in.)
—Jens |
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macnetworkprog mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden