Please re-read what I wrote. I posited that killing an app's cert is equivalent, in terms of the majority of users, to removing an iOS app from the store. And they have removed apps for all sorts of reasons, so there is significant enough of an *equivalent* precedent here to be concerning.
I understand what you’re saying; you are claiming absent the editorial approval on the iOS/Mac App Store, Apple will use a security feature for de-facto editorial control/censorship. But that conclusion requires a leap in logic, i.e. the slippery slope fallacy, as there is no precedent on the iOS App Store for Apple utilizing a security feature to exert editorial control. In fact the opposite is true, consider Apps that have been pulled from the App store for copyright or TOS violations. Apple has the legal right and technical capability to remove those Apps from a users device, but they haven’t.
Beyond the leap in logic though there are far more practical issues. Signed certificates operate on trust, at their most basic level developers trust Apple, users trust Apple, therefore a user can trust any developer Apple trusts. If Apple breaks that trust with the developer community then the whole concept of GateKeeper is ruined. Developers will simply drop the certificate program or the Mac platform altogether. Those developers who choose to stay will have step-by-step instructions on their web site detailing how customers can change their security settings, just like today when an App requires a little more than a simple DMG. The very existence of the MacDefender tojan is evidence users are willing to circumvent security for something they think they want.
Apple doesn't need to revoke the cert; they just need to flag it in their database. I don't know how Gatekeeper manages certs, but I assume it keeps a local database of valid certs, and then phones home to Apple every so often to make sure none of them have become invalid. So, in my 3rd party example, they'd only need to flag a cert in their database and it would be just as blackballed as if they had revoked their own cert.
Yes they do, certificate revocation is an essential feature of signed certificates, without it you might as well just have developers submit checksum data and some sort of UNID. Without revocation certificates are susceptible to man-in-the-middle attacks. Without revocation privileges, the trusted third party (Apple) has no power and by definition cannot be trusted.
Beyond eliminating a fundamental requirement of signed certificates, introducing a fourth party adds an additional and unnecessary layer of insecurity. As I detailed above developers trust Apple, users trust Apple so users trust the developers Apple trust. In your scenario that agreement changes, Apple would in essence be saying “Trust me, I trust this CA and they trust the developer.” That’s skeptical just based on degrees of separation. Even more troubling though is it hands a critical amount of power to a fourth party. How can Apple know the CA is going to be in business next year or their servers online to verify certifications? How do they know there aren’t nefarious individuals working there, or their security has been compromised? And before you say those are flights of fancy, look at Comodo, just last year they were seriously compromised and false certificates were issued for google.com and mozilla.com
Take a look at the conclusion a Tor contributor drew from the Comodo attack:
The browsers chose a user privacy invasive stance without the user protecting security properties. They did this because they claim that CAs are unable to provide working OCSP/CRL systems for request handling. This is a fair claim if true but it must not stand any longer. If the CA cannot provide even a basic level of revocation, it's clearly irresponsible to ship that CA root in a browser. Browsers should give insecure CA keys an Internet Death Sentence rather than expose the users of the browsers to known problems.
(emphasis mine)
https://blog.torproject.org/blog/de...thority-compromises-and-web-browser-collusion
Bottom line when dealing with security the fewer people you have to trust the more secure you are.
