Right. The idea of re-signing the image is one such protocol.
Re: A valid thought experiment
Date: 2016-02-27 06:28 pm (UTC)
You don't need the handshake/resigning to restore the phone to factory condition. You only need it if you want to restore a good OS image *and* preserve user data. I guess that counts as increased support cost.
-- Alan
I can imagine it's more difficult to design it that way, because what's being discussed is a surprisingly narrow threat model (a "special case").
http://www.nytimes.com/2016/02/25/technology/apple-is-said-to-be-working-on-an-iphone-even-it-cant-hack.html?_r=0
My interpretation is Apple noticed everyone making this specific point. A point people make because it's a direct implication of the more detailed explanations you read in the media. So Apple wanted to have an answer (for the future, obviously not as an argument in the current legal case). This is the only answer I've seen from them: that they're looking at a technical patch for the specific threat model.
It seems like the point you wanted to make is for stronger threat models, closer to http://arstechnica.co.uk/security/2016/02/most-software-already-has-a-golden-key-backdoor-its-called-auto-update/. [Not that I understand much apart from the title in that article; I just think that's a relevant point to discuss.]
In this case I still don't think it helps to re-sign Apple images. They'd have to be public images (à la TLS Certificate Transparency) that we know are safe, e.g. reproducible builds of source code which is subject to independent scrutiny. IOW you need an open source OS.
Thus the evil nature of locking owners out from controlling their hardware. Preventing open source system software from being developed, because that doesn't match their real goals. Which is what you wrote, but I found it hard to work out as written, and whether we're actually disagreeing on anything.