HTTP is specified in the RFC. Only the developer certificate is checked. OCSP is... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		athms on Nov 25, 2020 \| parent \| context \| favorite \| on: macOS has checked app signatures online for over 2... HTTP is specified in the RFC. Only the developer certificate is checked. OCSP is also used by web browsers to check the revocation status of certificates used for HTTPS connections. Apple leveraged OCSP for its Gatekeeper functionality. This is not the same thing as notarization, which is checked over HTTPS. https://blog.jacopo.io/en/post/apple-ocsp/ Perhaps you should learn about OCSP before complaining about its use of HTTP.

samatman on Nov 25, 2020 [–]

Vendors MAY use TLS, and Apple didn't (though they say they'll start).

You might want to read the RFC, rather than a blog post about it, before making such confident pronouncments.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact