Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Ok, I think you're referring to this:

> Specifically, the user’s device will wrap its request payload key only to the public keys of those PCC nodes whose attested measurements match a software release in the public transparency log.

But what’s stopping Apple from returning a node which lies about its “attested measurements” (possibly even to a specific user)? Whats to prevent any old machine, not running the TPM at all, from receiving a certificate?

I get that “the process is further monitored by a third-party observer not affiliated with Apple”, but I don’t know where I read their report, or even if they are still paid by Apple, so this feels like a trust-based proof.



Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: