<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">On Nov 6, 2014, at 8:09 AM, Mike Hearn &lt;<a href="mailto:mike@plan99.net">mike@plan99.net</a>&gt; wrote:<div><br><div><blockquote type="cite"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">Alright, let me clarify my statement a little bit - iMessages meets (1) assuming you decide to actually use it in that way, and I think it's reasonable to assume that people understand "backing up my messages to Apple" means Apple gets to read them. I'd be surprised if that caused real users any confusion.</div></div></div></blockquote><div><br></div>I don't have an iPhone I can test this on; can anyone corroborate this?</div><div><br></div><div>My recollection is that during the setup Apple doesn't tell users that by choosing to use iCloud their messages will be readable to Apple (and anyone with access to Apple).</div><div><br></div><div><blockquote type="cite"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">I don't think an app should be dinged for not being fully end to end out of the box</div></div></div></blockquote><div><br></div>If the statement being made is that it is "fully end to end" (Apple is claiming this), then it seems reasonable to ding them on it.</div><div><br></div><div><blockquote type="cite"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">If resistance against malicious providers giving you bogus software is a requirement to be considered end to end then no such technology has ever been successfully deployed</div></div></div></blockquote><div><br></div>That seems like a different bar to me, and it's not the bar I'm holding Apple to.</div><div><br></div><div>I think the most that can possibly be expected here is that the source is open and that the binaries are signed by the developer who authored
them.</div><div><br></div><div>If we consider that, then we actually have several real-world examples:</div><div><br></div><div>- All open software that uses Sparkle: <a href="http://sparkle-project.org">http://sparkle-project.org</a></div><div>- Mozilla Firefox add-ons</div><div>- Possibly Chrome add-ons (would need to double-check)</div><div><br></div><div>These bits of software are bundled with the public key of the individual vendor, and software updates are signed by the vendor themselves. So if you trust the author of the software to not be malicious (and in the case of open source software, there is good reason to), then this seems reasonable and sufficient to me. But Apple isn't doing this either.</div><div><br></div><div>Kind regards,</div><div>Greg Slepak</div><div><div>
<br class="Apple-interchange-newline"><span>--</span><br><span>Please do not email me anything that you are not comfortable also sharing with the NSA.</span>
</div>
<br></div></div></body></html>