On Fri, Jul 3, 2009 at 1:33 PM, Michael Ash<michael....@gmail.com> wrote:
> In addition to what the others have said, you should think seriously
> about how useful obfuscation will be.

There might be an argument here about protecting trade secrets. If you don't defend them, they lose their protected status.

The biggest threat to Ammar's product seems to be an insider attack. "What You Know" security is not going to be useful here, since everyone will have shared access to roughly equivalent knowledge. "Who You Are" level security is going to be tough to implement in this situation. That leaves us with "What You Have."

The best solution might be to have a server process running on a box outside of the user's control, and have the client machines depend on certain functionality provided by the server. You can generate a key for each client, stick it on the client's keychain, and use that to authenticate any messages transferred between the client and server. This gives you the opportunity to revoke a rogue client's key, which will cripple the client since it depends on the server for functionality.

I only recommend this approach if you are providing this software on a licensed, contractual basis. From my ethical perspective, customers of buyout software should not be subject to such treatment.

--Kyle Sluder
_______________________________________________
Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)
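
An added example, not part of the original message or of any project mentioned in it: a server-side sketch of the per-client key scheme described above, where each request carries an HMAC made with the client's key and revoking the key makes later requests fail. The names `Server`, `sign`, `demo`, `MAX_SKEW`, the message layout, and the timestamp and nonce replay checks are assumptions for illustration; storing the key in the client's keychain is not shown.

```python
import hashlib, hmac, secrets, time

MAX_SKEW = 300  # seconds a signed request stays fresh (assumed value)

def sign(key, client_id, timestamp, nonce, body):
    """HMAC-SHA256 over length-prefixed fields, so field boundaries are unambiguous."""
    parts = (client_id.encode(), str(int(timestamp)).encode(), nonce, body)
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

class Server:
    """Hypothetical server side: one secret key per enrolled client."""
    def __init__(self):
        self._keys = {}     # client_id -> key
        self._seen = set()  # (client_id, nonce) pairs already accepted

    def enroll(self, client_id):
        key = secrets.token_bytes(32)
        self._keys[client_id] = key
        return key  # the client would store this in its keychain

    def revoke(self, client_id):
        self._keys.pop(client_id, None)  # later requests from this client fail

    def verify(self, client_id, timestamp, nonce, body, tag, now=None):
        key = self._keys.get(client_id)
        if key is None:
            return False  # unknown or revoked client
        now = time.time() if now is None else now
        if abs(now - timestamp) > MAX_SKEW or (client_id, nonce) in self._seen:
            return False  # stale or replayed request
        if not hmac.compare_digest(sign(key, client_id, timestamp, nonce, body), tag):
            return False  # wrong key or altered message
        self._seen.add((client_id, nonce))
        return True

def demo():
    """Constructed exchange: valid, replayed, altered, then revoked."""
    srv, cid, ts, body = Server(), "client-42", 1_000_000, b'{"op":"export"}'
    key = srv.enroll(cid)
    n1, n2, n3 = (secrets.token_bytes(16) for _ in range(3))
    tag1 = sign(key, cid, ts, n1, body)
    valid = srv.verify(cid, ts, n1, body, tag1, now=ts + 5)
    replayed = srv.verify(cid, ts, n1, body, tag1, now=ts + 6)
    altered = srv.verify(cid, ts, n2, b'{"op":"other"}', sign(key, cid, ts, n2, body), now=ts + 7)
    srv.revoke(cid)
    revoked = srv.verify(cid, ts, n3, body, sign(key, cid, ts, n3, body), now=ts + 8)
    return valid, replayed, altered, revoked

if __name__ == "__main__":
    print(demo())
```

The set of seen nonces grows without bound in this sketch; a real server would expire entries older than `MAX_SKEW`.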