wouldn't that be essentially the same as them "blessing" our framework, which is something they were unwilling to do in the first place? From what I remember, that is the entire beef they had -- they didn't want to say that our framework was worthy of an RSL, unless it went through their security review first.
-Nick

On Mon, Feb 20, 2012 at 8:24 AM, Michael A. Labriola <labri...@digitalprimates.net> wrote:

> > more specifically... If attacker succeeds in the above, every app that wants to use the same library version is compromised by that browser cache even after leaving the 'man-in-the-middle' compromised network.
>
> I am not going to hold my breath on this, but the way to avoid this would be to have Adobe host a minimal-sized, signed RSL, that contained our hashes. Then we have the hashes with a level of confidence.
>
> Mike
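The signed-hash idea from the quoted message, sketched as an added example (not code from this thread, the framework, or Adobe): a trusted publisher signs a small manifest of SHA-256 digests with Ed25519, and the client checks library bytes, including ones served from the browser cache, against it before loading. The key pair, manifest layout, file name and sample bytes are all constructed for illustration.

```javascript
// Added example. All names and sample data below are hypothetical/constructed.
const crypto = require('node:crypto');

const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest('hex');

// Publisher side: sign a minimal manifest mapping library name -> SHA-256 digest.
function signManifest(libraries, privateKey) {
  const digests = Object.fromEntries(
    Object.entries(libraries).map(([name, bytes]) => [name, sha256(bytes)]));
  const body = Buffer.from(JSON.stringify(digests));
  return { body, signature: crypto.sign(null, body, privateKey) };
}

// Client side: accept the digests only if the manifest verifies against the
// publisher's pinned public key (shipped with the client, not fetched alongside).
function loadTrustedDigests(manifest, pinnedPublicKey) {
  if (!crypto.verify(null, manifest.body, pinnedPublicKey, manifest.signature)) {
    throw new Error('manifest signature invalid');
  }
  return JSON.parse(manifest.body.toString('utf8'));
}

// Check library bytes (fresh download or cache hit) before loading them.
function isLibraryTrusted(name, bytes, digests) {
  const expected = digests[name];
  if (typeof expected !== 'string') return false; // unknown library: fail closed
  const actual = Buffer.from(sha256(bytes), 'hex');
  const wanted = Buffer.from(expected, 'hex');
  return actual.length === wanted.length && crypto.timingSafeEqual(actual, wanted);
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const name = 'framework_rsl.swf'; // constructed file name
  const genuine = Buffer.from('constructed RSL bytes, version 1');
  const poisoned = Buffer.from('constructed RSL bytes, version 1, altered in transit');
  const manifest = signManifest({ [name]: genuine }, privateKey);
  const digests = loadTrustedDigests(manifest, publicKey);
  // A manifest rewritten on the wire keeps the old signature and must be rejected.
  const forged = {
    body: Buffer.from(JSON.stringify({ [name]: sha256(poisoned) })),
    signature: manifest.signature,
  };
  let forgedRejected = false;
  try { loadTrustedDigests(forged, publicKey); } catch (e) { forgedRejected = true; }
  return {
    genuineAccepted: isLibraryTrusted(name, genuine, digests),
    poisonedAccepted: isLibraryTrusted(name, poisoned, digests),
    unknownAccepted: isLibraryTrusted('other.swf', genuine, digests),
    forgedRejected,
  };
}
```

Because the check runs on the bytes about to be loaded, a cache entry poisoned on a hostile network is rejected later on a clean one, provided the public key is pinned in the client and not fetched over the same channel.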