

About the security content of OS X Mavericks v10.9.2 - chmars
http://support.apple.com/kb/HT6150

======
atmosx
That's hilarious: _For information about the Apple Product Security PGP Key,
see "How to use the Apple Product Security PGP Key."_

From a company that has its own email client (Mail), which doesn't support
PGP(!!!) natively, and when these goodfellas[1] decided to spend their time and
write an add-on, Apple managed to break it with every update of the Mail client.
Like saying "Go use Thunderbird if you want security". And now they are using
PGP to sign their stuff. Incredible.

[1] [https://gpgtools.org/](https://gpgtools.org/)

------
chmars
Discussion:
[https://news.ycombinator.com/item?id=7299287](https://news.ycombinator.com/item?id=7299287)

------
eik3_de
Does OSX have the same DoD root certs[1] as iOS?

Which new root certs came in with this update?

[1] [https://support.apple.com/kb/ht5012](https://support.apple.com/kb/ht5012)
search "DoD"

~~~
mpyne
DoD has its own smartcard-based PKI, which is what those certs are tied into.
Apple supported those smartcards natively with earlier versions of Mac OS X
(though you had to install the root certs yourself) so it wouldn't surprise me
at all that Apple is trying to make their gear "out of the box" compatible
with DoD's PKI-based web services.

Not even necessarily so that you can _use_ Mac in DoD, but so that a soldier,
sailor, Marine, airman, etc. can buy a Mac for their own personal use and
still log in to those damn training sites, pay processing sites, etc.

After all, if DoD wanted to do nefarious things with a digitally-signed
something or other, they'd just buy the digital cert needed from VeriSign or
whatever today's equivalent of DigiNotar is, instead of something so
hopelessly obvious.

But don't let me interrupt the jerk.

~~~
mpyne
Also, Red Hat supports the same:
[https://admin.fedoraproject.org/pkgdb/acls/name/coolkey](https://admin.fedoraproject.org/pkgdb/acls/name/coolkey)
(CAC is the DoD "Common Access Card" smartcard...)

------
lstamour
I just noticed that CVE-2014-1266 aka "goto fail" does not have credits next
to it. The assumption then being: it was found internally?

Interesting twist... I suspect their code will get more attention in future.

------
yuhong
Looks like they still support 10.7 and 10.8, but they finally ended support
for 10.6.

