In this case it makes sense: the key is a "private key" in the cryptographic sense, but it's not "private" with regard to the pypush app. It's needed for the app to work, so it needs to be public information, or else the app would be useless for anyone who didn't have that key.
Because "private" here is regarding the cryptography and not regarding the disclosure? How are users supposed to obtain this key to use the service without it being published?
We have to eventually ban accounts that keep breaking the rules like this. I don't want to ban you, so if you'd please review them and stick to them from now on, we'd appreciate it.
This is a private key to access Apple's service for a proof of concept. How is someone without access to an Apple device going to obtain such a key without it being distributed somehow?
Nobody is surprised that Apple is able to revoke this key, by the way.
Please make your substantive points without swipes (like "What are you talking about" and "your schtick"), no matter how bad another comment is or you feel it is.
In fairness, the dev is a 16-year-old. It's still bad practice, but this is a minor mistake, all things considered, compared to most programming projects by people of that age.
Perfectly understandable, at that age I only had the vaguest notion of how cryptography works.
Unfortunately, nobody else seems to either, which is why my comment is getting downvoted.
"Why is this a problem?" say people, when publishing a private key is inherently the wrong thing to do and will always lead to a bad consequence.
It doesn't matter whose key it is, how it was generated, how it was obtained, etc.
The purpose of private keys is to be kept secret. A published private key is by definition worthless. That will have a consequence. Either it'll be make-believe fairytale security, or someone else getting into your product, or what happened here: the third party whose keys were stolen changed the locks.
Meanwhile I'm at -4 and clocking down because people struggle to understand how keys and locks work, never mind cryptography.
The repo is a proof of concept. The key provided is used for illustration purposes and worked for the proof of concept. Nobody believes Apple would not revoke that key. But you don't need to talk down to the author for their age like this when they've made clear this is a proof of concept.
Plus it lets people decrypt media encrypted by that key that they might otherwise have been unable to.
So we've established that a "private key" that is no longer private may still have uses to some people, it is not wholly "worthless."
Do you want to revise your earlier statement about the private key in the repo in question? Is it "worthless"? Is it a security problem? Do you know what that key is being used for?
> how publishing a private key makes the slightest bit of sense.
From what I gather, the private key was private until it was leaked to / stolen by the team who published it for this use case.
I don't have enough context to say, because I have to admit that once published, the keypair corresponding to the private key is likely to be revoked/discarded.
> the keypair corresponding to the private key is likely to be revoked/discarded.
That's precisely it! Publishing a private key -- anyone's -- invalidates the security of the private-public key pair, making it worthless as security.
There's going to be some consequence to this, such as the third party "changing the locks" and locking out you, or your users.
Similarly, it might allow hackers to intercept the comms, break into your code, or whatever.
The essential, fundamental point I'm trying to get across here is that it never ever makes sense to publish a private key, and then rely on it for any purpose.
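The argument in the comments above, carried out in code as an added example (this is not code from pypush or from anyone in the thread; the verifier with a "trusted keys" set and the Ed25519 signatures are assumptions standing in for whatever Apple's service actually checks, which this thread does not describe). It shows the three things the thread disagrees about: a copy of the private key signs requests the service cannot distinguish from the legitimate owner's, the only remedy is to stop trusting that key, and doing so locks out the owner's existing users as well as the attacker.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Verifier models the service side (hypothetical): a request is accepted
// only if its signature verifies under a public key currently trusted.
type Verifier struct {
	trusted map[string]ed25519.PublicKey // keyed by a human-readable label
}

func NewVerifier() *Verifier { return &Verifier{trusted: map[string]ed25519.PublicKey{}} }

func (v *Verifier) Trust(label string, pub ed25519.PublicKey) { v.trusted[label] = pub }

// Revoke is the "changing the locks" step: the public half of the leaked
// pair is dropped from the trust set, so nothing signed with it verifies.
func (v *Verifier) Revoke(label string) { delete(v.trusted, label) }

// Accepts reports whether any trusted key verifies sig over msg.
func (v *Verifier) Accepts(msg, sig []byte) bool {
	for _, pub := range v.trusted {
		if ed25519.Verify(pub, msg, sig) {
			return true
		}
	}
	return false
}

// Outcome records the observations the thread's argument rests on.
type Outcome struct {
	AttackerAcceptedBeforeRevoke bool // leaked key works as well as the original
	Indistinguishable            bool // owner's and attacker's signatures are identical
	OwnerAcceptedAfterRevoke     bool // legitimate users are locked out too
	AttackerAcceptedAfterRevoke  bool // revocation does stop the attacker
}

// Scenario generates a fresh key pair, "leaks" it by copying, and walks
// through the before/after of the service revoking the key.
func Scenario() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	v := NewVerifier()
	v.Trust("app-key-v1", pub)

	// A published key is just a copy; the attacker's copy is bit-identical.
	leaked := make(ed25519.PrivateKey, len(priv))
	copy(leaked, priv)

	msg := []byte("register device") // constructed sample request body
	ownerSig := ed25519.Sign(priv, msg)
	attackerSig := ed25519.Sign(leaked, msg)

	out := Outcome{
		AttackerAcceptedBeforeRevoke: v.Accepts(msg, attackerSig),
		// Ed25519 signing is deterministic, so the two signatures are equal:
		// the service has no way to tell the owner from the key's new holders.
		Indistinguishable: bytes.Equal(ownerSig, attackerSig),
	}

	v.Revoke("app-key-v1")
	out.OwnerAcceptedAfterRevoke = v.Accepts(msg, ownerSig)
	out.AttackerAcceptedAfterRevoke = v.Accepts(msg, attackerSig)
	return out, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The point the example makes is that revocation is a blunt instrument: the trust set cannot be edited to exclude "the copies" while keeping "the original", because there is no difference between them. A service that wants to lock out only the leaked copy has to issue a new key to the legitimate party, which is exactly the "changing the locks" outcome described above.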
I guess it would have been more difficult for Apple to find the key/device ID used in this scheme had these not been available on the first few pages linked by a lot of articles claiming iMessage is broken.
Had this not been publicly posted, someone would've been forced to at least open a log file.