Reply to Are Keychain p12 files considered secure?
Thank you Quinn,

Our context is the storage of App Store Connect Development, Distribution, and Enterprise signing certificates for use in CI pipelines. The passwords for the extra encryption step are treated in the same way as the passwords for the p12, so I think in this case it comes down to the encryption algorithms themselves and how vulnerable those are to attack and what you could do with the certs if you stole them.

You are correct of course, the question "Is it considered secure" is an unanswerable open question 🤦‍♂️. So I was hoping for some expert knowledge to feed into that judgement. Maybe on the technical side: "Triple DES would take a non state actor approximately 2.62 billion years to brute force with current technology", on the industry side: "Triple DES is secure until NIST says otherwise (Dec 2023)" or perhaps on the Apple side: "Distribution Certificates should be kept securely, but ultimately a rogue app submission would still have to go through App Review so you'd probably notice if someone stole your certs".

But I accept it probably is an unanswerable question! Thanks
Feb ’23