Game Center auth certificate validation on my "third party" server

Hello.


I'm trying to implement client authorization on my server as described here:

https://developer.apple.com/documentation/gamekit/gklocalplayer/1515407-generateidentityverificationsign#discussion

The problem that bothers me is: how can I make sure that the certificate URL is from Apple (and is not hacked)?
If that URL were static and used only on my server, there would be no problem. But if a client sends this URL to the server, the whole authorization procedure becomes unreliable, as all the key data couldn't be validated.


If only there were a way to validate the downloaded certificate in some way... but I was unable to find any reference to such a must-have procedure in the docs.


Would be grateful for any suggestions!
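
One check a server can apply to the client-supplied certificate URL before fetching it, shown as an added example that is not part of the original post or of Apple's code. It assumes genuine key URLs are HTTPS URLs on a host under `apple.com`; that suffix, the function name and the sample URLs are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption (not stated in the post): genuine Game Center key URLs are
# served over HTTPS from a host under apple.com.
ALLOWED_HOST_SUFFIX = ".apple.com"

# Plain DNS labels only, so backslashes, spaces or control characters that
# different URL parsers interpret differently never reach the HTTP client.
_HOST_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")


def is_trusted_public_key_url(url: str) -> bool:
    """Return True only if the client-supplied URL may be fetched."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    # Reject userinfo: in "https://a.apple.com@other.example/" the real
    # host is other.example, not a.apple.com.
    if parts.username is not None or parts.password is not None:
        return False
    if port not in (None, 443):
        return False
    host = parts.hostname or ""  # urlsplit lowercases the hostname
    if not _HOST_RE.fullmatch(host):
        return False
    # Suffix match includes the leading dot, so "evilapple.com" and
    # "apple.com.evil.example" both fail.
    return host.endswith(ALLOWED_HOST_SUFFIX)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from real traffic.
    samples = [
        "https://static.gc.apple.com/public-key/sample.cer",
        "http://static.gc.apple.com/public-key/sample.cer",
        "https://static.gc.apple.com@evil.example/sample.cer",
        "https://apple.com.evil.example/sample.cer",
        "https://evilapple.com/sample.cer",
    ]
    for s in samples:
        print(is_trusted_public_key_url(s), s)
```

Passing this check only decides whether the URL may be fetched; the downloaded certificate still needs ordinary chain validation against a trusted root before its public key is used to verify the signature.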