16:38 <Joerg-Neo900> >>When the keys are kept secret by the manufacturer of the device or the platform, the whole security model of the device is delegated to this third party. The user cannot decide of their own security model and consider potential threats based on their own situation, that may not set this third party as a fully trusted peer. Instead, the implemented security model only covers this third party's threat model, that is designed to consider the

16:38 <Joerg-Neo900> user as a threat<< http://code.paulk.fr/article26/liberating-amusing-use-cases-with-the-f60-action-camera-introduction-motivations-for-going-down-the-road

16:40 <Joerg-Neo900> O may add: and when the keys are disclosed to the user, then this whole security model has no obvious advantage over the classical user permissions model based on a root user and unprivileged nprmal users. But introduces lots of complexity

16:40 <Joerg-Neo900> I*

16:48 <Joerg-Neo900> plus such security model (disclosed key) actually *introduces new* threats compared to the classical one, since users are deceived into trusting that signature to protect them, while indeed there's prolly zilch protection when malicious hackers could get hold of the keys as well. Now when your developer trust in that signature model, they might be less diligent in implementing the classical proven models

17:51 <Joerg-Neo900> ~trust

17:51 <infobot> somebody said trust was safe, or http://www.youtube.com/watch?v=0cbS_lDJuJg