> If I as a server use your client cert to authenticate you, I can be > certain that you posses the private keys associated with your client > cert.
...unless there is a malicious process running as root on the system, in which case we must assume it has taken over the authenticated process and its data. The keys are not the true assets. The sensitive data and processes are the assets. A malicious root process on one of the endpoints subverts all security assertions. There is no way around that basic fact. There is no magic. -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
