On Wed, Feb 23, 2011 at 10:12 AM, Brian Carlstrom <[email protected]> wrote:
>> http://code.google.com/p/android/issues/detail?id=11231
>
> yes, I created that request to funnel all the angst at myself.

So let's all be nice to Brian. :)

> Internally I have the CAs reviewed with our security operations team. no,
> it's not a very public process like Mozilla, but being included by Mozilla is
> one positive factor in favor of inclusion in Android. If you look at all the
> CA requests (sorry there isn't an easy way I guess) you'll find only a
> couple have been rejected that I can recall, both of which were also not
> included by Mozilla, one because it was a government CA that wasn't for public
> sites and the other because they issued multiple CAs with the same subject
> name, something that neither Mozilla nor Android support currently.

I must note that some of the CAs Mozilla trusts are quite dubious indeed. Even EV CAs mess up on basic stuff.

You could use EFF's SSL Observatory as another source of input about the trustworthiness of a CA. My colleagues from EFF and iSEC have uncovered some entertaining things about CAs, and the browser trust process in general.

https://www.eff.org/observatory

--
You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
