On Tue, Jan 17, 2012 at 9:57 AM, Oleg Gryb <[email protected]> wrote:
> Is self-signed cert a "hard" requirement? It's kind of unusual. In my
> mindset, self-signed certs should be used in pre-prod environments
> only. The whole idea of CA is that everybody knows and trusts them and
> relies on them when something needs to be verified about a less known
> 3-rd party. It makes possible to store few trusted CA in all relying
> apps (e.g. browsers) instead of millions 3-rd parties that you might
> to connect to.

How is the cert used and what value would using 3rd party certs add?

As far as I understand it, the cert is used to identify the app author to market. How would a CA help there? It's also probably used on device to verify that upgrades for an app come from the same author as original.

The only place it might help is tracing/verifying identity of side loaded apps, but in Android, the various markets seem to serve the purpose for users; side loading is mostly used by developers.

-bri
