Regarding the value of CAs in the Enterprise and traditional web app world, nobody seems to be arguing: it's all about effective certificate management. You probably know that all major browsers are pre-packaged with trusted CAs' public certs, and I can't imagine what you would do if everybody was using self-signed certs.
In the mobile world it could be the same problem; e.g. it would be much easier for an Enterprise to set up a policy that says: we want to allow all apps signed by Verisign because it checks the publisher's identity well, so if there is a problem with those apps we can at least easily find the publisher and probably sue them for the damage. With Android Market it's probably a lesser issue, because they require a credit card, which can be used for publisher identification, but there are so many other uncontrolled markets and websites with mobile apps where the publisher's identity can't be easily verified.

On Jan 17, 10:35 am, Brian Carlstrom <[email protected]> wrote:
> On Tue, Jan 17, 2012 at 9:57 AM, Oleg Gryb <[email protected]> wrote:
> > Is a self-signed cert a "hard" requirement? It's kind of unusual. In my
> > mindset, self-signed certs should be used in pre-prod environments
> > only. The whole idea of a CA is that everybody knows and trusts them and
> > relies on them when something needs to be verified about a less known
> > 3rd party. It makes it possible to store a few trusted CAs in all relying
> > apps (e.g. browsers) instead of the millions of 3rd parties that you might
> > want to connect to.
>
> How is the cert used and what value would using 3rd party certs add? As far
> as I understand it, the cert is used to identify the app author to the market. How
> would a CA help there? It's also probably used on device to verify that
> upgrades for an app come from the same author as the original. The only place
> it might help is tracing/verifying the identity of side-loaded apps, but in
> Android the various markets seem to serve the purpose for users; side
> loading is mostly used by developers.
>
> -bri
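As an added example (not code from this thread, and not Android's own implementation), here are the two checks the exchange contrasts, written in Go against the standard library only: the on-device upgrade rule Brian describes, which asks only whether the update is signed by the same certificate as the installed package, and the enterprise policy Oleg sketches, which asks whether the signing certificate chains to a publisher CA the enterprise trusts. The certificates, names ("dev1", "Example Publisher CA") and keys are generated in-process and are constructed for illustration; a real check would read the signer certificate out of the APK's signature block instead.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// mkCert generates a P-256 key and a certificate for it. With parent == nil the
// certificate is self-signed (how Android app-signing certs normally look);
// otherwise it is issued by parent, the way a CA-backed publisher cert would be.
// Every certificate produced here is constructed for the example.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)), // keep it positive
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // required for Verify to accept it as an issuer
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Fingerprint is the SHA-256 of the DER certificate: the stable identifier a
// market, a device or a policy can pin for an app signer, CA or no CA.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// SameSigner is the on-device upgrade rule from the thread: the update must be
// signed by exactly the certificate that signed the installed package. Whether
// a CA vouched for that certificate never enters the comparison.
func SameSigner(installed, update *x509.Certificate) bool {
	return bytes.Equal(installed.Raw, update.Raw)
}

// ChainsToTrustedCA is the enterprise policy from the thread ("allow apps signed
// by a publisher CA we trust"): accept the signer only if it chains to one of
// roots. A self-signed signer passes only if that cert itself is in roots,
// i.e. the enterprise has pinned it.
func ChainsToTrustedCA(signer *x509.Certificate, roots *x509.CertPool) bool {
	_, err := signer.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err == nil
}

// Result records the outcome of each check in Scenario.
type Result struct {
	DevFingerprint       string
	SameCertUpgradeOK    bool // v2 signed with the original self-signed cert
	RotatedKeyUpgradeOK  bool // v2 signed with a fresh self-signed cert (key rotation)
	SelfSignedChainsToCA bool // self-signed signer against a CA-only trust store
	CAIssuedChainsToCA   bool // CA-issued signer against the same store
	PinnedSelfSignedOK   bool // self-signed signer after pinning it as a root
}

// Scenario runs both checks over three signers for the same developer: the
// original self-signed cert, a replacement self-signed cert after a key
// rotation, and a cert issued to the developer by a publisher CA.
func Scenario() Result {
	devCert, _ := mkCert("dev1 (self-signed)", false, nil, nil)
	v2Cert, _ := x509.ParseCertificate(devCert.Raw) // same bytes carried in the update
	rotatedCert, _ := mkCert("dev1 (self-signed, new key)", false, nil, nil)
	caCert, caKey := mkCert("Example Publisher CA", true, nil, nil)
	issuedCert, _ := mkCert("dev1 (CA-issued)", false, caCert, caKey)

	caOnly := x509.NewCertPool() // the enterprise trusts only the publisher CA
	caOnly.AddCert(caCert)
	pinned := x509.NewCertPool() // the enterprise pinned the developer's own cert
	pinned.AddCert(devCert)

	return Result{
		DevFingerprint:       Fingerprint(devCert),
		SameCertUpgradeOK:    SameSigner(devCert, v2Cert),
		RotatedKeyUpgradeOK:  SameSigner(devCert, rotatedCert),
		SelfSignedChainsToCA: ChainsToTrustedCA(devCert, caOnly),
		CAIssuedChainsToCA:   ChainsToTrustedCA(issuedCert, caOnly),
		PinnedSelfSignedOK:   ChainsToTrustedCA(devCert, pinned),
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

The point the two results make side by side: the same-signer rule is satisfied by a self-signed cert and broken by a legitimate key rotation, and a CA signature on the cert changes neither outcome; the chain check is what a CA actually buys, and an enterprise can get the same effect for a self-signed signer by pinning its fingerprint as a trust anchor. Outside the scope of the 2012 thread: Android 9 later added a signed key-rotation lineage (APK Signature Scheme v3), so a rotated key can pass the upgrade check on current devices when the lineage is present.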
