> You don't trust a signer, you trust an author/source with best practice being checking and building apps from source and self-signing an app or checksum with your own offline key. Trust no-one, especially not big companies that do fsck all and have employees that use their date of birth as their password for everything and can be a stepping stone (RSA, Google, CAs, dumb sh*t (easily avoided), but there you go).
>
> Self-signed is not a questionable practice, you just have to verify the app's particular key is safe; this is far more secure. What are you trying to do, something GENERIC rather than specific?
There are 180M websites in the world. Do you suggest putting 180M self-signed certificates into a browser? Good luck with that and with implementing CRL logic around it.

There are 500,000 Android apps; the number of publishers is probably smaller, but still I would not want to deal with each and every self-signed certificate trying to understand:

1. if I want to trust it
2. if it's associated with malware
3. if its private key has been compromised

Thanks, but no, I don't want to be in this business.
