On Wed, Mar 9, 2011 at 5:08 AM, Marcin Orlowski
<[email protected]> wrote:
>> That said, it would be nice if there were some way to recover from
>> losing your key.
>
> Recover it from *your* backup. The name "private key" is not coincidental.
> What you dream of is just a plain hole, so if you do not back up your
> vital stuff like sources and pkey then you are not just brave. You
> are simply begging for trouble.

'Private' means it is not disclosed. It doesn't mean it is forever. In all
public key systems (GPG, X.509), there is an option to revoke your
key if it is compromised, and issue a new one to update it. The current
model is far from perfect -- everyone is issuing those self-signed certificates
valid for 30 years or more. So am I supposed to use that key for 30 years
without updating? A determined attacker (with a lot of resources)
could crack the private key of, say, Rovio, and push their own 'Angry Birds'
clone, for example.

The right way is to tie this to an *identity* (X.509 DN, email address,
whatever), as opposed to a key. That way you can check that all those apps
are issued by this person/company, regardless of what key they are signed with.

>
>> you should be able to replace the key/certificate tied to your account.
>
> There's no reason for this, because you are never going to lose your
> pkey in the first place.
>

Right. Even if you have multiple distributed backups, there is still a
possibility (albeit remote) that all of them can be lost/destroyed. You are
being overly optimistic.

And yes, I do have distributed backups of my keystore.

-- 
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en
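To make the two update policies concrete, here is an added example in Go (written for this page; it is not code from the original thread, from Android, or from any market). It models the behaviour the thread is arguing about, where an update is accepted only if it is signed with the identical certificate as the installed version, beside the identity-bound policy the post proposes: the market trusts a hypothetical issuer to vouch for a subject DN, accepts any certificate chaining to that issuer with the same DN, and rejects certificates it has withdrawn. The issuer, publisher name, package bytes and revocation map are all constructed stand-ins; the map plays the role a CRL or OCSP lookup would in a real deployment.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a P-256 key and a code-signing certificate for cn: self-signed when parent is
// nil (the long-lived self-signed certificate the thread describes), otherwise signed by parent.
func issue(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, isCA bool) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

func sign(payload []byte, key *ecdsa.PrivateKey) []byte {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	check(err)
	return sig
}

// KeyBoundUpdate is the model the thread objects to: the update must be signed with the
// identical certificate recorded at first install, so the signing key can never change.
func KeyBoundUpdate(installed, signer *x509.Certificate, payload, sig []byte) error {
	if err := signer.CheckSignature(x509.ECDSAWithSHA256, payload, sig); err != nil {
		return err
	}
	if !installed.Equal(signer) {
		return errors.New("signer certificate differs from the installed one")
	}
	return nil
}

// IdentityBoundUpdate is the alternative the post argues for: roots are the issuers the market
// trusts to vouch for a subject DN; revoked holds the serial numbers of withdrawn certificates.
func IdentityBoundUpdate(roots *x509.CertPool, revoked map[string]bool, installed, signer *x509.Certificate, payload, sig []byte) error {
	if err := signer.CheckSignature(x509.ECDSAWithSHA256, payload, sig); err != nil {
		return err
	}
	if revoked[signer.SerialNumber.String()] {
		return errors.New("signer certificate has been revoked")
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := signer.Verify(opts); err != nil {
		return err // self-signed or otherwise untrusted issuer: nobody vouches for this DN
	}
	if signer.Subject.String() != installed.Subject.String() {
		return errors.New("signer identity differs from the installed one")
	}
	return nil
}

// RunScenario exercises both models with constructed keys and names; a nil result means accepted.
func RunScenario() (keyBoundRollover, identityBoundRollover, identityBoundImpostor, identityBoundRevoked error) {
	ca, caKey := issue("Example Market Root", 1, nil, nil, true)
	c1, k1 := issue("Example Publisher Ltd", 2, ca, caKey, false)
	c2, k2 := issue("Example Publisher Ltd", 3, ca, caKey, false) // replacement key, same identity
	cx, kx := issue("Example Publisher Ltd", 4, nil, nil, false)  // impostor: same DN, nobody vouches
	roots, revoked := x509.NewCertPool(), map[string]bool{}
	roots.AddCert(ca)
	upd := []byte("app-1.1") // constructed stand-in for the update's bytes
	keyBoundRollover = KeyBoundUpdate(c1, c2, upd, sign(upd, k2))
	identityBoundRollover = IdentityBoundUpdate(roots, revoked, c1, c2, upd, sign(upd, k2))
	identityBoundImpostor = IdentityBoundUpdate(roots, revoked, c1, cx, upd, sign(upd, kx))
	revoked[c1.SerialNumber.String()] = true // key 1 compromised: withdraw its cert, keep the identity
	identityBoundRevoked = IdentityBoundUpdate(roots, revoked, c2, c1, upd, sign(upd, k1))
	return
}

func main() {
	fmt.Println(RunScenario())
}
```

The impostor case is the caveat that makes identity binding safe: a certificate that merely copies the DN is rejected because nobody the market trusts vouches for it, so "tie it to an identity" only works if the market, or an issuer it trusts, actually verifies that identity before binding a key to it. Revocation likewise only helps if the verifier consults the revocation data; a self-signed certificate that no one can revoke is exactly the 30-year problem the post describes.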