Hi, I just read through the archives and Dianne answered where we currently are, but I'm not sure that's a very good place. When signing an app, it appears that the platform is doing, essentially, a leap of faith kind of signing key trust ala SSH. That is, if i've never seen a key/name binding before, save it in my keystore and never allow others using the same name to use my namespace.
That's fine until you have to revoke a key for whatever reason. In my particular case, it's because I wanted to clean up the self-signed cert I made with keytool because I made mistake in it, but there are *many* *many* valid reasons why a cert might need to be revoked, not the least of which is that somebody else got your signing key even though you stored it in a nuclear bunker, blah, blah, blah. First, what I don't understand is what name space is actually be covered by the signing cert. is it just for com.example.app, or is it for com.example (which is normally what you'd put in your cert), or what? I suspect it's for the entire O= namespace which means, oh say, that if O=ibm.com need to revoke a cert.. it would need to find an entirely new namespace other than ibm.com to migrate all of its apps? Some clarification here on what the platform actually does, and what the mitigation steps are necessary would be helpful. I'm afraid, however, just telling people to not be human is not an especially helpful mitigation strategy, especially at the very early stages of adoption. Mike PS: my first thought is that if you uninstall every ibm.com app, you should be given the ability to completely nuke it from the keystore or something like that so that when you reinstall that it does a new leap of faith. Not being able to nuke the leap of faith keystore invites poisoning attacks by malicious apps if nothing else. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Android Developers" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~----------~----~----~----~------~----~------~--~---
