On Mon, Apr 12, 2010 at 2:47 PM, Djakona <[email protected]> wrote:
> - One thing I cannot fail to notice is that the certificate can be > self-issued (i.e. not from a trusted CA). I can use any CN and issuer > in the certificate I create that can also infringe copyrights of other > companies. How does Google control that? From a user perspective, > what's the real 'company X' certificate vs. somone posing to be from > 'company X'? > We only use certificates for verifying that the author of two .apks is the same. Thus self-signing is fine. This is a feature. > - The certificate validity is requested to be at least "after 22 > October 2033" so seamless application update can be performed, further > "A validity period of more than 25 years is recommended." - with any > PKI best practices in mind who'd create a signing certificate with > valid for 25 years? For application updates it seems that the key is > being validated during the upload and if matched application update is > allowed - can someone comment more what's invloved here please? Is > there any certificate validation for expiry date happening on OS > level? What actually drives the requirement for 25 years validity? > These are not web certificates, they are used to verify that the same .apk can from the same author. The only validation is that the cert is proper and exactly matches the other app's cert it is being compared against. -- Dianne Hackborn Android framework engineer [email protected] Note: please don't send private questions to me, as I don't have time to provide private support, and so won't reply to such e-mails. All such questions should be posted on public forums, where I and others can see and answer them. -- To unsubscribe, reply using "remove me" as the subject.
