On Wed, Feb 23, 2011 at 7:38 AM, sjschultze <[email protected]> wrote:
> There continues to be some angst on the chromium bug related to
> implementing cert management:
> http://code.google.com/p/android/issues/detail?id=11231

yes, I created that request to funnel all the angst at myself.

> In the meantime, I'd like to understand the process by which root CA
> certs get included into Android... both at the chromium stage and (if
> there is any difference) at the carrier stage. Mozilla has an
> extensive and public system for reviewing root cert inclusion
> requests. What does Android do?
>

chromium? I think you have the wrong list. :)

I've been asking for all external CA requests to go via issues at:
http://code.google.com/p/android/issues/list

Internally I have the CAs reviewed with our security operations team. no, it's not a very public process like Mozilla, but being included by Mozilla is one positive factor in favor of inclusion in Android.

If you look at all the CA requests (sorry there isn't an easy way I guess) you'll find only a couple have been rejected that I can recall, both of which were also not included by Mozilla, one because it was a government CA that wasn't for public sites and the other because they issued multiple CAs with the same subject name, something that neither Mozilla nor Android support currently.

> This is the best way of viewing the current list, no?
>
> http://android.git.kernel.org/?p=platform/libcore.git;a=tree;f=luni/src/main/files;hb=HEAD

yes, you can use a oneliner like:

    for f in cacerts/*; do openssl x509 -in "$f" -noout -subject; done

to get a text list of the subject names if you are in the luni/src/main/files directory on local disk.

-bri

--
You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
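
Added example (not part of the original message or of the Android source): the one-liner above, extended to audit a local cacerts directory for the duplicate-subject condition mentioned in the reply. The function names list_cas and duplicate_subjects are hypothetical; it assumes openssl is on PATH and one PEM certificate per file.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes openssl is on PATH and that
# the directory holds one PEM certificate per file (as in cacerts/).

# Print "subject<TAB>sha1-fingerprint<TAB>file" for each parsable certificate.
list_cas() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        subj=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 2>/dev/null) || {
            echo "skipping unparsable file: $f" >&2
            continue
        }
        subj=${subj#subject=}   # drop the label openssl prints
        subj=${subj# }          # older openssl adds a space after "subject="
        fp=$(openssl x509 -in "$f" -noout -fingerprint -sha1 | cut -d= -f2)
        printf '%s\t%s\t%s\n' "$subj" "$fp" "$f"
    done
}

# Print each subject name carried by more than one distinct certificate.
# The same certificate stored in two files is collapsed first (sort -u on
# subject + fingerprint), so only genuinely different certs are reported.
duplicate_subjects() {
    list_cas "$1" | cut -f1,2 | sort -u | cut -f1 | sort | uniq -d
}

# Usage: sh audit-cacerts.sh cacerts
if [ $# -ge 1 ]; then
    duplicate_subjects "$1"
fi
```

Empty output means no two distinct certificates in the directory share a subject name.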
