On Feb 23, 2011, at 2:32 PM, Chris Palmer wrote:
On Wed, Feb 23, 2011 at 10:12 AM, Brian Carlstrom <[email protected]>
wrote:
Internally I have the CAs reviewed with our security operations
team. no,
its not a very public process like Mozilla, but being included by
Mozilla is
one positive factor in favor of inclusion in Android. If you look
at all the
CA requests (sorry there isn't an easy way I guess) you'll find
only a
couple have been rejected that I can recall, both of which were
also not
include by Mozilla, one because it was a goverment CA that wasn't
for public
sites and the other because they issued multiple CAs with the same
subject
name, something that neither Mozilla or Android support currently.
I must note that some of the CAs Mozilla trusts are quite dubious
indeed. Even EV CAs mess up on basic stuff.
You could use EFF's SSL Observatory as another source of input about
the trustworthiness of a CA. My colleagues from EFF and iSEC have
uncovered some entertaining things about CAs, and the browser trust
process in general.
https://www.eff.org/observatory
Yes, there are problems with the CA trust model in general, and I too
dispute some of Mozilla's decisions (and I participate in their
vetting process). We had Peter from EFF on a panel related to his SSL
Observatory work (as well as the larger issues) last year:
http://citp.princeton.edu/events/emerging-threats-to-online-trust/
The fact that the Mozilla process is open is however a point in its
favor. Ultimately, users are the ones who have to "trust" the list
anyway, and inviting them into the process and keeping that process
transparent seems like a good feature. I would suggest the same thing
for Android.
Giving users the ability to customize their own root CA lists in
addition is a further improvement, and probably necessary for anybody
to take Android seriously in the enterprise market (not to mention
giving retail customers more control over who they trust). Each user
has different trust tolerances, and trusts different entities
differently... but of course that's where all that angst on the bug is
coming from.
Steve
--
You received this message because you are subscribed to the Google Groups "Android
Security Discussions" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/android-security-discuss?hl=en.
