On Mon, Feb 29, 2016 at 7:09 AM, Peter Gutmann <[email protected]> wrote:
> Jürgen Brauckmann <[email protected]> writes:
>
>>Nice example from the consumer electronics world: Android >= 4.4 is quite
>>resistant against private PKIs. You cannot import your own/your corporate
>>private Root CAs for Openvpn- or Wifi access point security without getting
>>persistent, nasty, user-confusing warning messages: "A third party is capable
>>of monitoring your network activity".
>>
>>http://www.howtogeek.com/198811/ask-htg-whats-the-deal-with-androids-persistent-network-may-be-monitored-warning/
>
> Ugh, yuck! So on the one hand we have numerous research papers showing that
> Android apps that blindly trust any old cert they find are a major problem,
> and then we have Google sabotaging any attempt to build a proper trust chain
> for Android apps.
Not just Android. Windows has all sorts of cool cert chain building algorithms in their APIs. But they require the certificates to be installed in the machine cert store. Which makes them totally useless for my purposes in the Mesh as the point is to give users a personal PKI with themselves as the root of trust.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
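The situation the reply describes, chain building against a root the user generated rather than one installed in the machine store, can be done with a trust anchor held only in application memory. The following is an added illustration in Go's standard library `crypto/x509`, not code from the Mesh project and not the Windows CryptoAPI the message refers to; the root name, the host name `mesh.example` and the use of P-256 keys are constructed for the example. It generates a personal root, issues a leaf from it, and validates the chain with a `CertPool` that the application supplies, so the system store is neither consulted nor modified; a leaf checked against someone else's root, or for the wrong host name, is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PersonalPKI is a constructed, in-memory trust anchor: a self-signed root
// generated by the user plus one leaf it issued. Nothing is written to any
// OS certificate store.
type PersonalPKI struct {
	Root *x509.Certificate
	Leaf *x509.Certificate
}

// signCert signs template with the signer's key and returns the parsed
// certificate. When parent == template the result is self-signed.
func signCert(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewPersonalPKI generates a fresh root CA owned by the user and a leaf
// certificate for the hypothetical host name "mesh.example".
func NewPersonalPKI() (*PersonalPKI, error) {
	now := time.Now()
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Personal Root (constructed example)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	root, err := signCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "mesh.example"},
		DNSNames:     []string{"mesh.example"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// The leaf is signed by the root's private key, with the parsed root as parent.
	leaf, err := signCert(leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return &PersonalPKI{Root: root, Leaf: leaf}, nil
}

// VerifyWithPrivateRoot builds and validates the chain leaf -> root using an
// application-supplied CertPool as the only trust anchor. Because Roots is
// set explicitly, the platform store is never consulted. Returns nil on success.
func VerifyWithPrivateRoot(leaf, root *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	pki, err := NewPersonalPKI()
	if err != nil {
		panic(err)
	}
	fmt.Println("own root:", VerifyWithPrivateRoot(pki.Leaf, pki.Root, "mesh.example"))
	other, _ := NewPersonalPKI()
	fmt.Println("foreign root:", VerifyWithPrivateRoot(pki.Leaf, other.Root, "mesh.example"))
}
```

The point of the design is that the trust anchor is a value passed into `VerifyOptions`, not global state: each user (or each application) can carry its own root and still get full chain validation, name checking and key-usage checking from the library, without the warnings or privileges that installing a root into a shared system store entails.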

