[cryptography] How are expired code-signing certs revoked?
nico at cryptonector.com
Thu Dec 8 11:12:00 EST 2011
On Thu, Dec 8, 2011 at 9:26 AM, Darren J Moffat
<Darren.Moffat at oracle.com> wrote:
> On 12/08/11 03:27, Nico Williams wrote:
>> You misunderstand. The Android code signing model isn't intended to
>> protect you from installing malware: it's intended to help Android a)
>> provide isolation between apps from different sources, b) protect your
>> apps from untrusted updates.
> Android gives you hints about what a given APK might be upto by telling you
> *before* you agree to install it what permissions it wants.
Indeed, but this has nothing to do with Android's signature model.
Signatures are there for continuity.
> I've rejected several otherwise interesting sounding (probably legit) apps
> from the Google Market because the list of permissions looked excessive to
> me based on what that apps claims to do.
And when every app you want [eventually] wants complete free range,
what do you do? Android should at least let the user reduce the
privileges of paid-for applications -- the current situation is
More information about the cryptography