[cryptography] code signing a nuisance?

Chris Palmer snackypants at gmail.com
Wed Sep 21 02:59:17 EDT 2011


Please look into how code signing on Android works and what it means. It's
not what you think — there are no CAs. By making their signing key public,
if that's what they do, Cyanogen out their users at huge risk: any third
party app can take any System or SystemOrSignature permission, or
impersonate the system directly.
On Sep 20, 2011 11:52 PM, "M.R." <makrober at gmail.com> wrote:
> On 20/09/11 21:48, Peter Gutmann wrote:
>> ...to sign their code.
>> ...I get the impression they see
>> security as a nuisance to be bypassed rather than a real requirement.
>>
> I'd like to assure you that code signing and the associated need
> to buy a certificate service from a third party is viewed as a
> "nuisance to be bypassed" by a great majority of independent
> software vendors.
>
> Nobody is happy to see ~his~ product, which he ~knows~ presents
> no threat to his customer, encumbered in both the construction and
> the distribution to such a level in order to protect the buying
> public from ~someone else's bad product~. It's "business 101" really.
> And like always, the smaller the product, the more of a nuisance
> this becomes. And like always, "the regulator" just wouldn't
> admit that the regulation is an ill-conceived measure, which
> encumbers the producer and does not really solve the problem that
> was used as an excuse to introduce it in the first place, mostly
> for the hidden "fringe benefits" that it brings to the regulator.
>
> Mark R.
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.randombit.net/pipermail/cryptography/attachments/20110920/6f98f3ce/attachment.html>


More information about the cryptography mailing list