[cryptography] code signing a nuisance?
snackypants at gmail.com
Wed Sep 21 02:59:17 EDT 2011
Please look into how code signing on Android works and what it means. It's
not what you think — there are no CAs. By making their signing key public,
if that's what they do, Cyanogen put their users at huge risk: any third
party app can take any System or SystemOrSignature permission, or
impersonate the system directly.
On Sep 20, 2011 11:52 PM, "M.R." <makrober at gmail.com> wrote:
> On 20/09/11 21:48, Peter Gutmann wrote:
>> ...to sign their code.
>> ...I get the impression they see
>> security as a nuisance to be bypassed rather than a real requirement.
> I'd like to assure you that code signing and the associated need
> to buy a certificate service from a third party is viewed as a
> "nuisance to be bypassed" by a great majority of independent
> software vendors.
> Nobody is happy to see ~his~ product, which he ~knows~ presents
> no threat to his customer, encumbered in both the construction and
> the distribution to such a level in order to protect the buying
> public from ~someone else's bad product~. It's "business 101" really.
> And like always, the smaller the product, the more of a nuisance
> this becomes. And like always, "the regulator" just wouldn't
> admit that the regulation is an ill-conceived measure, which
> encumbers the producer and does not really solve the problem that
> was used as an excuse to introduce it in the first place, mostly
> for the hidden "fringe benefits" that it brings to the regulator.
> Mark R.
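The check the first post refers to, as an added example that is not part of the thread: a simplified Python model of how Android decides whether a package may hold a `signature` or `signatureOrSystem` permission (matching signing certificates by SHA-256 fingerprint, with constructed byte strings standing in for DER certificates; the package and permission names are illustrative). It shows why a published platform key lets any third-party APK take every signature-level permission.

```python
import hashlib
from dataclasses import dataclass

# Android protection levels for <permission android:protectionLevel=...>
NORMAL, DANGEROUS = "normal", "dangerous"
SIGNATURE, SIGNATURE_OR_SYSTEM = "signature", "signatureOrSystem"

def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded signing certificate (as apksigner prints it)."""
    return hashlib.sha256(cert_der).hexdigest()

@dataclass(frozen=True)
class Package:
    name: str
    cert_der: bytes                 # DER bytes of the APK signing certificate (constructed)
    on_system_partition: bool = False

@dataclass(frozen=True)
class Permission:
    name: str
    protection_level: str
    declared_by: Package            # the package whose <permission> element defines it

def same_signer(a: Package, b: Package) -> bool:
    # Android grants signature-level permissions only when the requesting package
    # was signed by the same certificate as the package that declared them.
    return cert_fingerprint(a.cert_der) == cert_fingerprint(b.cert_der)

def can_grant(perm: Permission, requester: Package) -> bool:
    if perm.protection_level in (NORMAL, DANGEROUS):
        return True                 # no signer check for these levels
    if perm.protection_level == SIGNATURE:
        return same_signer(requester, perm.declared_by)
    if perm.protection_level == SIGNATURE_OR_SYSTEM:
        return same_signer(requester, perm.declared_by) or requester.on_system_partition
    raise ValueError(f"unknown protection level {perm.protection_level!r}")

# Constructed demo inputs: these byte strings stand in for real DER certificates.
PLATFORM_CERT = b"constructed-DER: platform signing certificate"
VENDOR_CERT = b"constructed-DER: third-party vendor certificate"
android_pkg = Package("android", PLATFORM_CERT, on_system_partition=True)
INSTALL_PACKAGES = Permission("android.permission.INSTALL_PACKAGES",
                              SIGNATURE_OR_SYSTEM, android_pkg)

def third_party_with_own_key() -> bool:
    return can_grant(INSTALL_PACKAGES, Package("com.example.app", VENDOR_CERT))

def third_party_with_published_platform_key() -> bool:
    # A public platform key lets anyone sign with it, so a third-party APK
    # matches the "android" package's signer and every signature permission opens.
    return can_grant(INSTALL_PACKAGES, Package("com.example.app", PLATFORM_CERT))
```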