Comment on Google's plan to restrict sideloading on Android has a potential escape hatch for users
Zak@lemmy.world 3 weeks agoAnother option is to allow otherwise-valid signatures after expiration. It’s generally still possible to check them.
Comment on Google's plan to restrict sideloading on Android has a potential escape hatch for users
Zak@lemmy.world 3 weeks agoAnother option is to allow otherwise-valid signatures after expiration. It’s generally still possible to check them.
LodeMike@lemmy.today 3 weeks ago
That completely nullifies the entire point of signature validations.
Zak@lemmy.world 3 weeks ago
How? Expiration doesn’t grant an unauthorized party access to the private key.
LodeMike@lemmy.today 3 weeks ago
There’s zero cryptographic reason to have a signed date at that point.
Zak@lemmy.world 3 weeks ago
Which nullifies the point of certificates having an expiration date (limited window for exploiting a compromised certificate, possibility of domains changing hands), not the point of validating the signature (tie responsibility for apps to who owned a domain on a specific date, allow third parties to create blacklists of bad developers).