The Android robot is reproduced or modified from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution License.
Please refer to:
www.android-ca.org is a not-for-profit organization maintained by Ingo A. Kubbilun.
Trademarks and registered trademarks are properties of their respective owners.
If you are looking for my custom kernel work, then read this.
Certification Authority (CA) for Android™
In 2013, we will provide a totally free Certification Authority (CA) for mobile devices running Android™. It is planned to issue X.509 certificates in a pseudonymous way, i.e. the CN (common name) attribute of the subject distinguished name will be just set to the fully-qualified mobile phone number. No other personal information will be added to the certificate.
Elliptic Curve Cryptography (ECC) will be used, which is well-suited for mobile devices (kind of embedded systems).
We currently need time to implement it and to host a directory service for fetching or revoking certificates, respectively.
It is planned to provide an Android™ app that enables a mobile phone user to generate the necessary key pairs and to request one or more X.509 certificates online.
Possible use cases
Some examples include (but are not limited to):
As mentioned earlier, a Certification Authority and a directory service are required (server side). The key pair generation is performed
in the mobile device (secured by a PIN). A PKCS#10 request is sent from the Android™ app to the server for issuing the certificate(s).
Only the mobile phone number is used as the common name (CN) attribute providing some kind of pseudonymous X.509 certificate(s).
How does the CA ensures the 'identity' of a mobile phone user?
This is closely connected to the last item of the enumeration above. A PKCS#10 request is always self-signed. This is also called proof-of-possession, i.e.
the mobile phone user prooves that he/she owns the private key of the key pair. The Certification Authority has to ensure that a certificate will be
issued for that specific mobile phone user identified by the mobile phone number, too. This is done by splitting the PKCS#10 request, i.e. the digital signature
will be sent by a text message to the mobile phone number of the Certification Authority.