by rictic
2207 days ago
The equivalent to the app signing cert for a web app is the TLS cert. If security is important to you, don't let third parties control your TLS cert! It's so common now to let CDNs (primarily Cloudflare) run your TLS frontend that this article apparently doesn't even consider the idea of hosting an app entirely from servers the app author controls. That said, it's true that a TLS cert is necessarily more exposed than an app signing cert can be. If you're serious about security, your app signing cert will be on an airgapped machine. The TLS cert, however, has to be available on a networked machine in order to sign messages.

https://tools.ietf.org/html/draft-ietf-tls-subcerts-07
The certificate is public; it's fine for copies of that to be in all edge devices. The problem today is that the associated private key has to be on those edge devices too, and that's what Delegated Credentials solves.