Mobile network operator as certificate authority and mobile service provider as signing authority

The mobile network operator often assumes fundamental responsibility for the application security of devices operating on its network, so a mobile network operator is a natural owner of the root certificate. Acting as the certificate authority allows the operator to set policy and directly manage the delegation of prescribed signing authorities through the issuance of signing certificates.

The mobile network operator may then determine what sources of dynamic applications to make available to their subscribers. They may elect to partner with a mobile service provider that aggregates, vends, and downloads applications to mobile devices. In this case, the mobile service provider might act as the signing authority, running the signing operation according to an agreed signing policy. For such an arrangement, there is typically some understanding between the mobile network operator and the mobile service provider regarding the level of testing and vetting necessary to prevent the introduction of malware or misbehaving code. This arrangement is often manifested in a contract, but most certainly in the signing policy of the mobile service provider.

In practice, a mobile network operator provides its root certificate to a device manufacturer along with its requirements for how the certificate should be configured on the device. The mobile network operator also issues one or more signing certificates to the mobile service provider. Application developers and publishers submit their code to the mobile service provider signing authority, which subjects it to whatever testing, developer authentication, or other processes its signing policy requires. The mobile service provider then generates signatures for the code it determines to be trustworthy and makes that code available to subscribers.
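The flow described above, reproduced with the `openssl` CLI as an added example (not from the original page or from Brew MP tooling). All names, lifetimes, file names and the `ca.cnf`/`sign.ext` files are constructed, and a detached SHA-256 signature stands in for whatever signature format the platform actually uses.

```shell
#!/bin/sh
# Added example: every name, lifetime and file below is constructed.
W=$(mktemp -d)
# Throwaway CA config so the run does not depend on the system openssl.cnf.
printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' 'prompt=no' \
  '[dn]' 'CN=placeholder' '[ca]' 'basicConstraints=critical,CA:TRUE' \
  'keyUsage=critical,keyCertSign,cRLSign' > "$W/ca.cnf"
# Extensions the operator places on a signing certificate (not a CA, signing only).
printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
  'keyUsage=critical,digitalSignature' 'extendedKeyUsage=codeSigning' > "$W/sign.ext"

# Operator (certificate authority): self-signed root, later provisioned on devices.
new_root() {  # $1 = file prefix, $2 = CN
  openssl req -x509 -config "$W/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$2" -keyout "$W/$1.key" -out "$W/$1.pem" 2>/dev/null
}
# Operator issues a signing certificate for a key the service provider generated.
issue_signer() {  # $1 = signer prefix, $2 = issuing root prefix, $3 = CN
  openssl req -new -config "$W/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$W/$1.csr" -CA "$W/$2.pem" -CAkey "$W/$2.key" \
    -CAcreateserial -days 7 -extfile "$W/sign.ext" -out "$W/$1.pem" 2>/dev/null
}
# Service provider (signing authority): detached signature over vetted code.
sign_app() {  # $1 = signer prefix, $2 = application file
  openssl dgst -sha256 -sign "$W/$1.key" -out "$2.sig" "$2"
}
# Device: trusts only the provisioned root; checks the chain, then the signature.
device_accepts() {  # $1 = provisioned root, $2 = signer cert, $3 = application file
  openssl verify -CAfile "$W/$1.pem" "$W/$2.pem" >/dev/null 2>&1 || return 1
  openssl x509 -in "$W/$2.pem" -noout -pubkey > "$W/$2.pub" || return 1
  openssl dgst -sha256 -verify "$W/$2.pub" -signature "$3.sig" "$3" >/dev/null 2>&1
}

new_root mno "Example Operator Root CA"
issue_signer msp mno "Example Service Provider Signing"
new_root other "Unrelated Root"            # never provisioned on the device
issue_signer rogue other "Unvetted Signer"
printf 'vetted application image\n' > "$W/app.bin"
sign_app msp "$W/app.bin"
printf 'unvetted application image\n' > "$W/bad.bin"
sign_app rogue "$W/bad.bin"
```

`device_accepts mno msp "$W/app.bin"` succeeds, while the application signed under the unrelated root fails the chain check even though its signature is mathematically valid.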

The signing policy for such a code or application aggregation service is likely to be quite rigorous and might include strict vetting and real-time authentication of developers as well as an extensive testing and review process. Furthermore, because of the high volume of signing activity, the process and implementation required for secure signing operations may be significant.

The mobile network operator as certificate authority may enable multiple service providers as signing authorities under this model.