Skip to main content

[javaee-spec users] [jsr342-experts] Re: Improved Credential and SSL Configuration for EE 7

  • From: Jevgeni Kabanov <jevgeni@...>
  • To: "jsr342-experts@..." <jsr342-experts@...>
  • Subject: [javaee-spec users] [jsr342-experts] Re: Improved Credential and SSL Configuration for EE 7
  • Date: Fri, 9 Mar 2012 21:04:31 +0200
  • List-id: <jsr342-experts.javaee-spec.java.net>



On Friday, March 9, 2012, Bill Shannon wrote:
Jason T. Greene wrote on 03/08/12 22:42:
On 3/8/12 6:09 PM, Bill Shannon wrote:
I've uploaded another proposal from our security team. Please review
and give us your feedback.

http://java.net/projects/javaee-spec/downloads/download/credential-ssl-config-ee7-proposal.pdf



Frankly the whole idea of sticking private keys and password databases in
deployments seems like a major hazard. Developers are used to copying these
around everywhere. I could easily see someone forgetting they have sensitive
information in here. People also tend to use short and bad passwords in
keystores which makes bruteforcing a PKCS12 file not that difficult.

Note that we *already* allow you to include clear text passwords in your code.
That's nothing new.  As always, you have to apply judgment when using these
mechanisms.

At least a password in the clear is an obvious security hazard. Why encourage this further?

JK


[javaee-spec users] [jsr342-experts] Improved Credential and SSL Configuration for EE 7

Bill Shannon 03/09/2012

[javaee-spec users] [jsr342-experts] Re: Improved Credential and SSL Configuration for EE 7

Jason T. Greene 03/09/2012

[javaee-spec users] [jsr342-experts] Re: Improved Credential and SSL Configuration for EE 7

Jeff Genender 03/09/2012

[javaee-spec users] [jsr342-experts] Re: Improved Credential and SSL Configuration for EE 7

Jevgeni Kabanov 03/09/2012

[javaee-spec users] [jsr342-experts] Re: Improved Credential and SSL Configuration for EE 7

Markus Eisele 03/09/2012

[javaee-spec users] [jsr342-experts] Re: Improved Credential and SSL Configuration for EE 7

Florent BENOIT 03/09/2012

[javaee-spec users] [jsr342-experts] Re: Improved Credential and SSL Configuration for EE 7

Minoru Nitta 03/09/2012

[javaee-spec users] [jsr342-experts] Re: Improved Credential and SSL Configuration for EE 7

Bill Shannon 03/09/2012

[javaee-spec users] [jsr342-experts] Re: Improved Credential and SSL Configuration for EE 7

Jevgeni Kabanov 03/09/2012

[javaee-spec users] [jsr342-experts] Re: Improved Credential and SSL Configuration for EE 7

Bill Shannon 03/09/2012

[javaee-spec users] [jsr342-experts] Re: Improved Credential and SSL Configuration for EE 7

Jason T. Greene 03/09/2012

[javaee-spec users] [jsr342-experts] Re: Improved Credential and SSL Configuration for EE 7

Bill Shannon 03/09/2012

[javaee-spec users] [jsr342-experts] Re: Improved Credential and SSL Configuration for EE 7

Jason T. Greene 03/09/2012

[javaee-spec users] [jsr342-experts] Re: Improved Credential and SSL Configuration for EE 7

IIDA Minehiko 03/10/2012
 
 
Close
loading
Please Confirm
Close