
[javaee-spec users] [jsr342-experts] Re: Improved Credential and SSL Configuration for EE 7

  • From: Bill Shannon <bill.shannon@...>
  • To: jsr342-experts@...
  • Subject: [javaee-spec users] [jsr342-experts] Re: Improved Credential and SSL Configuration for EE 7
  • Date: Fri, 09 Mar 2012 11:45:29 -0800
  • List-id: <jsr342-experts.javaee-spec.java.net>

Jevgeni Kabanov wrote on 03/09/12 11:04:


On Friday, March 9, 2012, Bill Shannon wrote:

    Jason T. Greene wrote on 03/08/12 22:42:

        On 3/8/12 6:09 PM, Bill Shannon wrote:

            I've uploaded another proposal from our security team. Please review
            and give us your feedback.

            http://java.net/projects/javaee-spec/downloads/download/credential-ssl-config-ee7-proposal.pdf



        Frankly the whole idea of sticking private keys and password databases in
        deployments seems like a major hazard. Developers are used to copying these
        around everywhere. I could easily see someone forgetting they have sensitive
        information in here. People also tend to use short and bad passwords in
        keystores which makes brute-forcing a PKCS12 file not that difficult.


    Note that we *already* allow you to include clear text passwords in your code.
    That's nothing new.  As always, you have to apply judgment when using these
    mechanisms.


At least a password in the clear is an obvious security hazard. Why encourage
this further?

I think the proposal does an even better job of making it clear what's
the security sensitive information in the application.
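As an added example (not part of this thread, and not code from the proposal or from any Java EE implementation), here is the kind of pre-release check that addresses the hazard Jason raises: scanning a deployment archive for bundled keystores and clear-text credentials so that an accidentally packaged key file or password is caught before the archive is copied around. The suffix lists, the credential pattern and the sample WAR built in memory are constructed assumptions; the scan also descends into nested jars, which the thread does not mention.

```python
"""Scan a WAR/EAR/JAR for bundled keystores and clear-text credentials.

Added example; not part of the mailing-list thread or the EE 7 proposal.
Suffix lists, the credential regex and the sample archive are assumptions.
"""
import io
import re
import zipfile

# File suffixes that commonly hold private keys or keystore material (assumed list).
KEYSTORE_SUFFIXES = (".p12", ".pfx", ".jks", ".keystore", ".pem", ".key")
# Text configuration files worth inspecting for embedded credentials (assumed list).
TEXT_SUFFIXES = (".properties", ".xml", ".yml", ".yaml", ".txt", ".conf")
# Nested archives that may themselves carry keys or configuration.
NESTED_SUFFIXES = (".war", ".jar", ".ear")
# Matches "db.password=hunter2", "passwd: x" or "<password>x</password>" (constructed pattern).
CREDENTIAL_RE = re.compile(
    r"(?i)(?:password|passwd|pwd|secret)\s*[=:>]\s*['\"]?([^\s'\"<]+)"
)


def scan_archive(data: bytes) -> list:
    """Return a list of (kind, location) findings for one archive given as bytes.

    kind is "keystore" or "credential"; nested archives are reported as
    "outer.jar!inner/path" and credentials as "file:lineno".
    Values that look like externalized placeholders (e.g. ${DB_PW}) are ignored,
    since they are exactly what a clear-text password should be replaced with.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            if lower.endswith(KEYSTORE_SUFFIXES):
                findings.append(("keystore", name))
            elif lower.endswith(NESTED_SUFFIXES):
                for kind, loc in scan_archive(zf.read(name)):
                    findings.append((kind, f"{name}!{loc}"))
            elif lower.endswith(TEXT_SUFFIXES):
                text = zf.read(name).decode("utf-8", errors="replace")
                for lineno, line in enumerate(text.splitlines(), 1):
                    m = CREDENTIAL_RE.search(line)
                    if m and not m.group(1).startswith("${"):
                        findings.append(("credential", f"{name}:{lineno}"))
    return findings


def build_inner_jar() -> bytes:
    """Constructed sample: a library jar that accidentally ships a client keystore."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("client.jks", b"\xfe\xed\xfe\xed not a real keystore")
    return buf.getvalue()


def build_sample_war() -> bytes:
    """Constructed sample: a WAR with one hard-coded password, one externalized
    placeholder, a bundled PKCS12 file and the nested jar above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>\n")
        zf.writestr(
            "WEB-INF/classes/app.properties",
            "db.url=jdbc:example\n"
            "db.password=hunter2\n"          # clear-text: should be flagged
            "mail.password=${MAIL_PW}\n",    # externalized placeholder: fine
        )
        zf.writestr("WEB-INF/classes/server.p12", b"\x30\x82 not a real keystore")
        zf.writestr("WEB-INF/lib/util.jar", build_inner_jar())
    return buf.getvalue()


if __name__ == "__main__":
    for kind, loc in scan_archive(build_sample_war()):
        print(f"{kind:10s} {loc}")
```

Run against a real archive with `scan_archive(open("app.war", "rb").read())`; a non-empty result is a reason to fail the build rather than merely log, since the point of the check is to stop the archive before it is copied anywhere else.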


