jsr342-experts@javaee-spec.java.net

[jsr342-experts] Re: Improved Credential and SSL Configuration for EE 7

From: Jason T. Greene <jason.greene_at_redhat.com>
Date: Fri, 09 Mar 2012 00:42:16 -0600

On 3/8/12 6:09 PM, Bill Shannon wrote:
> I've uploaded another proposal from our security team. Please review
> and give us your feedback.
>
> http://java.net/projects/javaee-spec/downloads/download/credential-ssl-config-ee7-proposal.pdf
>

Frankly the whole idea of sticking private keys and password databases
in deployments seems like a major hazard. Developers are used to copying
these around everywhere. I could easily see someone forgetting they have
sensitive information in here. People also tend to use short and bad
passwords in keystores which makes bruteforcing a PKCS12 file not that
difficult.

-- 
Jason T. Greene
JBoss AS Lead / EAP Platform Architect
JBoss, a division of Red Hat