On Friday, March 9, 2012, Bill Shannon wrote:
> Jason T. Greene wrote on 03/08/12 22:42:
>
>> On 3/8/12 6:09 PM, Bill Shannon wrote:
>>
>>> I've uploaded another proposal from our security team. Please review
>>> and give us your feedback.
>>>
>>> http://java.net/projects/**javaee-spec/downloads/**
>>> download/credential-ssl-**config-ee7-proposal.pdf<http://java.net/projects/javaee-spec/downloads/download/credential-ssl-config-ee7-proposal.pdf>
>>>
>>>
>>>
>> Frankly the whole idea of sticking private keys and password databases in
>> deployments seems like a major hazard. Developers are used to copying
>> these
>> around everywhere. I could easily see someone forgetting they have
>> sensitive
>> information in here. People also tend to use short and bad passwords in
>> keystores which makes bruteforcing a PKCS12 file not that difficult.
>>
>
> Note that we *already* allow you to include clear text passwords in your
> code.
> That's nothing new. As always, you have to apply judgment when using these
> mechanisms.
>
At least a password in the clear is an obvious security hazard. Why
encourage this further?
JK