Jevgeni Kabanov wrote on 03/09/12 11:04:
>
>
> On Friday, March 9, 2012, Bill Shannon wrote:
>
> Jason T. Greene wrote on 03/08/12 22:42:
>
> On 3/8/12 6:09 PM, Bill Shannon wrote:
>
> I've uploaded another proposal from our security team. Please review
> and give us your feedback.
>
> http://java.net/projects/__javaee-spec/downloads/__download/credential-ssl-__config-ee7-proposal.pdf
> <http://java.net/projects/javaee-spec/downloads/download/credential-ssl-config-ee7-proposal.pdf>
>
>
>
> Frankly the whole idea of sticking private keys and password databases in
> deployments seems like a major hazard. Developers are used to copying these
> around everywhere. I could easily see someone forgetting they have sensitive
> information in here. People also tend to use short and bad passwords in
> keystores which makes bruteforcing a PKCS12 file not that difficult.
>
>
> Note that we *already* allow you to include clear text passwords in your code.
> That's nothing new. As always, you have to apply judgment when using these
> mechanisms.
>
>
> At least a password in the clear is an obvious security hazard. Why encourage
> this further?
I think the proposal does an even better job of making it clear what's
the security sensitive information in the application.