users@javaee-spec.java.net

[javaee-spec users] [jsr342-experts] Re: Improved Credential and SSL Configuration for EE 7

From: Markus Eisele <myfear_at_web.de>
Date: Fri, 9 Mar 2012 10:11:31 +0100

Again, totally agree. This is nothing I would like to see in deployments.

-M

On 9 March 2012 07:42, Jason T. Greene <jason.greene_at_redhat.com> wrote:
> On 3/8/12 6:09 PM, Bill Shannon wrote:
>>
>> I've uploaded another proposal from our security team. Please review
>> and give us your feedback.
>>
>>
>> http://java.net/projects/javaee-spec/downloads/download/credential-ssl-config-ee7-proposal.pdf
>>
>
> Frankly, the whole idea of sticking private keys and password databases in
> deployments seems like a major hazard. Developers are used to copying these
> around everywhere. I could easily see someone forgetting they have sensitive
> information in here. People also tend to use short and bad passwords in
> keystores, which makes brute-forcing a PKCS12 file not that difficult.
>
> --
> Jason T. Greene
> JBoss AS Lead / EAP Platform Architect
> JBoss, a division of Red Hat
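As an added, defender-side illustration of the concern raised in the quoted message (this is not code from the thread or from the proposal): a scan of a deployment archive for bundled keystores, PEM private keys and plaintext password properties, run over a constructed sample WAR. The file names, the `.properties` password pattern and the sample contents are assumptions made for the example.

```python
import io
import re
import zipfile

# Markers that identify credential material inside a deployment archive (assumed set).
PEM_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----")
JKS_MAGIC = b"\xfe\xed\xfe\xed"          # Java KeyStore (JKS) file header
PKCS12_MAGIC = b"\x30\x82"               # DER SEQUENCE, long-form length; typical of PKCS#12
KEYSTORE_EXTS = (".p12", ".pfx", ".jks", ".keystore")
PASSWORD_PROP_RE = re.compile(rb"(?im)^\s*[\w.\-]*password\s*=\s*\S")

def classify(name, data):
    """Return a finding label for one archive entry, or None if it looks harmless."""
    lower = name.lower()
    if data.startswith(JKS_MAGIC):
        return "jks-keystore"
    # DER prefix alone also matches certificates, so gate PKCS#12 on the extension too.
    if lower.endswith(KEYSTORE_EXTS) and data.startswith(PKCS12_MAGIC):
        return "pkcs12-keystore"
    if PEM_KEY_RE.search(data[:4096]):
        return "pem-private-key"
    if lower.endswith(".properties") and PASSWORD_PROP_RE.search(data):
        return "plaintext-password-property"
    return None

def scan_archive(archive_bytes):
    """Scan a WAR/EAR/JAR (zip) and return (path, label) for every suspicious entry."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            label = classify(info.filename, zf.read(info))
            if label:
                findings.append((info.filename, label))
    return findings

def build_sample_war():
    """Constructed sample deployment for the demo; not a real application."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("WEB-INF/classes/app.properties", "db.url=jdbc:x\ndb.password=hunter2\n")
        zf.writestr("WEB-INF/ssl/server.jks", JKS_MAGIC + b"\x00\x00\x00\x02" + b"\x00" * 16)
        zf.writestr("WEB-INF/ssl/client.p12", b"\x30\x82\x01\x00" + b"\x00" * 16)
        zf.writestr("WEB-INF/ssl/key.pem", b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n")
        zf.writestr("WEB-INF/classes/Main.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()

if __name__ == "__main__":
    for path, label in scan_archive(build_sample_war()):
        print(f"{label:30} {path}")
```

Running the same scan in a build or deployment pipeline flags the archives that carry keys or password material before they are copied around.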