users@javaee-spec.java.net

[javaee-spec users] [jsr342-experts] Re: Improved Credential and SSL Configuration for EE 7

From: Florent BENOIT <Florent.Benoit_at_ow2.org>
Date: Fri, 09 Mar 2012 10:20:50 +0100

Agreed also. This shouldn't be in deployments

Florent

On 03/09/2012 10:11 AM, Markus Eisele wrote:
> Again, totally agree. This is nothing I would like to see in deployments.
>
> -M
>
> On 9 March 2012 07:42, Jason T. Greene <jason.greene_at_redhat.com> wrote:
>> On 3/8/12 6:09 PM, Bill Shannon wrote:
>>> I've uploaded another proposal from our security team. Please review
>>> and give us your feedback.
>>>
>>>
>>> http://java.net/projects/javaee-spec/downloads/download/credential-ssl-config-ee7-proposal.pdf
>>>
>> Frankly the whole idea of sticking private keys and password databases in
>> deployments seems like a major hazard. Developers are used to copying these
>> around everywhere. I could easily see someone forgetting they have sensitive
>> information in here. People also tend to use short and bad passwords in
>> keystores which makes bruteforcing a PKCS12 file not that difficult.
>>
>> --
>> Jason T. Greene
>> JBoss AS Lead / EAP Platform Architect
>> JBoss, a division of Red Hat
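The hazard Jason describes (keystores and private keys copied around inside deployment archives until somebody forgets they are there) is one a build pipeline can catch before the archive leaves the developer's machine. The following is an added example, not code from this thread or from the JSR 342 proposal: a Python scanner that walks a WAR/EAR/JAR, recurses into nested jars, and flags entries by content (JKS and JCEKS magic bytes, PEM private-key markers, the DER shape of a PKCS#12 file) rather than by file name alone. The sample archive it builds, its entry names and the filler bytes after the JKS header are all constructed for the demonstration and are not a usable keystore.

```python
import io
import re
import zipfile

# Markers for the key material the thread warns against shipping in deployments.
JKS_MAGIC = b"\xfe\xed\xfe\xed"      # Java KeyStore (JKS) file header
JCEKS_MAGIC = b"\xce\xce\xce\xce"    # JCEKS file header
PEM_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----")
KEYSTORE_EXTENSIONS = (".jks", ".jceks", ".p12", ".pfx", ".pem", ".key")
NESTED_ARCHIVE_EXTENSIONS = (".jar", ".war", ".rar", ".zip")


def classify(name, data):
    """Label the key material in one archive entry, or return None if it looks harmless."""
    if data.startswith(JKS_MAGIC):
        return "JKS keystore"
    if data.startswith(JCEKS_MAGIC):
        return "JCEKS keystore"
    if PEM_KEY_RE.search(data):
        return "PEM private key"
    # PKCS#12 is DER: an outer SEQUENCE (0x30) whose first element is INTEGER version 3.
    if data[:1] == b"\x30" and b"\x02\x01\x03" in data[:8]:
        return "PKCS#12 keystore (probable)"
    # Last resort: the name says keystore even if the content was not recognised.
    if name.lower().endswith(KEYSTORE_EXTENSIONS):
        return "keystore-named file"
    return None


def scan_archive(archive_bytes, prefix=""):
    """Walk a WAR/EAR/JAR (zip) and any nested archives; return [(path, label), ...]."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            data = zf.read(info)
            # Nested jars (e.g. WEB-INF/lib) are where stray keys hide; recurse into them.
            if (info.filename.lower().endswith(NESTED_ARCHIVE_EXTENSIONS)
                    and zipfile.is_zipfile(io.BytesIO(data))):
                findings.extend(scan_archive(data, prefix=path + "!"))
                continue
            label = classify(info.filename, data)
            if label:
                findings.append((path, label))
    return findings


def deployment_is_clean(archive_bytes):
    """Policy gate for a build pipeline: True only if no key material was found."""
    return not scan_archive(archive_bytes)


def _zip_bytes(entries):
    """Build an in-memory zip from {name: bytes} (helper for the constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_war():
    """Constructed sample: a WAR with a stray JKS keystore and a PEM key inside a nested jar.
    Only the header bytes are the real JKS magic; everything after is filler."""
    nested_jar = _zip_bytes({
        "util/Helper.class": b"\xca\xfe\xba\xbe" + b"\x00" * 16,
        "secrets/server.key": (b"-----BEGIN RSA PRIVATE KEY-----\n"
                               b"MIIE...(constructed placeholder)...\n"
                               b"-----END RSA PRIVATE KEY-----\n"),
    })
    return _zip_bytes({
        "WEB-INF/web.xml": b"<?xml version='1.0'?><web-app/>",
        "WEB-INF/classes/app.properties": b"db.url=jdbc:postgresql://db.example/app\n",
        "WEB-INF/keystore.jks": JKS_MAGIC + b"\x00\x00\x00\x02" + b"\x00" * 32,
        "WEB-INF/lib/util.jar": nested_jar,
    })


if __name__ == "__main__":
    for path, label in scan_archive(build_sample_war()):
        print(f"{label}: {path}")
```

Wired in as a pre-deploy or CI step (`deployment_is_clean` as the gate), this turns the "someone forgot the keystore was in there" failure into a build break, which is the point of keeping credentials out of the archive in the first place. Content-based detection matters because a renamed `keystore.jks` or a PEM key dropped into a `.properties` file passes any extension-only check.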