users@javaee-spec.java.net

[javaee-spec users] [jsr342-experts] Re: Improved Credential and SSL Configuration for EE 7

From: Minoru Nitta <minoru.nitta_at_jp.fujitsu.com>
Date: Fri, 09 Mar 2012 22:32:15 +0900

I agree. This is an interesting idea, but there may be security issues
to be considered carefully.

Minoru

> On 3/8/12 6:09 PM, Bill Shannon wrote:
> > I've uploaded another proposal from our security team. Please review
> > and give us your feedback.
> >
> > http://java.net/projects/javaee-spec/downloads/download/credential-ssl-config-ee7-proposal.pdf
> >
>
> Frankly the whole idea of sticking private keys and password databases
> in deployments seems like a major hazard. Developers are used to copying
> these around everywhere. I could easily see someone forgetting they have
> sensitive information in here. People also tend to use short and bad
> passwords in keystores, which makes brute-forcing a PKCS12 file not that
> difficult.
>
> --
> Jason T. Greene
> JBoss AS Lead / EAP Platform Architect
> JBoss, a division of Red Hat