[javaee-spec users] [jsr342-experts] Re: Improved Credential and SSL Configuration for EE 7

From: Jevgeni Kabanov
Date: Fri, 9 Mar 2012 21:04:31 +0200

On Friday, March 9, 2012, Bill Shannon wrote:

> Jason T. Greene wrote on 03/08/12 22:42:
>> On 3/8/12 6:09 PM, Bill Shannon wrote:
>>> I've uploaded another proposal from our security team. Please review
>>> and give us your feedback.
>>> download/credential-ssl-config-ee7-proposal.pdf
>> Frankly the whole idea of sticking private keys and password databases in
>> deployments seems like a major hazard. Developers are used to copying these
>> around everywhere. I could easily see someone forgetting they have sensitive
>> information in here. People also tend to use short and bad passwords in
>> keystores, which makes brute-forcing a PKCS12 file not that difficult.
> Note that we *already* allow you to include clear-text passwords in your
> code. That's nothing new. As always, you have to apply judgment when using
> these mechanisms.

At least a password in the clear is an obvious security hazard. Why
encourage this further?