[jboss-user] [JBossWS] - Re: is it safe to pack keystore file in my application and s

[PeterJ]

I have also been contemplating something similar, but came up with several reasons why this would not be a good idea.

First, using keytool to generate a certificate is fine for development, test and even perhaps internal use. But if the application will be interacting with users outside of the company then you will want to get a certificate from a valid certificate authority such as VeriSign. That of course costs money, though if you charge for your product you could always include the cost of the certificate in the cost of the product.

Second, each customer needs its own certificate. That is, you cannot generate a single certificate and use it for every customer. This then becomes a packaging issue - you cannot simply generate a stack of CDs and give one to each customer - each CD has to be custom made.

Third, the certificate has a public and private key. The more people who handle the private key the more likely it is to be compromised. As a business concerned about maintaining privacy, both of my own information and that of my customers (since violating customer privacy can result in various government-imposed penalties), I would not want anyone else to have access to my private key.

These are the ones I have thought of so far. My current thought is to offer to generate a certificate using keytool as part of the installation of my product, or allow the customer to provide information about the keystore that the customer has set up (presumably with a certificate from an authority such as VeriSign) and have the installer hook up to that keystore.  While this might not be as convenient, it is more secure.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4028879#4028879

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4028879