[aerogear-dev] Push server...master secrets, secrets and some refactoring proposal

Bruno Oliveira bruno at abstractj.org
Wed Apr 16 13:51:48 EDT 2014


Ahoy, answers inline

Sebastien Blanc wrote:
> Sorry dummy question but at application creation time (and when resetting
> the secret), in the response of the POST, the master secret should be
> returned to the user, right? Otherwise he will never get it.
You are correct.

> And second question, I know Security is not often a good mate with UX but,
> the console will never show the master/variant secret anymore?

Also correct. There is nothing set in stone, it is just a proposal, because
atm anyone with read access to the database could impersonate push
applications. Another alternative would be to have a single key to the
whole database and only derive the IV, but that would defeat the purpose.

In addition I discussed the possibility of making use of vaults from
Wildfly, but it's not ready yet
(http://lists.jboss.org/pipermail/security-dev/2014-April/001557.html).
It is only available for datasources. That's why I would like to hear about
the impact of this change and why the master secret/secret must be
persisted.

-- 
abstractj
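One way to implement the property discussed in the message above (the master secret is handed back only in the create and reset responses, and what the push server persists cannot be used to impersonate an application), as an added Python example that is not AeroGear's code. The in-memory application table, the ids and the function names are constructed for illustration; the scrypt parameters are an assumption to be tuned per deployment.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the push server's application table.
APPLICATIONS = {}


def _hash_secret(secret, salt):
    # Salted, memory-hard digest; parameters are illustrative (16 MiB of memory).
    return hashlib.scrypt(secret.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def create_application(name):
    """Create a push application and return its master secret exactly once.
    Only a salted digest is stored, so reading the table does not yield the secret."""
    app_id = secrets.token_hex(8)
    master_secret = secrets.token_urlsafe(32)
    salt = secrets.token_bytes(16)
    APPLICATIONS[app_id] = {
        "name": name,
        "salt": salt,
        "digest": _hash_secret(master_secret, salt),
    }
    return app_id, master_secret


def reset_master_secret(app_id):
    """Rotate the master secret; the new value is again returned only in this response."""
    record = APPLICATIONS[app_id]
    new_secret = secrets.token_urlsafe(32)
    record["salt"] = secrets.token_bytes(16)
    record["digest"] = _hash_secret(new_secret, record["salt"])
    return new_secret


def authenticate(app_id, presented_secret):
    """Check a secret presented on a push request against the stored digest."""
    record = APPLICATIONS.get(app_id)
    if record is None:
        return False
    candidate = _hash_secret(presented_secret, record["salt"])
    # Constant-time comparison so timing does not leak digest prefixes.
    return hmac.compare_digest(candidate, record["digest"])


def table_exposes_secret(app_id, master_secret):
    """What someone with read access to the table can see: never the secret itself."""
    return master_secret in repr(APPLICATIONS[app_id])
```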
