[aerogear-dev] Push server...master secrets, secrets and some refactoring proposal
Matthias Wessendorf
matzew at apache.org
Wed Apr 16 14:09:52 EDT 2014
Not read the thread - will do next week (traveling atm)
But one thing I noticed
On Wednesday, April 16, 2014, Bruno Oliveira <bruno at abstractj.org> wrote:
> Ahoy, answers inline
>
>
> > And second question, I know Security is not often a good mate with UX
> but ,
> > the console will never show the master/variant secret anymore ?
>
> Also correct. There is nothing set in stone, is just a proposal, because
> atm anyone with read access do the database could impersonate push
> applications.
I think we would need to continue having IDs/secrets visible on the UI
IMO It's very hard to use Push server, w/o that information; again I didnt
read the entire thread yet
Perhsps, we could hide the key (***************) for read-only users; but I
think the overall concern is having them in the DB. My guess is that we
need to have them being stored on the DB
-Matthias
> Another alternative would be to have a single key to the
> whole database and only derive the IV, but that would defeat the purpose.
>
> In addition I discussed the possibility of make use of vaults from
> Wildfly, but it's not ready yet
> (http://lists.jboss.org/pipermail/security-dev/2014-April/001557.html).
> Is only available for datasources. That's why I would like to hear about
> the impact of this change and why the master secret/secret must be
> persisted.
>
> --
> abstractj
>
>
>
--
Sent from Gmail Mobile
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/aerogear-dev/attachments/20140416/189bc529/attachment.html
More information about the aerogear-dev
mailing list