[jboss-jira] [JBoss JIRA] (WFCORE-3075) KeyStore password as default KeyManager password

Martin Choma (JIRA) issues at jboss.org
Tue May 15 05:03:00 EDT 2018


    [ https://issues.jboss.org/browse/WFCORE-3075?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13576353#comment-13576353 ] 

Martin Choma commented on WFCORE-3075:
--------------------------------------

On the other hand, by providing this feature, breaking the keystore is a matter of breaking the weaker protection of the two [1]. So it is a question whether we should support this bad practice.


[1] E. Security Considerations http://wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2018/02/ndss2018_02B-1_Focardi_paper.pdf

> KeyStore password as default KeyManager password
> ------------------------------------------------
>
>                 Key: WFCORE-3075
>                 URL: https://issues.jboss.org/browse/WFCORE-3075
>             Project: WildFly Core
>          Issue Type: Enhancement
>          Components: Security
>            Reporter: Jan Kalina
>            Priority: Critical
>              Labels: keymanager, keystore, trustmanager
>
> In Elytron, there is a keystore password (key-store resource) and a key password (key-managers resource) required.
> However, in theory there could be cases where no password can be intended:
> - key-store resource for truststore purposes (reading truststore) (but in legacy a password is required)
> - PKCS12 can be created without a key password (but a keystore password in legacy is required)
> - you can create JKS programmatically without a keystore password
> - *in legacy the key password is optional (which means the keystore password is used)*
> From discussion: We can make the password optional on the KeyManager so if no password is specified on the KeyManager we assume it is the one from the KeyStore.
> Created analysis document for this: https://developer.jboss.org/wiki/AnalysisDesign-KeyStorePasswordAsDefaultKeyManagerPassword
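The issue above relies on the JCA distinction between the keystore (integrity) password and the per-entry key password, and proposes that a missing key-manager password fall back to the keystore password. The following Java program is an added illustration written for this page; it is not Elytron or WildFly code, and the helper names (`resolveKeyPassword`, `buildStore`, `tryRecover`, the alias `demo`, and the constructed passwords) are assumptions. It builds an in-memory PKCS12 store with an entry protected by its own password, then shows that the fallback only recovers the key when the two passwords are the same, which is exactly the situation the comment warns about: one secret then guards both the store and the key.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class KeyPasswordFallbackDemo {

    // Hypothetical helper mirroring the behaviour proposed in WFCORE-3075:
    // an absent key-manager password falls back to the key-store password.
    static char[] resolveKeyPassword(char[] keyManagerPassword, char[] keyStorePassword) {
        return keyManagerPassword != null ? keyManagerPassword : keyStorePassword;
    }

    // Builds an in-memory PKCS12 store holding one AES secret-key entry whose
    // entry password may differ from the store (integrity) password.
    static byte[] buildStore(char[] storePassword, char[] entryPassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // fresh, empty store
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        ks.setEntry("demo", new KeyStore.SecretKeyEntry(key),
                new KeyStore.PasswordProtection(entryPassword));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, storePassword); // store password protects integrity only
        return out.toByteArray();
    }

    // Opens the store and tries to recover the entry the way a key manager
    // would, using the resolved key password. Returns true when the entry
    // could be unlocked, false when the password did not fit it.
    static boolean tryRecover(byte[] storeBytes, char[] storePassword,
                              char[] keyManagerPassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new ByteArrayInputStream(storeBytes), storePassword);
        char[] effective = resolveKeyPassword(keyManagerPassword, storePassword);
        try {
            return ks.getKey("demo", effective) != null;
        } catch (UnrecoverableKeyException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        char[] storePw = "store-secret".toCharArray(); // constructed sample value
        char[] entryPw = "entry-secret".toCharArray(); // constructed sample value

        // Case 1: distinct passwords. With no key-manager password configured,
        // the fallback hands the store password to getKey, which cannot unlock
        // the entry; only the explicit entry password does.
        byte[] distinct = buildStore(storePw, entryPw);
        System.out.println("distinct passwords, fallback to store password: "
                + tryRecover(distinct, storePw, null));
        System.out.println("distinct passwords, explicit key password:      "
                + tryRecover(distinct, storePw, entryPw));

        // Case 2: the legacy default the issue describes, store and entry share
        // one password. The fallback succeeds, but whoever recovers that single
        // password gets both the store contents and the private key material.
        byte[] shared = buildStore(storePw, storePw);
        System.out.println("shared password, fallback to store password:    "
                + tryRecover(shared, storePw, null));
    }
}
```

Run it with any JDK 8 or later (`javac KeyPasswordFallbackDemo.java && java KeyPasswordFallbackDemo`). The design choice worth noting for an Elytron deployment is that the fallback is only convenient when the two passwords already coincide, so enabling it encourages exactly the shared-secret configuration whose weaker protection the comment above objects to; keeping a distinct key-manager password costs one extra credential reference.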
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)