[Authentication] Applications storing secrets in configuration
Stef Walter
stef at thewalter.net
Fri May 10 23:57:41 PDT 2013
On 11.05.2013 08:18, Anders Rundgren wrote:
> Having application-local secrets is fine but there are tons of applications
> that rather need ACL-protected secrets (keys).
>
> It would for example be awesome to drop the gazillion key-passwords
> stored (usually in clear) in various config files when you for example
> deploy TLS-using application servers like JBoss.
This is *exactly* what this proposal solves. It allows application
servers (and desktop applications) and such to encrypt such passwords in
their configuration in a standard manner rather than placing them there
in the clear.
> On the mobile scene, doesn't Android effectively offer sandboxed applications
> including protected storage? Encrypting the data should IMO be a minor
> OS addition
Agreed, encryption is secondary to sandboxing. And this proposal
facilitates that. Hence the support for the 'null' keys outlined below,
so that when code is built for such a platform it can use the same
library and code paths, but its data is not encrypted.
> and not particularly related to GCR.
This has nothing to do with GCR.
> I guess this really boils down to what "market" you are looking at, right?
>
> Just my 2 öres.
Thanks,
Stef
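The design Stef describes above (one library and one code path for sealing secrets in configuration, with a 'null' key on sandboxed platforms that stores the data unencrypted), sketched as an added example that is not code from the thread or from the proposal it discusses; the `ENC[scheme:base64]` value format, the key names and the stdlib HMAC-based encrypt-then-MAC construction are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets


class NullKey:
    """'null' key: same API, but the stored value is not encrypted.
    Meant for platforms where the OS sandbox already protects the config."""
    name = "null"

    def seal(self, plaintext: bytes) -> bytes:
        return plaintext

    def open(self, blob: bytes) -> bytes:
        return blob


class HmacCtrKey:
    """Real key: HMAC-SHA256 as a counter-mode keystream plus an HMAC tag
    (encrypt-then-MAC). Assumed construction, chosen so the example runs
    with the standard library only."""
    name = "hmac-ctr"

    def __init__(self, key: bytes):
        self.enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        blocks = (hmac.new(self.enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range((n + 31) // 32))
        return b"".join(blocks)[:n]

    def seal(self, plaintext: bytes) -> bytes:
        nonce = secrets.token_bytes(16)  # fresh per value, never reused with this key
        ct = bytes(a ^ b for a, b in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def open(self, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):  # wrong key or edited config value
            raise ValueError("sealed secret failed authentication")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))


def store_secret(key, value: str) -> str:
    """Produce the string to write into the config file (assumed ENC[...] format)."""
    return f"ENC[{key.name}:{base64.b64encode(key.seal(value.encode())).decode()}]"


def load_secret(key, stored: str) -> str:
    """Reverse of store_secret; values without the marker are legacy clear text."""
    if not (stored.startswith("ENC[") and stored.endswith("]")):
        return stored
    scheme, b64 = stored[4:-1].split(":", 1)
    if scheme != key.name:  # refuse to silently mix null and real keys
        raise ValueError(f"value sealed with {scheme!r}, loader has {key.name!r}")
    return key.open(base64.b64decode(b64)).decode()
```

The same application code calls `store_secret`/`load_secret` on every platform; only the key object differs, and a config file sealed under `null` is visibly labelled as unencrypted.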