[Authentication] Applications storing secrets in configuration
Stef Walter
stef at thewalter.net
Wed May 22 08:49:54 PDT 2013
On 18.05.2013 07:24, Anders Rundgren wrote:
> On 2013-05-11 08:57, Stef Walter wrote:
>> On 11.05.2013 08:18, Anders Rundgren wrote:
>>> Having application-local secrets is fine but there are tons of applications
>>> that rather need ACL-protected secrets (keys).
>>>
>>> It would for example be awesome dropping the gazillion key-passwords
>>> stored (usually in clear) in various config files when you for example
>>> deploy TLS-using application servers like JBoss.
>>
>> This is *exactly* what this proposal solves. It allows application
>> servers (and desktop applications) and such to encrypt such passwords in
>> their configuration in a standard manner rather than placing them there
>> in the clear.
>
> This is not what I'm requesting. Statically configured passwords in config
> files (encrypted or not) do not add anything to the security of the system,
> they are only a nuisance. Such keys should IMO be managed by the OS including
> the execution of private/secret-key operations.
Right, that does make sense in many cases, and where that's the case, we
should indeed be pushing down the private/secret-key operations to the
OS level.
But elsewhere plain ol' passwords are used by
applications/infrastructure to access services such as email, websites,
shared secrets in services, and so on. What this concept gives such
applications is a way to store these appropriately.
Cheers,
Stef
--
stef at thewalter.net
http://stef.thewalter.net