[Authentication] Applications storing secrets in configuration

Anders Rundgren anders.rundgren at telia.com
Wed May 22 09:06:32 PDT 2013


On 2013-05-22 17:49, Stef Walter wrote:
> On 18.05.2013 07:24, Anders Rundgren wrote:
>> On 2013-05-11 08:57, Stef Walter wrote:
>>> On 11.05.2013 08:18, Anders Rundgren wrote:
>>>> Having application-local secrets is fine but there are tons of applications
>>>> that rather need ACL-protected secrets (keys).
>>>>
>>>> It would for example be awesome dropping the gazillion key-passwords
>>>> stored (usually in clear) in various config files when you for example
>>>> deploy TLS-using application servers like JBoss.
>>>
>>> This is *exactly* what this proposal solves. It allows application
>>> servers (and desktop applications) and such to encrypt such passwords in
>>> their configuration in a standard manner rather than placing them there
>>> in the clear.
>>
>> This is not what I'm requesting.  Statically configured passwords in config
>> files (encrypted or not) do not add anything to the security of the system;
>> they are only a nuisance.  Such keys should IMO be managed by the OS, including
>> the execution of private/secret-key operations.
> 
> Right, that does make sense in many cases, and where that's the case, we
> should indeed be pushing down the private/secret-key operations to the OS level.

Who in the Open Source community is actually working with that?

Related:
http://goo.gl/DFLnS

> 
> But elsewhere plain ol' passwords are used by
> applications/infrastructure to access services such as email, websites,
> shared secrets in services, and so on. What this concept gives such
> applications is a way to store these appropriately.

I think this should be addressed at the OS level as well, like
it is in Android. For a developer it is very convenient to
just declare a file as private.

Anders

> 
> Cheers,
> 
> Stef