True. This scenario is always difficult because any encryption you use has to be reversible. The only way to fully protect data then is with a private key known only to the user. This has two problems in the Ant world - first, it requires interaction, which doesn't allow automated builds, and second, for this case, it means you have to enter a password to decode your passwords. Kinda silly. :-) You can also do some magic with certificates, but managing those isn't trivial.
For at least the first pass, I'm considering exactly the sort of thing CVS uses - no, you can't truly call it encryption, but it at least protects your passwords from casual viewers - and lets you protect the password file itself on systems that support that sort of thing. Rather than the CVS encoding, I'm thinking of using base64, however. I'm also looking at the keytool functionality, but since the security toolset differs in Java 1.1, I'm not sure this a good direction to go. Comments? Stefan Bodewig wrote: > >>>>> "RV" == Roger Vaughn <[EMAIL PROTECTED]> writes: > > RV> Perhaps we need a password storage utility similar to way cvs > RV> login handles things - encoding the passwords in a private file. > > You can't really talk of encoding with CVS (and the docs are quite > clear about this). > > Apart from that, if you find a decent approach for that, make it > reusable for SignJar, GenerateKey or whatever and submit it 8^). > > Stefan
