Benoit Tellier created JAMES-3641:
-------------------------------------

             Summary: A default JWT key is shipped in the default configuration
                 Key: JAMES-3641
                 URL: https://issues.apache.org/jira/browse/JAMES-3641
             Project: James Server
          Issue Type: Improvement
          Components: JMAP
            Reporter: Benoit Tellier
            Assignee: Antoine Duprat
             Fix For: 3.7.0


A quick audit found that a JWT public key is specified in the default 
configuration, which goes against the principles expressed in 
https://www.mail-archive.com/[email protected]/msg70783.html - namely 
we should not specify default cryptographic materials which could be seen as 
back-doors if not replaced, and rather encourage people to generate their own.

Here the people having the private key (not part of the repository) could gain 
JMAP access and use the given server.

This JWT public key was required for JMAP based servers to start - a 
requirement I found could be relaxed. I thus propose to relax this requirement 
and drop the JWT public key, which is of use to no one as the corresponding 
private key had long been lost.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
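As an added illustration of the operational side of this issue (not James project code), the following check fingerprints the JWT public key referenced by a James-style jmap.properties and flags it if it matches a key known to ship inside a public distribution; the property name `jwt.publickeypem.url`, the file mapping and the sample key are assumptions or constructed data.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", re.S)

# Constructed sample key body, NOT a real key: it stands in for a key that
# ships inside a public distribution and must therefore be replaced.
SAMPLE_DEFAULT_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + base64.b64encode(b"constructed placeholder, not a real key").decode()
    + "\n-----END PUBLIC KEY-----\n")
# Constructed sample jmap.properties; the property name is an assumption.
SAMPLE_PROPERTIES = "# JMAP config\njwt.publickeypem.url=file://conf/jwt_publickey\n"


def pem_fingerprint(pem_text):
    """SHA-256 hex digest of the DER bytes inside the first PUBLIC KEY block."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no PUBLIC KEY block found")
    der = base64.b64decode("".join(match.group(1).split()), validate=True)
    return hashlib.sha256(der).hexdigest()


def parse_properties(text):
    # Minimal key=value parser for a Java .properties file; comments are skipped.
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit_jwt_key(properties_text, key_files, known_default_fps):
    """Return findings (empty list = nothing flagged). key_files maps the
    configured file:// URL to PEM text, standing in for a filesystem read."""
    url = parse_properties(properties_text).get("jwt.publickeypem.url")
    if url is None:
        return []  # JWT auth not configured, so there is no default key to replace
    pem = key_files.get(url)
    if pem is None:
        return [f"jwt.publickeypem.url points to a missing file: {url}"]
    try:
        fp = pem_fingerprint(pem)
    except ValueError as exc:
        return [f"{url}: {exc}"]
    if fp in known_default_fps:
        return [f"{url}: JWT public key is a shipped default (sha256 {fp[:16]}...), generate your own key pair"]
    return []
```

Populate the known-default set with fingerprints taken from the distribution artifacts you actually deploy; the audit passes when JWT is left unconfigured, which is what the relaxed startup requirement in this issue allows.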
