[ https://issues.apache.org/jira/browse/JAMES-3641?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Benoit Tellier closed JAMES-3641.
---------------------------------
Resolution: Fixed
Merged
> A default JWT key is shipped in the default configuration
> ---------------------------------------------------------
>
> Key: JAMES-3641
> URL: https://issues.apache.org/jira/browse/JAMES-3641
> Project: James Server
> Issue Type: Improvement
> Components: JMAP
> Reporter: Benoit Tellier
> Assignee: Antoine Duprat
> Priority: Major
> Labels: security
> Fix For: 3.7.0
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> A quick audit found that a JWT public key is specified in the default
> configuration, which goes against the principles expressed in
> https://www.mail-archive.com/[email protected]/msg70783.html -
> namely we should not specify default cryptographic materials which could be
> seen as back-doors if not replaced, and rather encourage people to generate
> their own.
> Here the people having the private key (not part of the repository) could
> gain JMAP access and use the given server.
> This JWT public key was required for JMAP based servers to start - a
> requirement I found could be relaxed. I thus propose to relax this
> requirement and drop the JWT public key, which is of use to no one as the
> corresponding private key had long been lost.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
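The startup check the issue argues for, as an added example that is not James code: a configured JWT verification key is optional (JWT auth is simply disabled when absent, instead of refusing to start), and a key whose fingerprint matches material known to have shipped in a default configuration is rejected. The config key name `jwt.publickeypem`, the PEM contents and the deny-list entry are constructed for this example.

```python
import base64
import hashlib
import re
from typing import Optional

_PEM_RE = re.compile(
    r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", re.S
)

# Constructed stand-in for a key that once shipped in a default config.
# The body is not real DER; only its fingerprint matters for the check.
SHIPPED_DEFAULT_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + base64.b64encode(b"constructed-shipped-default-key").decode()
    + "\n-----END PUBLIC KEY-----\n"
)


def pem_fingerprint(pem: str) -> str:
    """SHA-256 over the base64-decoded PEM body (hex), ignoring whitespace."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("not a PEM public key block")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()


# Deny-list of fingerprints for key material that was ever shipped by default.
KNOWN_DEFAULT_FINGERPRINTS = {pem_fingerprint(SHIPPED_DEFAULT_PEM)}


def check_jwt_key(config: dict) -> str:
    """Classify the JWT key configuration:
    'disabled'  - no key configured, JWT auth is off but the server may start
    'rejected'  - the configured key is a known shipped default
    'ok'        - an operator-supplied key"""
    pem: Optional[str] = config.get("jwt.publickeypem")
    if pem is None:
        return "disabled"
    if pem_fingerprint(pem) in KNOWN_DEFAULT_FINGERPRINTS:
        return "rejected"
    return "ok"


def jwt_verification_key(config: dict) -> Optional[str]:
    """Return the PEM to verify JWTs with, None when JWT auth is disabled;
    refuse to start with a shipped default key."""
    status = check_jwt_key(config)
    if status == "rejected":
        raise ValueError("refusing shipped default JWT public key; generate your own")
    return None if status == "disabled" else config["jwt.publickeypem"]
```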