You are viewing a plain text version of this content. The canonical link for it is here.

Posted to server-dev@james.apache.org by "Benoit Tellier (Jira)" <se...@james.apache.org> on 2021/08/29 10:54:00 UTC

[jira] [Created] (JAMES-3641) A default JWT key is shipped in the default configuration

Benoit Tellier created JAMES-3641:
-------------------------------------

             Summary: A default JWT key is shipped in the default configuration
                 Key: JAMES-3641
                 URL: https://issues.apache.org/jira/browse/JAMES-3641
             Project: James Server
          Issue Type: Improvement
          Components: JMAP
            Reporter: Benoit Tellier
            Assignee: Antoine Duprat
             Fix For: 3.7.0


A quick audit found that a JWT public key is specified in the default configuration, which goes against the principles expressed in https://www.mail-archive.com/server-dev@james.apache.org/msg70783.html - namely we should not specify default cryptographic materials which could be seen as back-doors if not replaced, and rather encourage people to generate their owns.

Here the people having the private key (not part of the repository) could gain JMAP access and use the given server.

This JWT public key was required for JMAP based servers to start - a requirement I found could be relaxed. I thus propose to relax this requirement and drop the JWT-public-key wich is of use to noone as the corresponding  private key had long been lost.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org