Posted to server-dev@james.apache.org by "Benoit Tellier (Jira)" <se...@james.apache.org> on 2021/08/29 10:54:00 UTC
[jira] [Created] (JAMES-3641) A default JWT key is shipped in the default configuration
Benoit Tellier created JAMES-3641:
-------------------------------------
Summary: A default JWT key is shipped in the default configuration
Key: JAMES-3641
URL: https://issues.apache.org/jira/browse/JAMES-3641
Project: James Server
Issue Type: Improvement
Components: JMAP
Reporter: Benoit Tellier
Assignee: Antoine Duprat
Fix For: 3.7.0
A quick audit found that a JWT public key is specified in the default configuration, which goes against the principles expressed in https://www.mail-archive.com/server-dev@james.apache.org/msg70783.html - namely we should not specify default cryptographic materials which could be seen as back-doors if not replaced, and rather encourage people to generate their own.
Here the people having the private key (not part of the repository) could gain JMAP access and use the given server.
This JWT public key was required for JMAP based servers to start - a requirement I found could be relaxed. I thus propose to relax this requirement and drop the JWT-public-key which is of use to no one as the corresponding private key had long been lost.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
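The risk the report describes, worked through as an added example (this is not James code and not the fix that shipped in 3.7.0, which relaxed the start-up requirement and dropped the key). A server that verifies RS256 JWTs trusts any token whose signature checks out under the configured public key, so whoever holds the private half of a key shipped in a default configuration can mint a token for any subject. The example generates a throw-away RSA key pair as a stand-in for the shipped key (the real key material is not on the page), signs a token with it, shows the server accepting it, and then shows a start-up guard that treats an absent key as "JWT auth disabled" and refuses a key whose SPKI fingerprint matches the shipped default; the fingerprint check is this example's own design, not the project's.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// signRS256 builds a compact JWT (header.payload.signature) over claims,
// signed with RSASSA-PKCS1-v1_5 over SHA-256, i.e. the RS256 algorithm.
func signRS256(priv *rsa.PrivateKey, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	signingInput := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// verifyRS256 is the server side: whoever can produce a signature that checks
// out under the configured public key is trusted, and its claims are returned.
func verifyRS256(pub *rsa.PublicKey, token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	enc := base64.RawURLEncoding
	hdrBytes, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	// The server pins the algorithm; the token never gets to choose it.
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected alg")
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	body, err := enc.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	return claims, json.Unmarshal(body, &claims)
}

// spkiFingerprint is hex(SHA-256(DER SubjectPublicKeyInfo)): a stable id for a
// public key that does not depend on PEM line wrapping or whitespace.
func spkiFingerprint(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

// loadJWTVerifier is the start-up guard (this example's design): no key means
// JWT auth is simply disabled, never silently backed by a built-in key, and a
// key matching the shipped default fingerprint is refused outright.
func loadJWTVerifier(configured *rsa.PublicKey, shippedDefaultFP string) (*rsa.PublicKey, error) {
	if configured == nil {
		return nil, nil
	}
	fp, err := spkiFingerprint(configured)
	if err != nil {
		return nil, err
	}
	if fp == shippedDefaultFP {
		return nil, errors.New("refusing shipped default JWT public key; generate your own")
	}
	return configured, nil
}

func main() {
	// Stand-in for the shipped key: here we hold the private half, as the
	// party the report worries about would.
	shipped, _ := rsa.GenerateKey(rand.Reader, 2048)
	tok, _ := signRS256(shipped, map[string]any{"sub": "admin@example.org"})
	claims, err := verifyRS256(&shipped.PublicKey, tok) // accepted: server trusts the default key
	fmt.Println("naive server:", claims, err)
	fp, _ := spkiFingerprint(&shipped.PublicKey)
	_, err = loadJWTVerifier(&shipped.PublicKey, fp) // refused at start-up
	fmt.Println("guarded server:", err)
}
```

The guard is the cheap mitigation an operator can apply while a release still carries default key material: compare the configured key's fingerprint against the known default and fail closed. The proper fix, as the report proposes, is to ship no key at all and let JMAP start without one.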