Posted to server-dev@james.apache.org by "Benoit Tellier (Jira)" <se...@james.apache.org> on 2021/09/06 10:44:00 UTC
[jira] [Closed] (JAMES-3641) A default JWT key is shipped in the default configuration
[ https://issues.apache.org/jira/browse/JAMES-3641?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Benoit Tellier closed JAMES-3641.
---------------------------------
Resolution: Fixed
Merged
> A default JWT key is shipped in the default configuration
> ---------------------------------------------------------
>
> Key: JAMES-3641
> URL: https://issues.apache.org/jira/browse/JAMES-3641
> Project: James Server
> Issue Type: Improvement
> Components: JMAP
> Reporter: Benoit Tellier
> Assignee: Antoine Duprat
> Priority: Major
> Labels: security
> Fix For: 3.7.0
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> A quick audit found that a JWT public key is specified in the default configuration, which goes against the principles expressed in https://www.mail-archive.com/server-dev@james.apache.org/msg70783.html - namely we should not specify default cryptographic materials which could be seen as back-doors if not replaced, and rather encourage people to generate their own.
> Here the people having the private key (not part of the repository) could gain JMAP access and use the given server.
> This JWT public key was required for JMAP based servers to start - a requirement I found could be relaxed. I thus propose to relax this requirement and drop the JWT public key, which is of use to no one as the corresponding private key had long been lost.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org