tomcat-dev mailing list archives

From "Craig R. McClanahan" <craig...@apache.org>
Subject Re: [PROPOSAL] Standalone SSL
Date Wed, 01 Aug 2001 16:44:05 GMT


On Tue, 31 Jul 2001, Christopher Cain wrote:

> Quoting Jim Seach <jwseach@yahoo.com>:
> > 
> > I think we're in agreement.  The "initial authentication" problem
> > needs to be resolved before we can talk about leveraging it to solve the
> > other problems.  I like your proposal of an optional prompt solution
> > for this.
> 
> Cool.
> 
> > This is an area of interest for me, but it is not something I spend a
> > large part of my time on, so despite being a CISSP, I am certainly not
> > an expert.  I am willing to lend a hand, though, if you are interested
> > in spearheading a general solution to the larger problem.
> 
> Cool. You're definitely invited if I can manage to browbeat the committers into 
> signing on for such a monster =)
> 
> Seriously, though, it always helps the cause if at least a few people state an 
> interest in helping out, so I definitely appreciate it.
> 
> One other thing, Craig. In re-reading a few of my posts, I realized that I come 
> off a bit heavy-handed. Sorry about that ... it's that damn cryptography-weenie 
> demeanor that they drill into us before they give us our membership cards :-)
> 

Not a problem ... it's just that I think you're being a little narrowly
focused on the solution to *your* problem, and ignoring the bigger picture
:-).  Protecting your certificates is all well and good, and I have no
objection to that.  It's necessary, but it's not sufficient.

To flesh out my example, to use features like container-managed security,
you need to tell Tomcat how to gain access to its "repository" of
usernames, passwords, and role information.  Most users will do this
either in a database or a directory server, which means that a
configuration file read by Tomcat must contain the appropriate database
(or directory server) username and password.

What I'm saying is that I don't care much about your certificates if I can
snoop the database connection information and go hack your passwords
database.  So protecting just the certificates is insufficient to solve
the entire problem you are raising.

How many challenges for different pieces of sensitive information are you
willing to impose on the system administrator?  And, is that really any
more secure (in that the sysadmin is now going to have *all* the answers
to these questions on a little sticky note someplace, instead of
memorizing the one password needed to start the server as root :-)?

> - Christopher
> 

Craig
