-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Martin,
Martin Dubuc wrote: > I am not sure I buy your argument that because there is somewhere > else in an implementation that is as insecure as cleartext password, > then there is no point in fixing the cleartext password issue. With > this argument, we would never care about fixing any security holes, > because one can always find a new security hole to exploit. Of course I could never say that security measures are never useful. What I'm saying is that /this/ one isn't (useful). Writing your password on your monitor is a bad idea. Writing it on a sheet of paper in your desk is slightly better, but remembering it is the best solution. I'm asking you to consider looking for the best solution instead of the deployment equivalent of putting your password in your desk drawer. > Plus, well, the assumption that someone is using a password-less key > with Apache running with SSL is pretty weak, because there are ways > to avoid using password-less key. Right. You can either enter the password on startup (a maintenance headache) or you can put the key somewhere (plaintext, I might add). > As far as the UNIX password analogy, tomcat may be seen as a user, > not UNIX, but it still performs authentication. No, it doesn't. Tomcat is a user of the database. It is never performing database authentication. Tomcat may be performing /user/ authentication, but that unrelated. > I have the impression that using MD5/SHA hashing would be a good > option, because it would be simple, would not require any additional > key, would provide some sense of security. Note that hashing the password is the same as using a plaintext password. I'll leave the reason for this as an exercise for the reader. My belief is that this gives the illusion of security. Bruce Schneier calls this "security theater" because you are essentially making a symbolic yet meaningless gesture towards security. Please don't hear me saying that what you are proposing is a bad idea, or that security isn't worth it. I'm merely suggesting that there are better ideas than the one you are proposing. - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGN3bs9CaO5/Lv0PARAnqYAJ9BCqofhNRgLUcCO8z/ei8momv45wCfahQI J+EbhfxBN+FpWkiqZIRR8rw= =bFGf -----END PGP SIGNATURE----- --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
