andytanoko / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

Separate Crypto Related Properties into Separate File #48

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
It has been requested that the crypto properties be kept in a different
file for more separation and fine grained control of information.  

Original issue reported on code.google.com by neil.mat...@gmail.com on 6 Nov 2009 at 7:56

GoogleCodeExporter commented 9 years ago
As an absolute minimum, Encryptor.MasterKey and Encryptor.MasterSalt should be moved to a separate file (e.g., something like ESAPI-Encryptor.properties or Encryption.properties) because these properties need to be kept secret to all but a small set of individuals. For instance, in a production environment, developers should not even have read access to these properties; however, it is probable that they have read access to the other encryption-related properties such as

Original comment by kevin.w.wall@gmail.com on 7 Nov 2009 at 5:47

GoogleCodeExporter commented 9 years ago
Although one could override the DefaultSecurityConfiguration and point to another file that includes those two properties, I think this desire would be commonplace and this feature should be part of the default implementation. I would also suggest a separate system property be defined which could point to the path of the new ESAPI-Encryptor.properties file so that it can reside outside the default .esapi "org.owasp.esapi.resources" directory if desired, to make it easier to protect using tighter file access controls, auditing, and backup procedures during deployment.

Original comment by joshdrum...@gmail.com on 8 Nov 2009 at 4:17
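The split proposed in the two comments above, sketched as an added example that is not ESAPI's own code: the two secret properties named in the thread (Encryptor.MasterKey, Encryptor.MasterSalt) live in a separate file, that file is located through a dedicated system property so it can sit outside the `org.owasp.esapi.resources` directory, and loading fails if the secret file is readable beyond its owner or if the secrets were left in the general, widely readable file. The system property name `org.owasp.esapi.encryptor.resources`, the class name and the sample property values are assumptions for this example; the default filename ESAPI-Encryptor.properties is the one suggested in the thread.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.EnumSet;
import java.util.Properties;
import java.util.Set;

/**
 * Added example, not ESAPI code: keep Encryptor.MasterKey and
 * Encryptor.MasterSalt in a file separate from the general ESAPI
 * properties, locate that file through its own system property, and
 * refuse to start if the secret file is readable by group or others or
 * if the secrets were left in the general (widely readable) file.
 */
public final class SplitEncryptorConfig {

    // Property names as they appear in the issue thread.
    static final String MASTER_KEY = "Encryptor.MasterKey";
    static final String MASTER_SALT = "Encryptor.MasterSalt";
    // Existing ESAPI resource-directory property named in the thread.
    static final String RESOURCES_PROP = "org.owasp.esapi.resources";
    // Hypothetical name for the separate system property the thread proposes.
    static final String ENCRYPTOR_FILE_PROP = "org.owasp.esapi.encryptor.resources";
    static final String DEFAULT_SECRET_FILE = "ESAPI-Encryptor.properties";

    private static final Set<PosixFilePermission> TOO_OPEN = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
            PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE);

    private final Properties general = new Properties();
    private final Properties secrets = new Properties();

    /** Loads both files; the general file must not carry the two secrets. */
    public SplitEncryptorConfig(Path generalFile, Path secretFile) throws IOException {
        try (InputStream in = Files.newInputStream(generalFile)) {
            general.load(in);
        }
        if (general.containsKey(MASTER_KEY) || general.containsKey(MASTER_SALT)) {
            throw new IllegalStateException(generalFile + " must not contain master key or salt");
        }
        checkPermissions(secretFile);
        try (InputStream in = Files.newInputStream(secretFile)) {
            secrets.load(in);
        }
        for (String name : new String[] {MASTER_KEY, MASTER_SALT}) {
            String v = secrets.getProperty(name);
            if (v == null || v.trim().isEmpty()) {
                throw new IllegalStateException(name + " missing from " + secretFile);
            }
        }
    }

    /** Secret file path: the dedicated system property wins, else a default name inside the resources dir. */
    public static Path locateSecretFile() {
        String explicit = System.getProperty(ENCRYPTOR_FILE_PROP);
        if (explicit != null) {
            return Paths.get(explicit);
        }
        return Paths.get(System.getProperty(RESOURCES_PROP, ".esapi"), DEFAULT_SECRET_FILE);
    }

    /** On POSIX file systems, refuse a secret file readable or writable by group or others. */
    static void checkPermissions(Path secretFile) throws IOException {
        if (!Files.getFileStore(secretFile).supportsFileAttributeView("posix")) {
            return; // e.g. Windows: rely on ACLs set at deployment time
        }
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(secretFile);
        for (PosixFilePermission p : perms) {
            if (TOO_OPEN.contains(p)) {
                throw new IllegalStateException(secretFile + " is accessible beyond its owner: " + perms);
            }
        }
    }

    public String masterKey() { return secrets.getProperty(MASTER_KEY); }
    public String masterSalt() { return secrets.getProperty(MASTER_SALT); }
    public Properties general() { return general; }

    /** Stand-alone demo using constructed files in a temporary directory. */
    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("esapi-split");
        Path generalFile = dir.resolve("ESAPI.properties");
        Path secretFile = dir.resolve(DEFAULT_SECRET_FILE);
        // Constructed general file: a non-secret encryption setting only.
        Files.write(generalFile, "Encryptor.EncryptionAlgorithm=AES\n".getBytes(StandardCharsets.UTF_8));
        // Constructed placeholder values, not real key material.
        Files.write(secretFile, (MASTER_KEY + "=PLACEHOLDER_KEY\n" + MASTER_SALT + "=PLACEHOLDER_SALT\n")
                .getBytes(StandardCharsets.UTF_8));
        if (Files.getFileStore(secretFile).supportsFileAttributeView("posix")) {
            Files.setPosixFilePermissions(secretFile,
                    EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE));
        }
        System.setProperty(ENCRYPTOR_FILE_PROP, secretFile.toString());
        SplitEncryptorConfig cfg = new SplitEncryptorConfig(generalFile, locateSecretFile());
        System.out.println("loaded " + cfg.general().size() + " general properties; salt length "
                + cfg.masterSalt().length());
    }
}
```

The permission check is deliberately fail-closed: an operator who deploys the secret file with group or world read bits gets an error at startup rather than a silently readable master key, which is the kind of "tighter file access controls" the comment above is asking the split to make possible. Rejecting the secrets in the general file closes the other direction, where a developer copies the old ESAPI.properties wholesale and re-exposes them.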

GoogleCodeExporter commented 9 years ago
We need to abstract the entire key management process. I agree with all 
thoughts above.

Original comment by manico.james@gmail.com on 1 Nov 2010 at 6:02