coreinfrastructure / best-practices-badge

🏆Open Source Security Foundation (OpenSSF) Best Practices Badge (formerly Core Infrastructure Initiative (CII) Best Practices Badge)
https://www.bestpractices.dev
MIT License

Extend crypto_credential_agility to forbid hard-coded passwords #925

Open david-a-wheeler opened 7 years ago

david-a-wheeler commented 7 years ago

Currently crypto_credential_agility says:

      The project MUST support storing authentication credentials
      (such as passwords and dynamic tokens) and private cryptographic
      keys in files that are separate from other information
      (such as configuration files, databases, and logs),
      and permit users to update and replace them without
      code recompilation. If the project never processes authentication
      credentials and private cryptographic keys, select "not
      applicable" (N/A).

Currently it just says "support". However, hard-coded passwords and tokens in source code have become a big problem. Perhaps we should extend this to also say:

      The project MUST NOT include authentication credentials
      and private cryptographic keys in source code if they provide
      access to restricted services ("test" and "training" values that do
      not provide any access to restricted information are fine).

I don't know if this is a "new" requirement or a clarification.
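As an added illustration of the two halves of the criterion discussed in this issue (keep credentials in a file that holds nothing else, and keep them out of source code), here is a small Python example. It is not code from the issue or from the best-practices-badge project. It assumes a layout where the application reads its secret from a file whose only content is the secret; the regex-based scan is a deliberately simple heuristic, and its rule that values starting with "test", "example" and similar are acceptable is a stand-in for the proposal's "test and training values are fine" exception, not a definition the badge adopts.

```python
"""Added example: credentials in a separate file, never in source.

Assumptions (not from the issue): the secret lives alone in a file the
application is pointed at, and the scanner below is a heuristic, not a
complete secret detector.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

# --- Half 1: load a credential from a file that contains only the secret ---

def load_credential(path, allow_group_or_world=False):
    """Read a secret from a file holding nothing but that secret.

    Rotation is editing the file; no recompilation or code change needed.
    Files readable by group/others are refused so a sloppy deployment
    fails closed rather than leaking.
    """
    p = Path(path)
    mode = p.stat().st_mode
    if not allow_group_or_world and mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            f"{p} is readable by group/others (mode {oct(mode & 0o777)})"
        )
    secret = p.read_text(encoding="utf-8").strip()
    if not secret:
        raise ValueError(f"{p} is empty")
    return secret


def demo_rotation():
    """Rotate a secret by editing its file, and reject a world-readable one.

    Returns (first_secret, rotated_secret, world_readable_was_rejected).
    All values are constructed for the demo.
    """
    with tempfile.TemporaryDirectory() as d:
        cred = Path(d) / "api_token"          # the file holds only the secret
        cred.write_text("constructed-secret-v1\n")
        os.chmod(cred, 0o600)                 # owner-only
        first = load_credential(cred)
        cred.write_text("constructed-secret-v2\n")   # rotation: edit the file
        rotated = load_credential(cred)

        loose = Path(d) / "leaky_token"
        loose.write_text("constructed-secret-v3\n")
        os.chmod(loose, 0o644)                # group/world readable: refused
        try:
            load_credential(loose)
            rejected = False
        except PermissionError:
            rejected = True
    return first, rotated, rejected


# --- Half 2: a heuristic check that source code carries no live secrets ---

# Variable names that suggest a credential (heuristic, case-insensitive).
SECRET_NAME = re.compile(r"(?i)(pass(word|wd)?|secret|token|api_?key|private_?key)")
# `NAME = "literal"` with a literal of at least 8 characters.
ASSIGN = re.compile(r"""^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*['"]([^'"]{8,})['"]""")
# Stand-in for the proposal's "test/training values are fine" exception.
HARMLESS_VALUE = re.compile(r"(?i)^(test|dummy|example|placeholder|changeme)")


def find_hardcoded_credentials(source_text):
    """Return [(line_number, variable_name)] for credential-like literals."""
    findings = []
    for n, line in enumerate(source_text.splitlines(), 1):
        m = ASSIGN.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if SECRET_NAME.search(name) and not HARMLESS_VALUE.match(value):
            findings.append((n, name))
    return findings


# Constructed sample source: one live secret (bad), one test value (allowed),
# one credential read from outside the code (good).
SAMPLE_SOURCE = """\
import os
DB_PASSWORD = "hunter2-but-longer"       # live credential in source (bad)
TEST_PASSWORD = "test-only-no-access"    # test value: allowed by the proposal
API_TOKEN = os.environ.get("API_TOKEN")  # supplied from outside the code (good)
"""

if __name__ == "__main__":
    print("hard-coded credentials:", find_hardcoded_credentials(SAMPLE_SOURCE))
    print("rotation demo:", demo_rotation())
```

The scanner only flags line 2 of the constructed sample; the test value on line 3 passes under the exception the proposal describes, and line 4 reads its token from the environment, which is exactly the "separate from source and config" shape the criterion asks for.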

dankohn commented 7 years ago

I think it's fine to treat it as a clarification.

-- Dan Kohn mailto:dan@linuxfoundation.org Executive Director, Cloud Native Computing Foundation https://cncf.io/ tel:+1-415-233-1000
