James Server / JAMES-3641

A default JWT key is shipped in the default configuration

Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.7.0
    • Component/s: JMAP

    Description

      A quick audit found that a JWT public key is specified in the default configuration, which goes against the principles expressed in https://www.mail-archive.com/server-dev@james.apache.org/msg70783.html - namely, we should not specify default cryptographic materials, which could be seen as back-doors if not replaced, and rather encourage people to generate their own.

      Here the people having the private key (not part of the repository) could gain JMAP access and use the given server.

      This JWT public key was required for JMAP-based servers to start - a requirement I found could be relaxed. I thus propose to relax this requirement and drop the JWT public key, which is of use to no one as the corresponding private key had long been lost.
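      As an added illustration (not James's code, and not the fix that was merged), a startup check in Python that implements the policy described in the report: a missing JWT key simply leaves JWT bearer authentication disabled, an operator-generated key is accepted, and a key whose fingerprint matches a known shipped default makes the server refuse to start. The property name `jwt.publickey.pem` and both PEM bodies are constructed placeholders; the page does not reproduce the real key.

```python
import base64
import hashlib
import re

# Constructed stand-in for a public key that ships in a default config.
# Not the real James key (the issue does not reproduce it); placeholder only.
SHIPPED_DEFAULT_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + base64.b64encode(b"constructed placeholder default public key").decode()
    + "\n-----END PUBLIC KEY-----\n"
)
# Constructed stand-in for a key the operator generated themselves.
CUSTOM_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + base64.b64encode(b"constructed operator-generated public key").decode()
    + "\n-----END PUBLIC KEY-----\n"
)

def key_fingerprint(pem: str) -> str:
    """SHA-256 over the decoded key bytes, so re-wrapping or re-indenting
    the PEM text does not change the fingerprint."""
    body = re.sub(r"-----(BEGIN|END) PUBLIC KEY-----", "", pem)
    der = base64.b64decode("".join(body.split()))
    return hashlib.sha256(der).hexdigest()

# Fingerprints the operator knows to be shipped defaults (here: the constructed one).
KNOWN_DEFAULT_FINGERPRINTS = {key_fingerprint(SHIPPED_DEFAULT_PEM)}

def check_jwt_config(config: dict) -> str:
    """Return 'jwt-disabled' when no key is configured (the relaxed requirement),
    'ok' for an operator-generated key; raise if the key is a shipped default."""
    pem = config.get("jwt.publickey.pem")  # hypothetical property name
    if not pem or not pem.strip():
        return "jwt-disabled"
    if key_fingerprint(pem) in KNOWN_DEFAULT_FINGERPRINTS:
        raise ValueError("JWT public key is a shipped default; generate your own key")
    return "ok"

def audit_all() -> dict:
    """Run the check over three constructed configurations."""
    results = {"no_key": check_jwt_config({}),
               "custom_key": check_jwt_config({"jwt.publickey.pem": CUSTOM_PEM})}
    # The default key re-wrapped at 16 characters per line must still be caught.
    rewrapped = re.sub(r"(.{16})", r"\1\n", SHIPPED_DEFAULT_PEM.splitlines()[1])
    pem = f"-----BEGIN PUBLIC KEY-----\n{rewrapped}\n-----END PUBLIC KEY-----\n"
    try:
        check_jwt_config({"jwt.publickey.pem": pem})
        results["default_key"] = "accepted"
    except ValueError:
        results["default_key"] = "refused"
    return results

if __name__ == "__main__":
    print(audit_all())
```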

            People

              Assignee: Antoine Duprat (aduprat)
              Reporter: Benoit Tellier (btellier)