In Elytron, there is keystore password (key-store resource) and key password (key-managers resource) required.
However in theory there could be cases, where no password can be intended

• key-store resource for truststore purposes (reading truststore)
• PKCS12 can be created without key password
• you can create JKS programatically without keystore password
• in legacy key password is optional

Question is if we want to support these cases in EAP.

On the other hand:

• truststore password in legacy is required
• keystore password in legacy is required
• changing from required to optional can be performed in future in backward compatible manner
• requiring password is more secure

So from my PoV with Elytron we are compared to legacy little bit unsafe only with required key password. But that can be changed to optional easily in future if there will be customer case.

WDYT?