I have decided to pull shared secrets from the feature list of the first production release of WS-Security support.
My reasons are the following:
- Multiple request/response messages reuse the same key, providing a larger sampling of data, which improves the likelihood of a plaintext attack
- No association between identity and the encrypted data, thus improving the likelihood of a forged message, or a key replacement attack
- No guarantee on the strength of the key. Since a symmetric key is nothing more than a block of bytes, a broken tool using a broken random number generator could have generated a predictable key, or worse, it could be something like all zeros.
- Lack of tools. Java's keytool doesn't let you store keys, so to store them we would have to provide you with yet another keytool.
Feel free to vote on JBWS-286 if you would like to see us add this. Please also add your reasons as to why you would like to have it. (i.e. compatibility with XYZ).
-Jason
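
An added illustration of the key-strength point above, not code from the post or from JBossWS: a screen that a service could run over a configured shared secret before accepting it. The class name, the 16-byte minimum and the thresholds are assumptions. It only catches degenerate keys such as all zeros; output from a predictable random number generator passes these checks, so a key that gets through is not thereby shown to be strong.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;

public class SharedSecretScreen {
    /** Returns null when no degenerate pattern is found, otherwise the reason for rejection. */
    static String reject(byte[] key, int minBytes) {
        if (key == null || key.length < minBytes) {
            return "shorter than " + minBytes + " bytes";
        }
        // Periodic keys: key[i] == key[i - p] for every i >= p.
        // p == 1 covers all zeros and any other single repeated byte.
        for (int p = 1; p <= key.length / 2; p++) {
            boolean periodic = true;
            for (int i = p; i < key.length && periodic; i++) {
                periodic = key[i] == key[i - p];
            }
            if (periodic) return "repeats with period " + p;
        }
        // Counting sequences such as 00 01 02 ... (constant difference, modulo 256).
        boolean arithmetic = key.length > 2;
        for (int i = 2; i < key.length && arithmetic; i++) {
            arithmetic = (byte) (key[i] - key[i - 1]) == (byte) (key[1] - key[0]);
        }
        if (arithmetic) return "constant step between bytes";
        // Few distinct byte values, e.g. a key typed in as digits.
        boolean[] seen = new boolean[256];
        int distinct = 0;
        for (byte b : key) {
            if (!seen[b & 0xff]) { seen[b & 0xff] = true; distinct++; }
        }
        if (distinct < key.length / 2) return "only " + distinct + " distinct byte values";
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample keys, 16 bytes each.
        byte[] zeros = new byte[16];
        byte[] counter = new byte[16];
        for (int i = 0; i < counter.length; i++) counter[i] = (byte) i;
        byte[] typed = "1111222233334444".getBytes(StandardCharsets.US_ASCII);
        byte[] random = new byte[16];
        new SecureRandom().nextBytes(random);

        System.out.println("zeros:   " + reject(zeros, 16));
        System.out.println("counter: " + reject(counter, 16));
        System.out.println("typed:   " + reject(typed, 16));
        System.out.println("random:  " + reject(random, 16));
    }
}
```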