Public key (asymmetric) encryption is slower than secret key (symmetric) encryption. But unless I'm misunderstanding your original post, you're saying you would encrypt the secret key using the server's public key, so you'd be using asymmetric encryption anyway. That being the case, you're better off skipping the extra layer and instead just directly encrypting the UsernameToken with the server's public key.

If you're going to be doing multiple message exchanges and are concerned about the overhead, you can use WS-SecureConversation to set up a session using a secret key. You should be able to set up the WS-SecureConversation STS to require the UsernameToken on the request and do the authorization in the STS, so that the UsernameToken only needs to be sent once.

How does that sound?

  - Dennis

On 08/26/2010 06:42 PM, wservarch wrote:
> Isn't encrypting usernameToken with public key encryption slower? Hence I took
> the approach of digital envelope, I wanted to use the power of secret key
> with public key and couldn't find a way to send the encrypted session key
> through every SOAP request. Any help?
