I'd suggest you encrypt the complete UsernameToken, since the performance difference between doing only part and the whole token would probably be minor and encrypting the whole token is better for interoperability. As Dan pointed out in a recent exchange (http://mail-archives.apache.org/mod_mbox/cxf-users/201008.mbox/browser), .Net *always* wants to encrypt UsernameToken, one way or another, and so most of the Java stacks are likely to do the same.
- Dennis On 08/26/2010 10:20 PM, wservarch wrote: > Yes makes sense. Thanks for the help, right now 'am not looking at multiple > message exchanges. I've one more query, when you say encrypting > UserNameToken with public key you mean to say encrypting only password of > the token or complete UserNameToken? >
