Since I have no idea when the admins responsible for my client's servers will put an x509 cert on the webserver, I have decided to set aside all of the work I have been doing to apply wse2 to one of their existing applications and get on with my life.  I have learned a lot. I will continue to dig into WSE2 because it fascinates me and has opened up a huge door for me. But I don't foresee any real-life implementations any time soon. Which I hate. This application demands that I be able to encrypt my responses. With WSE1, I could create my own “shared secret” key in the client app and the same one in the web services and then on the client end insert <decryptionkeyprovider> into the app.config to point to my decryption key. That was the recommended way but now it's been deemed “too insecure“ and taken away. Although with WSE2, we have ws-trust and the ability to create and issue custom security context tokens from the web server, this method still requires a server certificate to make it possible for humans to implement it. I need to get on to other projects for this client as well as the myriad other commitments I am worried about falling behind on. In fantasyland I would love to just keep playing and playing with this. Oh well.

oh - I should mention the Kerberos token option. It's not an option - since I can't count on all of the clients being on windows xp.