Hamid / Jacques,
I like option of ebtoken approach a) based on WSS token - but held
within the ebMS header, no wrapper.
This is simple, clear and obvious. No angle-bracket mush to
deal with and more easily backward compatible (item will simply be
ignored by non-supportive server).
I've not looked at the WSS token in detail - but presumably these
things can be set to expire inline with the ebMS configuration /
delivery options.
Thanks,
DW
p.s. Adding user/pwd semantics option seems seriously fraught with
potential attacks / exposure risks.