Arvola, David,
The envelope is not encrypted prior to signing. Payload
encryption is beyond the scope of current MS spec.
Encrypting the envelope requires the addition of
transforms for exclusion of Via etc. that are transient in communication.
Given these, though an important need for privacy,
we may delay specing it till v1.2 (meanwhile XML Encryption
will mature too).
Cheers,
-Suresh