David, I must agree with Chris. We were VERY CAREFUL to isolate all confidentiality functions to applications outside of the MSH. There was no standard method of providing this service so we punted. We said that the payload that we expected the user to apply any necessary security to the payload prior to handing it to the MSH. I have lots of notes regarding this topic. It was settled the last time during the FACE-2-FACE in London. Ralph Berwanger