Subject: [wss-dev] SOAP Message Security 1.1 Implementation
From: Jason Smith (jaso@gmail.com)
Date: Dec 25, 2008 7:53:40 am
List: org.oasis-open.lists.wss-dev

Hello,

I am implementing a parser according to the SOAP Message Security 1.1 Spec and I have some questions regarding some parts of the standard that look ambiguous to me:

- It looks like in order to implement SignatureConfirmation as defined in the spec, one has to maintain persistency. Is there a way to work around persistency for that case?
- The standard regards parsing of multiple Security headers by the same actor as ambiguous: it considers the order in which they are parsed to be undefined. If I want to serve many clients with whom I didn't agree in advance on the Security headers parsing order, what would you suggest?
- Can somebody recommend an open-source/free library of encryption/encoding/digest algorithms that will fit the requirements of the SOAP Message Security spec, XML Digital Signatures spec, and XML Encryption spec (sha1, base64, etc.)?
- Would you recommend returning a fault message for an error, such as an invalid key, or just rejecting the message without sending any fault message? I have read recommendations for not returning a value, in order to mitigate cases of DoS.
- All "any" attributes and elements specified in the SOAP Message Security 1.1 Spec, for example /wsse:Security/@{any} and /wsse:Security/{any}, specify the following: "Unrecognized elements SHOULD cause a fault." Would you recommend rejecting the message in such a case as schema invalid? What would be the concern in such a case?

I appreciate any help!

Thanks, Jason