Simon Fell > Its just code
I've updated the web services security story with some input from Justin Rudd. [Greg Reinacker's Weblog]

Putting credentials in a SOAP header without an encrypted channel is a waste of time, but if you have an encrypted channel, you might as well use the channel's authentication support. WS-Security only starts to make sense [much the same as SOAP] when you have intermediaries.