That's a good question. I asked the same question on the list about two weeks ago. The specification does not mention anywhere that the token should be encrypted. However, encrypting the token for the Relying Party is a good security practice (for confidentiality purposes). For that reason, I decided to encrypt it in .NET, and I am not sure how the rest of the implementations are doing it. Can that be done in WSO2 Identity Server?

I am using these certificates:

Token signature => BSL.Com
Token encryption => Trade.Com

Regards,
Pablo.

-----Original Message-----
From: Chintana Wilamuna [mailto:chinta...@gmail.com]
Sent: Wednesday, October 21, 2009 4:04 AM
To: stonehenge-dev@incubator.apache.org
Subject: Token returned by the .Net passive STS

Hi,

The token that .Net passive STS sends has the claims encrypted. Earlier I could see the claims in clear text but in the new implementation they seem to be encrypted. Is that the desired behaviour?

Right now WSO2 Identity Server doesn't encrypt the claims in the token. Should it be changed to encrypt those?

Bye,

-Chintana

--
http://engwar.com