success! just called the DerivedKeyToken sample. it works by 1st requesting a SecurityContextToken from a token issuer. as mentioned in an earlier post, the client cannot pass Entropy, so the token issuer generates the key and returns it encrypted. from that key, the client derives 2 new keys: 1 for signing, and 1 for encrypting. then it signs and encrypts the request to the web service using each derived key respectively. using the info the client passes, the web service can derive the same keys to verify and decrypt the request.
that milestone basically completes the update of the CF bits for WSE 2.0! i need to clean up the code, do regression testing, and a write-up before releasing the code