Another question. Let's say that Bob runs the web service and Alice has a client that
uses the web service. Now John would also like to use the web service. John would create:

johns.keystore
----------------
john - keyPair (pub+priv)
bob - trustedCertEntry (pub)

johns.truststore
----------------
john - trustedCertEntry (just john's public key)

In addition, Bob's keystore would be updated to:

bobs.keystore
----------------
bob - keyPair (public + private key)
alice - trustedCertEntry (just alice's public key)
john - trustedCertEntry (just john's public key)

This does not pose a problem for encrypting the request from the client side since both
Alice and John use Bob's public key to encrypt the message, and Bob of course uses his
private key to decrypt the message. But how is the response message encrypted? Bob would
have to know who he is responding to and encrypt accordingly, but how would one specify
this?