Currently an SSL transport fulfills the requirement/assertion of the "confidentiality" SecurityPolicy. Now that we integrate with JBossWS-CXF+WSS4J more tightly, we should be able to also fulfill this requirement after successful decryption of an encrypted SOAP message. We somehow need to recognize, either via WSDL contract or CXF Interceptor, that decryption was performed, and then provide the "confidentiality" requirement.