As part of the "best practice" it had been suggested that ECC should be used to secure messages in flight. However, it appears that there isn't support for ECC in ws-security. Need to align with the ASAP-SG group for securing message payloads.

gerald.gray1 (11/13/2009 10:42 AM): ASAP-SG folks are refraining from making a specific technology requirement as this is essentially a cost/risk assessment that needs to be performed by the organization hosting the service. Closed pending further more specific guidance.
gerald.gray1 (10/20/2009 12:42 PM): See http://java.sun.com/webservices/docs/1.6/tutorial/doc/ for reference. Figure 4-1 XWS-Security Abstract Configuration File Schema And also: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf