I have been looking at WS-security and really can't tell which way to go. So I could really need a little input.
Background: At my company we have done a couple of web services just for inhouse usage. We are now planning to expand this and start building services for external customers. Of course we want to secure our services with ws-security.
Question: Should I use X.509 certificates when signing and encrypting messages or should I use other Tokens, like UserNameToken, CustomToken etc? Every turtorial I have seen uses certificates but I'm not so fond of start creating certificates for every service and customer? Any thougths?