I am trying to extend a custom authentication system and I'm trying to
figure out how I might be able to utilize WSE 2.0.

From the current presentation layer, a username/password is passed to a
component which hits the database and and an encrypted xml string is
returned containing some authorization info.
That encrypted xml string ends up getting passed latter (when the user wants
to do something requiring authorization) as a parameter and decrypted and
then deserialized.

What I would like to do is extend the presentation layer with Wizzy so that
internet applications can authenticate securely as well.

What features of WSE 2.0 would I utilize so that I can send my username and
password securely to a web service and then have that endpoint return my
encrypted string.

This is a kind of end-to-end hybrid rather than point-to-point as I just
read in Don Box's article if I understand him correctly. (He is like reading
fine literature, absolutely fascinating but sometimes not sure if I get it.)
That is to say that just because the user has been authenticated, it doesn't
mean they are authorized to do anything. The encrypted string holds the
secrets which will be revealed when the end user tries to access some
functionality within the component library. I am explaining this only
because someone may ask, why are you not just returning a simple
authenticated or unauthenticated boolean?

So I guess what I want to do is just be able to securely pass my
username/token initially to a web service (and not have it be clear text)
and then have it return the encrypted string. It won't have to be encrypted
on the return trip Can WSE2.0 be used as a kind of  a flexible alternate to
SSL/TLS, passing parameters back and forth in a secure fashion when
encryption of the message (ie. username/password) is necessary?

Thanks for letting me think through this. I may not be asking the right
question yet, or at least not asking it clearly.

Appreciatively,   -greg