My previous message about HTTP Security implied that you would (in SHTTP) reuse the DEK from say an HTTP request for the reply. You most certainly would not do this. (It's horribly bad key hygiene.) Rather, SHTTP provides a way to exchange a symmetric encryption key (in an HTTP message) that can subsequently be used cover subsequent DEKs. Sorry for the possible confusion... -Ekr