Hello everyone, We are using only AsymmetricBinding assertion to a recipient with :
* InitiatorSignatureToken (IncludeToken/AlwaysToRecipient) * RecipientEncryptionToken (IncludeToken/Never) * IncludeTimestamp * ProtectTokens * OnlySignEntireHeadersAndBody * Wss11 o sp:MustSupportRefKeyIdentifier o sp:MustSupportRefIssuerSerial o sp:MustSupportRefThumbprint o sp:MustSupportRefEncryptedKey o sp:RequireSignatureConfirmation Could we attached this AsymmetricBinding assertion to a WS endpoint as it is, meaning without providing any details regarding what we want to sign and encrypt ? In the spec (http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826608) it is stated that: - "The specified token populates the [Initiator Signature Token] property and is used for the message signature from initiator to recipient.". So it means that a SOAP client has to provide a message signature in the SOAP request sent to the recipient: right ? - "The specified token populates the [Recipient Encryption Token] property and is used for the message encryption from recipient to Recipient.": is there any typo here ? from recipient to Recipient ? If this is not a typo what does that mean ? Because otherwise I will interpret it as initiator to Recipient: right ? In such case, the SOAP request sent to the recipient should contain some encryption: right ? Best Regards. ________________________________ This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited. E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender. Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus
