Hi Colm, I set up a scenario and was wondering about the KeyInfo elements.
Policy P1 for WS-Consumer and WS-Provider

CXF ---sends requestA----> CXF
    <---sends responseB---

Policy is:

<p:policies enabled="true" xmlns:p="http://cxf.apache.org/policy">
  <wsp:Policy wsu:Id="AsymmetricII"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      xmlns:wsp="http://www.w3.org/ns/ws-policy">
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:AsymmetricBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <wsp:Policy>
            <sp:InitiatorToken>
              <wsp:Policy>
                <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                  <wsp:Policy>
                    <sp:WssX509V3Token10/>
                  </wsp:Policy>
                </sp:X509Token>
              </wsp:Policy>
            </sp:InitiatorToken>
            <sp:RecipientToken>
              <wsp:Policy>
                <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                  <wsp:Policy>
                    <sp:WssX509V3Token10/>
                  </wsp:Policy>
                </sp:X509Token>
              </wsp:Policy>
            </sp:RecipientToken>
            <sp:Layout>
              <wsp:Policy>
                <sp:Strict/>
              </wsp:Policy>
            </sp:Layout>
            <sp:IncludeTimestamp/>
            <sp:OnlySignEntireHeadersAndBody/>
            <sp:AlgorithmSuite>
              <wsp:Policy>
                <sp:TripleDesRsa15/>
              </wsp:Policy>
            </sp:AlgorithmSuite>
          </wsp:Policy>
        </sp:AsymmetricBinding>
        <sp:Wss10 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <wsp:Policy>
            <sp:MustSupportRefKeyIdentifier/>
            <sp:MustSupportRefIssuerSerial/>
          </wsp:Policy>
        </sp:Wss10>
        <sp:SignedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <sp:Body/>
          <sp:Header Name="Timestamp" Namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"/>
        </sp:SignedParts>
        <sp:EncryptedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <sp:Body/>
        </sp:EncryptedParts>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>
</p:policies>

When I have a closer look at the messages, they look like this:

A (request):
  Enc-Element: KeyInfo/SecurityTokenReference/KeyIdentifier
  Sig-Element: KeyInfo/SecurityTokenReference/Reference

B (response):
  Enc-Element: KeyInfo/SecurityTokenReference/X509Data
  Sig-Element: KeyInfo/SecurityTokenReference/KeyIdentifier

Is there any reason that the request message contains the KeyIdentifier in the encryption part, while the response message contains the X509Data element?

I am using CXF version 2.7.10.

Best regards
Kai
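The comparison above was done by reading the two messages by eye. The following script is an added example (not part of Kai's post, and not CXF or WSS4J code) that automates that check: it parses a WS-Security header, reports which SecurityTokenReference form the EncryptedKey and Signature KeyInfo elements use, and, for a direct wsse:Reference, whether the URI resolves to a token actually carried in the message. The function names, the two sample envelopes and all token values (the BinarySecurityToken body, the SubjectKeyIdentifier, the issuer/serial pair) are constructed for the example and mirror the A/B observations; they are not captured CXF output.

```python
# Added example (not from the mailing-list post or from CXF/WSS4J): parse a
# WS-Security header and report which SecurityTokenReference form each
# KeyInfo uses, and whether a direct Reference resolves to a token that is
# actually carried in the message.
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}


def _local_name(tag):
    # "{namespace}Name" -> "Name"
    return tag.split("}", 1)[1] if tag.startswith("{") else tag


def _classify_str(str_el, ids_in_message):
    """Return (reference_form, token_in_message) for one SecurityTokenReference.

    reference_form is the local name of the STR's first child
    (Reference, KeyIdentifier, X509Data, ...). token_in_message is True only
    for a direct wsse:Reference whose URI points at a wsu:Id in this message.
    """
    child = next(iter(str_el), None)
    if child is None:
        return ("empty", False)
    form = _local_name(child.tag)
    if form == "Reference":
        uri = child.get("URI", "")
        return (form, uri.startswith("#") and uri[1:] in ids_in_message)
    return (form, False)


def classify_key_references(envelope_xml):
    """Map 'encryption' / 'signature' to the STR form used in its KeyInfo."""
    root = ET.fromstring(envelope_xml)
    wsu_id = "{%s}Id" % NS["wsu"]
    ids = {el.get(wsu_id) for el in root.iter() if el.get(wsu_id) is not None}
    lookups = {
        "encryption": ".//xenc:EncryptedKey/ds:KeyInfo/wsse:SecurityTokenReference",
        "signature": ".//ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference",
    }
    report = {}
    for part, path in lookups.items():
        str_el = root.find(path, NS)
        if str_el is not None:
            report[part] = _classify_str(str_el, ids)
    return report


# --- constructed sample messages mirroring the A/B observations in the post ---
_ENVELOPE = """<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}"
  xmlns:ds="{ds}" xmlns:xenc="{xenc}">
  <soap:Header><wsse:Security>{token}
    <xenc:EncryptedKey><ds:KeyInfo><wsse:SecurityTokenReference>{enc}</wsse:SecurityTokenReference></ds:KeyInfo></xenc:EncryptedKey>
    <ds:Signature><ds:KeyInfo><wsse:SecurityTokenReference>{sig}</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
  </wsse:Security></soap:Header><soap:Body/></soap:Envelope>"""

# Placeholder token material; none of these values are real certificates.
_BST = '<wsse:BinarySecurityToken wsu:Id="X509-1">MIIB...placeholder...</wsse:BinarySecurityToken>'
_KEY_ID = ('<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/'
           'oasis-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">'
           'c2tpLXBsYWNlaG9sZGVy</wsse:KeyIdentifier>')
_DIRECT = '<wsse:Reference URI="#X509-1"/>'
_ISSUER_SERIAL = ('<ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=Example CA'
                  '</ds:X509IssuerName><ds:X509SerialNumber>1234</ds:X509SerialNumber>'
                  '</ds:X509IssuerSerial></ds:X509Data>')


def _build(token, enc, sig):
    return _ENVELOPE.format(token=token, enc=enc, sig=sig, **NS)


# Request A: the initiator token is included (AlwaysToRecipient), so the
# signature can point at it directly; the encryption key is wrapped for the
# recipient's certificate, which is not in the message.
REQUEST_A = _build(_BST, _KEY_ID, _DIRECT)
# Response B: the recipient token is never included (IncludeToken/Never), so
# both KeyInfo elements identify certificates that are not in the message.
RESPONSE_B = _build("", _ISSUER_SERIAL, _KEY_ID)

if __name__ == "__main__":
    for label, msg in (("A (request)", REQUEST_A), ("B (response)", RESPONSE_B)):
        print(label, classify_key_references(msg))
```

Run against a captured envelope instead of the samples, the report distinguishes a direct reference to an in-message BinarySecurityToken from the external forms (KeyIdentifier, X509IssuerSerial) that the Wss10 assertions in the policy above declare support for; only the former carries the certificate inside the message, so the others depend on the receiver's keystore to resolve the signer.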