Hi - When I send an RST to my STS (CXF 2.7.14) to get a holder-of-key token with Advice, it looks like the token I get back has a Subject that matches the X509 cert in the Advice rather than its own cert. It looks like it's supposed to be this way based on what I see in DefaultSubjectProvider, is that correct? Is that spelled out in ws-trust or one of the saml specs somewhere? It makes sense to me that it should work that way, but I'm getting some questions about it and would like be able to point to something that says why it is that way.
Thanx, Stephen W. Chappell