When you are using a X.509 Certificate as the client authentication token in Mixed-Mode Security - apart from signing the Timestamp WCF will sign the 'To' header as well. This is to prevent a client spoofing attack by a rougue service. Consider the situation where the client does not sign the 'To' header and sends the message to a rogue service. As long as the Timestamp is valid the rogue service can just forward the message to another service that trusts the client's certificate. The receiving service would validate the signature on the Timestamp and will accept the message and will respond back to the rogue service as if it is the client.

To prevent this WCF will sign the 'To' header as well when the client token used with Mixed-Mode security is an Asymmetric token. It will enforce the check on the receiving side as well. Now the rogue service cannot forward the message as the 'To' header needs to change for the called service and hence forces the service to create a new signature.