Don mentioned in passing yesterday that the first thing we do is fetch policy from the remote service and then wire up the channel so that everything is in place to adhere to that policy. I'm surprised more folks didn't catch this.

I had a chance to ask Don about this today and here's what he said.  There's this little tiny blurb in the WS-ReliableMessaging spec about Metadata Exchange.  Basically, it alludes to the need for a future specification that would provide a way that clients MAY obtain WSDL and WS-Policy information.  That specification will be available by the end of the year.

The way it works in Indigo today is that the first message exchange includes an extra header, marked as mustUnderstand, that says, "Hey!  Give me your policy," and we don't send a body.  Since it's a mustUnderstand, if the resulting service doesn't understand the header, a SOAP fault is generated - providing you with a very good indication that the service you're talking to might not be very secure.  Otherwise, you get policy back and can adjust accordingly and there shouldn't be any side effect on the service because we're not sending a message body, and therefore there's no action to be invoked.