Don mentioned in passing yesterday that the first thing we do is fetch policy from
the remote service and then wire up the channel so that everything is in place to
adhere to that policy. I'm surprised more folks didn't catch this.
I had a chance to ask Don about this today and here's what he said. There's
this little tiny blurb in the WS-ReliableMessaging spec about Metadata
Exchange. Basically, it alludes to the need for a future specification that
would provide a way that clients MAY obtain WSDL and WS-Policy information.
That specification will be available by the end of the year.
The way it works in Indigo today is that the first message exchange includes an extra
header, marked as mustUnderstand, that says, "Hey! Give me your policy," and
we don't send a body. Since it's a mustUnderstand, if the resulting
service doesn't understand the header, a SOAP fault is generated - providing you with
a very good indication that the service you're talking to might not be very secure.
Otherwise, you get policy back and can adjust accordingly and there shouldn't be any
side effect on the service because we're not sending a message body, and therefore
there's no action to be invoked.