In the process of putting together an article for publication elsewhere, I have come across a fact that I had not been aware of till this point.

WS-Policy and therefore also WS-SecurityPolicy which were used as the config format of security in WSE 2.0 is no longer used in WSE 3.0. Instead a simpler and significantly more legible format is used. All that you may read from the Readme file put on your screen right after installing WSE 3.0. But you may as me have wondered how you exchange policies with other non .NET based solutions now that the switch has been made to this proprietary format.

As it turns out the proposed specification for WS-Policy is going through a lot of changes in the first place, and should therefore not be bet on anyway. (Someone even told me that the format was never supported by other vendors, which obviosly makes the point about being able to exchange policy files a bit moot.)

But as the quote below from a Microsoft lead explains, you should seperate how you configure security in WSE/Indigo and how you possibly exchange your policy with potential clients:

WSE 3.0 policy can be compared to Indigo config and is not a representation of WS-Policy. It is simpler and more readable. So WSE 3.0 does not implement WS-Policy in effect which has changed dramatically in the last few months.

However in the WSE 3.0 you have control over the way that policy serializes itself and combined with calling a service’s GetDescription() method you can image that there was a framework for WSE 3.0 that wrote WS-Policy equivalent which is interleaved with the WDSL from the service. This could then be consumed by Indigo’s servutil.exe tool.