Last week I was working on some SOAP message preprocessing in our current project. We needed to extract raw information about the security tokens used in a SOAP message, so we decided to use the WSSecurityTokenSerializer class from the System.ServiceModel.Security namespace. This class exposes the public method ReadKeyIdentifierClause, inherited from SecurityTokenSerializer. The method worked fine until we used it to read an EncryptedKey token that includes a ReferenceList. In that scenario the paired method CanReadKeyIdentifierClause returns true, but ReadKeyIdentifierClause throws an unexpected XmlException, because the implementation expects the end element of EncryptedKey at the position where the start element of ReferenceList appears. I asked a related question on MSDN but I haven't got an answer yet. I think this is a bug.
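The mismatch between CanReadKeyIdentifierClause and ReadKeyIdentifierClause can be reproduced without a WCF channel by handing the serializer a hand-built EncryptedKey element. The following console program is an added example, not the fixture from the original article: the EncryptedKey XML, its Id and URI values, the thumbprint and the CipherValue are constructed placeholders, not real key material, and the same element is read once with and once without the ReferenceList so the two outcomes can be compared.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.IO;
using System.ServiceModel.Security;
using System.Xml;

// Added reproduction of the CanReadKeyIdentifierClause / ReadKeyIdentifierClause mismatch.
// Everything in the XML below is constructed sample data (dummy base64, dummy Ids).
static class EncryptedKeyReproduction
{
    const string XencNs = "http://www.w3.org/2001/04/xmlenc#";
    const string DsNs = "http://www.w3.org/2000/09/xmldsig#";
    const string WsseNs = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    // The ReferenceList that a message-security binding places inside EncryptedKey
    // to point at the encrypted body / header parts (URI is a constructed placeholder).
    const string ReferenceList =
        "<xenc:ReferenceList><xenc:DataReference URI=\"#_2\"/></xenc:ReferenceList>";

    // Builds a WS-Security style EncryptedKey: EncryptionMethod, a thumbprint token
    // reference in KeyInfo, CipherData and, optionally, the trailing ReferenceList.
    static string BuildEncryptedKey(bool includeReferenceList)
    {
        return
            "<xenc:EncryptedKey Id=\"_1\"" +
            " xmlns:xenc=\"" + XencNs + "\" xmlns:ds=\"" + DsNs + "\" xmlns:wsse=\"" + WsseNs + "\">" +
            "<xenc:EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p\"/>" +
            "<ds:KeyInfo><wsse:SecurityTokenReference>" +
            "<wsse:KeyIdentifier" +
            " ValueType=\"http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1\"" +
            " EncodingType=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary\">" +
            "AAAAAAAAAAAAAAAAAAAAAAAAAAA=" +          // 20 dummy bytes, base64 (constructed)
            "</wsse:KeyIdentifier></wsse:SecurityTokenReference></ds:KeyInfo>" +
            "<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>" +  // dummy
            (includeReferenceList ? ReferenceList : string.Empty) +
            "</xenc:EncryptedKey>";
    }

    // Performs the two-step read the post describes and returns a description of what happened,
    // so the harness reports either outcome instead of crashing on the exception.
    static string TryReadEncryptedKey(string encryptedKeyXml)
    {
        var serializer = new WSSecurityTokenSerializer(SecurityVersion.WSSecurity11);
        using (XmlReader reader = XmlReader.Create(new StringReader(encryptedKeyXml)))
        {
            reader.MoveToContent();  // the serializer expects the reader on <xenc:EncryptedKey>
            if (!serializer.CanReadKeyIdentifierClause(reader))
                return "CanReadKeyIdentifierClause returned false";

            try
            {
                SecurityKeyIdentifierClause clause = serializer.ReadKeyIdentifierClause(reader);
                return "CanReadKeyIdentifierClause returned true and read a " + clause.GetType().Name;
            }
            catch (XmlException ex)
            {
                return "CanReadKeyIdentifierClause returned true but ReadKeyIdentifierClause threw XmlException: "
                    + ex.Message;
            }
        }
    }

    static void Main()
    {
        Console.WriteLine("EncryptedKey without ReferenceList: " + TryReadEncryptedKey(BuildEncryptedKey(false)));
        Console.WriteLine("EncryptedKey with ReferenceList:    " + TryReadEncryptedKey(BuildEncryptedKey(true)));
    }
}
```

Build it as a .NET Framework console application referencing System.ServiceModel, System.IdentityModel and System.Xml. The interesting part is the second line of output: CanReadKeyIdentifierClause still says yes, and the read either succeeds (the serializer consumed the ReferenceList) or fails with the XmlException described above, which is why a preprocessor that treats CanReadKeyIdentifierClause as a guarantee still needs its own exception handling around ReadKeyIdentifierClause.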
Using a ReferenceList inside EncryptedKey is allowed by both the WS-Security 1.0 and WS-Security 1.1 specifications, and moreover it is produced by many WCF security configurations, including BasicHttpBinding with the security mode set to BasicHttpSecurityMode.Message and the client credential type set to BasicHttpMessageCredentialType.Certificate. This configuration creates a mutual certificate asymmetric security binding that uses exactly this problematic token. The rest of the article shows the test fixture that reproduces the issue.