On Thu, 2007-02-08 at 11:41 +0100, Thomas Diesler wrote: XML Signature performs XML Canonicalization which normalizes and depending on the type strips comments. Note that the canonicalization process does not actually alter the SOAP message, it just uses this to build a byte array that the signature algorithm can be performed on. We, along with most other WS-Security implementations I have seen, exclude comments: SignatureOperation.java: transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS); This value is actually declared in the message header. So, if another party does not exclude comments, and does properly declare it (#WithComments specified in header), then it should process correctly, provided that it can see the comments in the SAAJ tree. Yes, if there is a SAAJ bug then security will fail. -Jason