Why use a trusted certificate for WCF message security?

What is the advantage of using a trusted certificate instead of self-signed for message security in WCF?

As far as i understand it's on开发者_运维百科ly used for encryption, not really validating the identity.

Depends, if you use an SSL certificate to offer the WCF Service in https then it's used for encryption, and the client could require it to be trusted (or not).

If the WCF Service Requires the client to sign the request, it is only used for Validation/Verification - and then you will certainly need a trusted certificate.

(The client certificate is then configured as an <endpointBehavoir>)

The problem is you cannot really trust the message unless you trust the issuer. Message security implies encryption and signature. If the certificate is not signed by a trusted issuer, there is a much higher risk that the security infrastructure is not reliable:

• are certificate properly stored?
• who is able to issue certificates?
• ...

A valid certificate is one of the first steps to secure your infrastructure.

Think of it as if anyone was able to create his own ID card, how would you trust someone then?