2.2.2.1.4 Context Cancellation Binding

The context cancellation binding is specified in [WSSC] section 7 and [WSSC1.3] section 6. This document overrides the following specification:

• [WSSC1.3] section 6: "Proof of possession of the key associated with the security context MUST be proven in order for security context to be canceled. It is RECOMMENDED that this is done by creating the original claims signature over the signature that signs message body and key headers."

Proof of possession MUST be established by including a security context token conforming to section 2.2.1.5 and a corresponding signature conforming to section 2.2.1.7 in the security element conforming to section 2.2.1. The elements that MUST be signed are specified in section 2.2.1.7. Signatures MUST NOT be signed to prove possession.