I do not see any security specific requirements in WS-I RSP, for messages using MTOM. In BP 2.0 there is only some light profiling: See Section 3.1.4 for conformance criteria when using HTTP. R1020 A XOP_ENCODED_MESSAGE MUST include the start-info parameter in the Content-Type header of the enclosing multipart/related MIME entity body. CORE TESTABLE BP1020 R1021 A XOP_ENCODED_MESSAGE MUST include the full value of the type parameter from the root entity body part inside the start-info parameter of the enclosing multipart/related MIME entity body part's Content-Type header. CORE TESTABLE BP1021 R1022 A RECEIVER MUST NOT fault due to the action parameter of an XOP encoded message being included with the value of the start-info parameter inside the Content-Type header of the enclosing multipart/related MIME entity body. CORE NOT_TESTABLE As for BSP, I do not see any ref to XOP encoding at all. -jacques