...
The default values of signRequests and signResponses for this profile make a channel-dependent choice. Specifically, the profile signs on the front-channel, and on the back-channel only if TLS isn't used (very unusual) or if the receiving port is 443. It assumes that traffic over 443 will be relying on message-based security measures (but see the related discussion elsewhere on this page), whereas traffic to an alternative TLS port like 8443 will be relying on mutual authentication and thus provides a secure channel.
...