I have a policy assertion file that requires requests to be signed and
optionally encrypted. When a request is not encrypted all works well. When
a request is encrypted WSE does not verify that the request is encrypted with
the specified security token. It appears that as long as it is encrypted and
the message can be decrypted (public key exists in KeyStore) the assertion is
satisfied.
Does anyone know how to make encryption optional but enforce a specific
certificate?
<wssp:Confidentiality wsp:Usage="wsp:Optional">
  <wssp:KeyInfo>
    <wssp:SecurityToken>
      <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
      <wssp:TokenIssuer>O="RSA Security, Inc.", OU=WS-I Sample Applications CA</wssp:TokenIssuer>
      <wssp:Claims>
        <wssp:SubjectName MatchType="wssp:Exact">O=WS-I, OU=WS-I Sample Applications, CN=Retailer</wssp:SubjectName>
        <wssp:X509Extension OID="2.5.29.14" MatchType="wssp:Exact">lE5aEvMfb4RWrmrUeVgXkq8V62s=</wssp:X509Extension>
      </wssp:Claims>
    </wssp:SecurityToken>
  </wssp:KeyInfo>
  <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
</wssp:Confidentiality>
Thanks for any feedback!
Greg M - 09 Aug 2005 22:58 GMT
Ah, WSE 2.0 only supports the wsp:Required value for the wsp:Usage attribute.
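
The check the question asks for (body encryption optional, but if present it must target the certificate whose SubjectKeyIdentifier is in the policy), as an added example that is not part of the original thread and does not use the WSE API. It assumes the sender identifies the certificate in the xenc:EncryptedKey with an X509SubjectKeyIdentifier reference; the function names and the sample envelope are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
}
SKI_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier")
EXPECTED_SKI = "lE5aEvMfb4RWrmrUeVgXkq8V62s="  # X509Extension 2.5.29.14 claim in the policy

def constructed_envelope(ski):
    """Constructed sample request (ciphertext elided) whose EncryptedKey names `ski`."""
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:xenc="{NS['xenc']}"
 xmlns:ds="{NS['ds']}" xmlns:wsse="{NS['wsse']}"><soap:Header><wsse:Security>
<xenc:EncryptedKey><ds:KeyInfo><wsse:SecurityTokenReference>
<wsse:KeyIdentifier ValueType="{SKI_TYPE}">{ski}</wsse:KeyIdentifier>
</wsse:SecurityTokenReference></ds:KeyInfo>
<xenc:ReferenceList><xenc:DataReference URI="#body"/></xenc:ReferenceList>
</xenc:EncryptedKey></wsse:Security></soap:Header>
<soap:Body><xenc:EncryptedData Id="body"/></soap:Body></soap:Envelope>"""

def check_body_encryption(envelope_xml, expected_ski=EXPECTED_SKI):
    """Return 'plaintext' or 'encrypted-ok'; raise ValueError on a violation."""
    if "<!DOCTYPE" in envelope_xml:
        raise ValueError("DTDs are not allowed in SOAP messages")
    root = ET.fromstring(envelope_xml)
    body = root.find("soap:Body", NS)
    if body is None:
        raise ValueError("no SOAP Body")
    data = body.find("xenc:EncryptedData", NS)
    if data is None:
        return "plaintext"  # wsp:Optional: an unencrypted body is acceptable
    ref = "#" + data.get("Id", "")
    for key in root.iterfind("soap:Header/wsse:Security/xenc:EncryptedKey", NS):
        refs = key.iterfind("xenc:ReferenceList/xenc:DataReference", NS)
        if ref not in [r.get("URI") for r in refs]:
            continue  # this key protects some other part of the message
        kid = key.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:KeyIdentifier", NS)
        if kid is None or kid.get("ValueType") != SKI_TYPE:
            raise ValueError("EncryptedKey does not identify its certificate by SKI")
        if (kid.text or "").strip() != expected_ski:
            raise ValueError("body encrypted for an unexpected certificate")
        return "encrypted-ok"
    raise ValueError("no EncryptedKey references the encrypted Body")
```

The check has to run on the message as received, before decryption replaces the EncryptedData element with the plaintext body.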