When using SecurityPolicies with SecureChannelEnhancements = TRUE, the Signature on the OpenSecureChannel Response is calculated by appending the bytes of the Signature from the first OpenSecureChannel Request to the bytes of the first OpenSecureChannel Response.
The ChannelThumbprint is the Signature on the OpenSecureChannel Response.
This additional Signature calculation is not done when renewing a SecureChannel since the key derivation method described in 6.8.1 always includes key data from the first OpenSecureChannel exchange.
Figure 14 illustrates how to sign the OpenSecureChannel Response and calculate the ChannelThumbprint.
Figure 14 – ChannelThumbprint Calculation
This signature calculation method makes the protocol more resistant to man-in-the-middle attacks (see OPC 10000-2).
The ChannelThumbprint comes from the first OpenSecureChannel exchange. It is a unique identifier for the SecureChannel and is used in the calculation of Channel Bound Signatures (see OPC 10000-4).
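The calculation above, and why it resists a man-in-the-middle, as an added example that is not part of the specification text. Ed25519 stands in for whichever signature algorithm the SecurityPolicy defines, and the keys, message bytes and function names are constructed assumptions rather than real OPC UA encodings.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// signedData builds the bytes covered by the response Signature:
// the response bytes followed by the Signature of the first request.
func signedData(response, requestSig []byte) []byte {
	return append(append([]byte{}, response...), requestSig...)
}

// signResponse is the server side. The returned Signature is also the ChannelThumbprint.
func signResponse(key ed25519.PrivateKey, response, requestSig []byte) []byte {
	return ed25519.Sign(key, signedData(response, requestSig))
}

// verifyResponse is the client side. It uses the request Signature the client
// itself sent, never one taken from the wire.
func verifyResponse(pub ed25519.PublicKey, response, sentSig, responseSig []byte) bool {
	return ed25519.Verify(pub, signedData(response, sentSig), responseSig)
}

// demo runs two constructed exchanges and reports whether the client accepts each.
func demo() (direct, altered bool, thumbprint []byte) {
	// Constructed keys and messages (assumptions, not real OPC UA encodings).
	client := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, ed25519.SeedSize))
	other := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{2}, ed25519.SeedSize))
	server := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{3}, ed25519.SeedSize))
	serverPub := server.Public().(ed25519.PublicKey)
	request, response := []byte("OPN request #1"), []byte("OPN response #1")
	sentSig := ed25519.Sign(client, request)

	// Case 1: the server saw the client's own request Signature.
	thumbprint = signResponse(server, response, sentSig)
	direct = verifyResponse(serverPub, response, sentSig, thumbprint)

	// Case 2: the server saw a request re-signed in transit with another key.
	seenSig := ed25519.Sign(other, request)
	altered = verifyResponse(serverPub, response, sentSig, signResponse(server, response, seenSig))
	return
}

func main() {
	direct, altered, tp := demo()
	fmt.Printf("direct=%v altered=%v thumbprint=%x...\n", direct, altered, tp[:8])
}
```

In the second case the server's Signature is valid over what the server saw, but the client rejects it because its own request Signature is part of the signed data.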