I’ve recently had to implement XML messaging with two large entities that required us to provide an SSL client certificate as well as sign the SOAP message body with a different signing certificate. Aside from redundancy, does the signing of the message body WITH A DIFFERENT CERTIFICATE provide any additional protection?
Edited to clarify the question and to point out the years-long misunderstanding between EJP and me.
The value of signing the message in addition to using SSL with mutual auth (client cert) is that you get non-repudiation. However, you get that whether the client cert or a different signing cert is used to sign the message.
Signing the message provides legally enforceable non-repudiation over the transaction. You have proof that that client and only that client could have sent that message, and you can repeat the signature verification in court to demonstrate. SSL gives you the same thing technically at a lower level, but you don’t have any way of getting the signature out, so you can’t produce it in court: you are down to handwaving in evidence, as opposed to an actual digital signature, which is a legal signature and thus prima facie evidence.
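The point above, that a message-level signature is an artifact you can archive and re-verify later while a TLS session leaves nothing comparable behind, as an added example that is not part of either answer. It signs the raw body bytes with RSA/SHA-256 as a stand-in for a WS-Security XML Signature (which would additionally canonicalize the XML); the key, the SOAP body and the tampered body are constructed sample data.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// SignedMessage is the artifact a relying party can store and produce later:
// the message body exactly as signed, plus a detached signature over it.
type SignedMessage struct {
	Body      []byte
	Signature []byte
}

// SignBody signs a SOAP body with the sender's signing key
// (RSA PKCS#1 v1.5 over a SHA-256 digest of the body bytes).
func SignBody(key *rsa.PrivateKey, body []byte) (SignedMessage, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return SignedMessage{}, err
	}
	return SignedMessage{Body: body, Signature: sig}, nil
}

// VerifyBody is what a verifier re-runs at any later time, needing only the
// archived body, the signature and the signer's public key (from its cert).
// Nothing about the original TLS session is required or available here.
func VerifyBody(pub *rsa.PublicKey, m SignedMessage) bool {
	digest := sha256.Sum256(m.Body)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], m.Signature) == nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed signing key
	body := []byte(`<soap:Body><Transfer amount="100"/></soap:Body>`) // constructed sample
	msg, _ := SignBody(key, body)
	fmt.Println("signature (base64 prefix):", base64.StdEncoding.EncodeToString(msg.Signature)[:32])
	fmt.Println("verifies:", VerifyBody(&key.PublicKey, msg))
	// Any change to the archived body breaks the stored signature.
	msg.Body = []byte(`<soap:Body><Transfer amount="999"/></soap:Body>`)
	fmt.Println("after tampering:", VerifyBody(&key.PublicKey, msg))
}
```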