In a direct reference, the actual certificate, or a path to the URI specifying a remote data source containing the token element, is embedded in the SOAP header.

In an indirect reference, a certificate property, such as the X.509 key identifier, is embedded in the SOAP header. Using this property value, the recipient extracts the property value from the message header and uses it to locate the certificate.