There does not seem to be a way to specify that ebMS3 error messages are to be signed or encrypted. The parameters in D3.5 are about the business message. In particular for asynchronous errors, it is useful to be able to authenticate the MSH that is posting this error to validate it is the MSH to which the message in error was sent and not some other.

For AS4 we could simplify this and state that an asynchronous error on a message should be signed if and only if the message in error was signed, as we did with receipt.