Section 7: I still have a problem with the wording here. Stating in C0701 that “UsernameToken credentials SHOULD NOT be
 used for message authentication..”, and then having Section 7.2 explain how to indicate they should be used for 
message level client authentication, seems  contradictory. C0701 also says username tokens “are not cryptographically 
verifiable.”. Of course, if one uses password digest (with nonce & timestamp) one can get cryptographically strong verification the sender knew the password and the token wasn’t pasted in from some other message. Was your intent in C0701 to warn people that username tokens should be used with caution since they: 1)  don’t provide a basis for ensuring overall message integrity; 2) the binding between the token and message is weak
? Perhaps just remove C0701 since it’s the only numbered security consideration in the document and the requirements in
 Section 4.2 already ensure it can’t be used unless you’re using secure transport.

by Blair Dillaway