Due to the intentional vagueness of the WS-Security spec, we should clearly document what is and is not supported when using various security mechanisms. This matrix should probably be driven from interoperability testing.