The document Web Services Security UsernameToken Profile 1.0 line 261
"Token ownership is verified by use of keys...."
Is it reasonable to use wsse:UserNameToken to specify the identity of a user
and then sign this element using the organization's private key? The
Organizational certificate would be specified in a BinarySecurityToken. I am
thinking of something similar to the following