Clients should be aware of rogue DiscoveryServers that might direct them to rogue Servers. Clients can use the SSL/TLS server certificate (if available) to verify that the DiscoveryServer is a server that they trust and/or ensure that they trust any Server provided by the DiscoveryServer. See Part 2 for a detailed discussion of these issues.
In any case, Clients shall always verify that it trusts the Server Certificate and that the EndpointUrl matches the HostNames specified in the Certificate before it creates a Session with a Server. After it creates a Session it shall look at the EndpointDescriptions returned by the Server and verify that it used the best security possible and that the Server’s Certificate matches the one that the Client used to connect. The decision on whether the Client is using the best security possible is made by looking for the largest SecurityLevel among the EndpointDescriptions returned in the CreateSession Response.