This is the complete text in Part 4:

This token shall be encrypted if required by the SecurityPolicy.
The Server should specify a SecurityPolicy for the UserTokenPolicy if the SecureChannel has a SecurityPolicy of None.
If the token is encrypted the password shall be converted to a UTF8 ByteString and then serialized as shown in Table 169.
The Server shall decrypt the password and verify the ServerNonce.
If the SecurityPolicy is None then the password only contains the UTF-8 encoded password.

recommended part 4 text:

This token shall be encrypted if required by the SecurityPolicy.
The Server should specify a SecurityPolicy for the UserTokenPolicy if the SecureChannel has a SecurityPolicy of None. If None is specified for the UserTokenPolicy and Security Policy is None then the password only contains the UTF-8 encoded password. This configuration should not be used unless the network is encrypted in some other manner such as a VPN. The use of this configuration without network encryption would result in a serious security fault, in that it would cause the appearance of a secure user access, but in actuality it would be completely insecure.

If the token is encrypted the password shall be converted to a UTF8 ByteString and then serialized as shown in Table 169.
The Server shall decrypt the password and verify the ServerNonce.

Add following clarification to 7.35.3 UserNameIdentityToken
If None is specified for the UserTokenPolicy and Security Policy is None then the password only contains the UTF-8 encoded password. This configuration should not be used unless the network is encrypted in some other manner such as a VPN. The use of this configuration without network encryption would result in a serious security fault, in that it would cause the appearance of a secure user access, but in actuality it would be completely insecure.

Resolved in document IEC 62541-4 - Services [Pre-CDV] 1.02.02.doc

Agreed to changes in telecon.