...maybe it's just so they can exclude any camera manufacturers who threaten to sue them over patent infringement from connecting via 'their' onvif? ; )
What are the odds that they've decided to protect an internet facing camera against a denial of service attack that attempts to exploit the GetSystemDateAndTime call?
I think I remember reading somewhere that minimal GetSystemDateAndTime deltas are somehow necessary for PTZ control and other time critical functionality. Perhaps the Everfocus developers just decided that this should be a prerequisite for authentication. Wireshark packet analysis of an Everfocus NVR connecting to the camera may reveal some additional insight.
GetSystemDateAndTime should not require authentication at all. See http://www.openipcam.com/files/ONVIF/ONVIF_WG-APG-Application_Programmer's_Guide.pdf
You are welcome!
The key point is here:
The server must SUPPORT WS-Security and the client must SUPPORT both. This does not mean they should use them in particular communication at all.
"Should support" for server mean that client should reasonably expect that server will ask for WS-Security and/or if client will provide WS-Security this brings no harm. look into opposite: server should support WS-Security - not a word for HTTP-Digest, which mean that if client will use HTTP-Digest there is a chance that server will return an error as it has the right not to support HTTP-Digest.
"Should support" for client mean that server can decide on it's own to use HTTP-Digest, WS-Security or nothing. And there client should fulfil server's expectations (see 3.3.6).
conclusion: should support != should use