<snip>
So, to summarize:

*) I disagree that specification of key material should be done through WSDL and/or WS-Policy; that's not what it's for, and there is a real risk of compromise of security-sensitive information this way

*) I am more inclined to view feature-based config as a kind of simplification of policy-based config, and as a potential generator of policy, which makes it complementary to policy, not orthogonal

*) I agree that in some small percentage of cases, we need to support configuration of WS-SecurityPolicy directly, and at a low level, but these cases fall below the 20% bar, and can certainly be exposed through low-level config.
</snip>
For point number 2, are you saying that users would generally use the CXF feature mechanism for configuration of endpoints and that the runtime would generate the policies that a service provider would need to advertise? In that case, a client/consumer could consume the advertised policies and reconfigure themselves based on the policies? So the preferred mechanism for configuration would always be a feature, but for more low-level stuff, policies can be used?
