> 2. when one should favor Apache XML Security Project like
> WSS4J over IBM XSS, VeriSign TSIK etc. What level of
> maturity, support, documentation we have for all these.

Neither IBM's offering nor TSIK are real open source. (For TSIK, I might add a 'yet'.)

I was a core developer of TSIK and I recently started looking at WSS4J. So far I really have no input, just a question for the developers:

* Do you feel using the underlying apache xml security suite helps or detracts, in other words, would it have been better to write the underlying sig/enc code yourselves had you had time? The xml security code suite doesn't compile cleanly, and that always makes me feel ill at ease. (Don't get me wrong -- I notice apache xml security is used in a few projects, e.g., PingID's SourceID offering, so it seems definitely a useful toolkit.)

* Don't you think the name WSS4J is too close to XSS4J to be confusing? I thought they were the same in the beginning!

As an aside: I find some of the subproject naming somewhat annoying. I know Apache has a long tradition of weird names, but still:

Hermes -- the messenger/metal god is for WS-Notification? So, not WS-ReliableMessaging then?

Apollo -- The music, prophecy, archery, medicine, sun, etc. God. I wonder what WS project he fits into? It seems it would be WS-Resource Framework, but I don't get the name mapping here.

Sandesha -- what's that? An unknown Greek God? Oh wait, here is the WS-RM implementation. Sigh.

A correct abstraction of all these WS-* standards means a world of difference to people making decisions. Mixing mythologies, and adding a slightly-off concept mapping, hurts the cause.

Just my opinion thrown out for a discussion!

Thanks,
Hans
