Scott has some comments about WSE 2.0 (which, just in case you haven't heard yet, has RTMed) and I wanted to comment on a few things...
Question: The Basic Profile is great, but are the other specs getting too complicated?
My Personal Answer (today): Kinda feels like it! WS-Security will be more useful when there is more support on the Java side. As far as WS-Policy, it seems that Dynamic Policy is where the money's at and it's a bummer WSE doesn't support it. [Scott]
It's the tools that are at issue here, I think, rather than the specs. I spent some time writing WS-Security by hand about a year ago, and yes, it's complicated, but I don't think unnecessarily so. The problem is that we aren't supposed to be writing it by hand. We take SSL totally for granted, but writing an SSL implementation from scratch is non-trivial; we don't have to write one ourselves anymore, so we can take it for granted. The problem (in the specific case of WS-Security) is that we have taken SSL for granted for Web Services too, and that assumes Web Services are bound to HTTP. In order to break the dependence on HTTP (which opens up many new application scenarios) we have to replace all the things HTTP gives us "for free", like encryption, addressing and authentication. Because those things have to be declared in the message itself to fit with SOAP, rather than handled procedurally by the transport, I think they feel harder than getting the same thing from procedural code.
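To make the "declarative rather than procedural" point concrete, here is an added example (mine, not code from Scott's post or from WSE) in Python rather than .NET: the authentication that HTTP would otherwise hand us is carried in a wsse:Security header using the WS-Security UsernameToken Profile 1.0 PasswordDigest construction, Base64(SHA-1(nonce + created + password)), and the receiver performs the checks the message-level approach requires because there is no transport session to lean on: it accepts only the digest form, enforces a freshness window on wsu:Created, and keeps a nonce cache so a captured header cannot be replayed. The function names, the user "alice", the credential store and the Ping body are all constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

# Namespace URIs from WS-Security 1.0 (OASIS, 2004) and the UsernameToken Profile 1.0.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
NONCE_ENCODING = ("http://docs.oasis-open.org/wss/2004/01/"
                  "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile: Password_Digest = Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_envelope(username, password, body_xml, created=None, nonce=None) -> str:
    """Sender side: authentication goes into the SOAP header, not the transport."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    digest = password_digest(nonce, created, password)
    nonce_b64 = base64.b64encode(nonce).decode("ascii")
    return (
        f'<soap:Envelope xmlns:soap="{SOAP}">'
        "<soap:Header>"
        f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" soap:mustUnderstand="1">'
        '<wsse:UsernameToken wsu:Id="UsernameToken-1">'
        f"<wsse:Username>{escape(username)}</wsse:Username>"
        f'<wsse:Password Type="{DIGEST_TYPE}">{digest}</wsse:Password>'
        f'<wsse:Nonce EncodingType="{NONCE_ENCODING}">{nonce_b64}</wsse:Nonce>'
        f"<wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken>"
        "</wsse:Security>"
        "</soap:Header>"
        f"<soap:Body>{body_xml}</soap:Body>"
        "</soap:Envelope>"
    )


def verify_envelope(envelope_xml, lookup_password, seen_nonces, now=None,
                    max_skew=timedelta(minutes=5)):
    """Receiver side. Returns (accepted, reason); seen_nonces is the replay cache."""
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError:
        return False, "malformed XML"
    token = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if token is None:
        return False, "no UsernameToken"
    username = token.findtext(f"{{{WSSE}}}Username")
    pw = token.find(f"{{{WSSE}}}Password")
    nonce_b64 = token.findtext(f"{{{WSSE}}}Nonce")
    created = token.findtext(f"{{{WSU}}}Created")
    if username is None or pw is None or nonce_b64 is None or created is None:
        return False, "incomplete token"
    if pw.get("Type") != DIGEST_TYPE:
        return False, "only PasswordDigest is accepted"  # never take PasswordText
    try:
        created_at = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        nonce = base64.b64decode(nonce_b64, validate=True)
    except ValueError:
        return False, "unparseable Created or Nonce"
    now = now or datetime.now(timezone.utc)
    if abs(now - created_at) > max_skew:
        return False, "Created outside freshness window"
    if nonce in seen_nonces:
        return False, "replayed nonce"
    secret = lookup_password(username)
    if secret is None:
        return False, "unknown user"
    expected = password_digest(nonce, created, secret)
    if not hmac.compare_digest(expected, pw.text or ""):
        return False, "digest mismatch"
    seen_nonces.add(nonce)  # remember the nonce only once the message is accepted
    return True, "ok"


def demo():
    """Constructed scenario: a valid message, then a replay, a wrong password and a stale Created."""
    users = {"alice": "correct horse battery staple"}  # constructed credential store
    body = '<p:Ping xmlns:p="urn:example:ping"/>'       # constructed body
    seen = set()
    good = build_envelope("alice", users["alice"], body)
    results = {"fresh": verify_envelope(good, users.get, seen)}
    results["replay"] = verify_envelope(good, users.get, seen)
    results["wrong_password"] = verify_envelope(
        build_envelope("alice", "guess", body), users.get, seen)
    stale_created = (datetime.now(timezone.utc) - timedelta(minutes=10)).strftime(TIME_FMT)
    results["stale"] = verify_envelope(
        build_envelope("alice", users["alice"], body, created=stale_created), users.get, seen)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15} -> {outcome}")
```

Note that the UsernameToken digest only authenticates the sender: it does not bind the Body to the header or hide its contents, which is what the XML Signature and XML Encryption parts of WS-Security are for, and it is exactly that extra machinery, plus the clock and nonce bookkeeping above, that a transport like SSL would otherwise have handled for us.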
If we are to realize the full potential of Web Services and SO, then we have to have all this infrastructure in place, to the point where it becomes ubiquitous. Then we can take the WS-* specs for granted just like we do SSL today. Unfortunately the tools haven't caught up yet. Three or four years ago we were writing an awful lot of SOAP and WSDL related code ourselves, and now the toolsets have (mostly) caught up. Given enough time the tools should be able to encompass the rest of the standards we need to open up all the new application scenarios.
Steve Maine makes a good analogy to the corporate mailroom. There's a lot of complexity and many complex systems involved in getting mail around the postal system which we don't see on a daily basis. But it's out there nonetheless, and we couldn't get mail around without it. When we can take SO for granted like we do the postal system, then we'll see the full potential of what SO can do for business, etc. in the real world.