I read the early specifications of WS-Policy almost two years ago and was pretty impressed. I felt it could be abstracted for reuse in other places (not just web services) as well. In this interview, Toufic Boubez talks about why you need something like WS-Policy:
Here’s the fundamental problem. In order for Web services to work, period — not to work well, not to work better, but just to work — you need more than the API. The API being the WSDL. The WSDL tells you where to send the SOAP request and what the operations are. But that’s not enough for a requestor and a service provider to actually work together. There are a lot of other things that are not API-related — security mechanisms, credentials, encryption, reliable messaging, etc. — that cannot be expressed in a WSDL. That’s the crux of the issue. How do you express those things so that you can have a requestor and a service provider actually talk to each other? WSDL is just a small, small part of it. It’s just the description of the API. It doesn’t describe anything else that is around the API.
WS-Policy, as I recall from an earlier look, is structured well. Need to take some of the XML patterns in that specification and apply them elsewhere.