Let me ask a question to the Java participants - - what would it mean to add identity management to every single application function, so that we can determine upfront who and why a user is able to access resources? Would this not be the answer to Java web services in a distributed environment, though you may ask where is the central repositiory of data. Well, why not have the data sources be tied together by the identity management software, and then add-in registry software that incorporates sign-in. I believe I have solved a long-running problem in the roll-out of reusable web services, as well as basis for new app development. Not in the form of new professional services fees, necessarily, but the implementation of a development paradigm that recognizes the need for security and usability for identity. These topics typically are so mundane that I don't pay much attention, but the reality is that the Java developer community needs a direction to address the requirements of SOA.