At the higher levels of the stack, although there is some agreement between [the vendors] on the specifications and proposals around security, there are other opportunities around things like transactions and business rules that could create more divergence.

The industry is beginning to acknowledge that there are different parts of governance that need to be understood and runtime is as important as design time. You want to catch things at design time if you can, but there are other policies have to be enforced by data flowing through system rather than the nature of program code and that's a worthy goal.

Companies like Cisco are promoting idea that the ability to manage these policies can be done in the network efficiently. Other companies are saying that's true, but the network doesn't know what all the policies are and there are natural places from which policies emerge, whether that's the development tools, etc. They're both right.

The number of Web services that can be deployed today without security and transaction support is pretty limited. And that means it doesn't have a critical mass that would make it economically viable for hosting by an ISP or an ASP.

You can't operate an application that's mission-critical without the full runtime environment that gives you reliable, highly available and scale applications with all the things you've come to expect -- load balancing and fail-over support and management tools.