Posted to fx-dev@ws.apache.org by Christof Soehngen <Ch...@SYRACOM.DE> on 2004/03/03 09:42:09 UTC

Status of WSS4J?

Hello everyone,
 
I'm exploring possibilities for doing WS-Sec in Java (in Axis, to be specific) and found WSS4J.
The current status looks very interesting, even though I know that, for example, XML encryption is still beta (or alpha?) in XML Sec.
 
I checked out a snapshot a few days ago and am not sure about the current status, so can anyone correct me if I'm wrong?
 
1. addUTElement does not work currently?
2. Timestamp is inserted into security header only if using default options, there is no way to control it?
3. When doing sig. + enc. in one handler, WSS4J uses the private key of one user to sign, the public key of the same user to encrypt the symmetric session key. Does this make sense? No one will be able to decrypt that session key unless he has the private key of the user that encrypted it.
4. I see that public key encryption is not supported in the WS-Sec specification. But for small messages, is it really better to provide a symmetric key encrypted with public key method? Wouldn't it be easier (and faster) to encrypt the whole (small) message with the public key?
 
Thanks for your time,
Christof
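
The key roles that point 3 asks about, as an added example that is not part of the original message and is not WSS4J code: it uses only the standard Java JCA APIs, and the two RSA key pairs and the sample body are constructed in-process as stand-ins for the signing user and the receiving party. A session key wrapped under the signer's own public key can be recovered only with the signer's private key, while one wrapped under the receiver's public key can be recovered by the receiver.

```java
import javax.crypto.*;
import java.nio.charset.StandardCharsets;
import java.security.*;

public class KeyRolesDemo {
    static final String OAEP = "RSA/ECB/OAEPWithSHA-1AndMGF1Padding";

    // Encrypt (wrap) the symmetric session key under an RSA public key.
    static byte[] wrap(SecretKey k, PublicKey pub) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(OAEP);
        c.init(Cipher.WRAP_MODE, pub);
        return c.wrap(k);
    }

    // True only if priv recovers exactly the session key that was wrapped.
    static boolean canUnwrap(byte[] wrapped, PrivateKey priv, SecretKey expected) {
        try {
            Cipher c = Cipher.getInstance(OAEP);
            c.init(Cipher.UNWRAP_MODE, priv);
            Key k = c.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
            return MessageDigest.isEqual(k.getEncoded(), expected.getEncoded());
        } catch (GeneralSecurityException e) {
            return false; // private key does not match the wrapping public key
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair sender = kpg.generateKeyPair();    // constructed: the signing user
        KeyPair recipient = kpg.generateKeyPair(); // constructed: the receiving party
        byte[] body = "<order>constructed sample</order>".getBytes(StandardCharsets.UTF_8);

        // Signing uses the sender's private key; verification needs only the sender's public key.
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(sender.getPrivate());
        s.update(body);
        byte[] sigBytes = s.sign();
        s.initVerify(sender.getPublic());
        s.update(body);
        System.out.println("signature verifies with sender public key: " + s.verify(sigBytes));

        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey session = kg.generateKey();
        byte[] forSender = wrap(session, sender.getPublic());       // the case in point 3
        byte[] forRecipient = wrap(session, recipient.getPublic()); // key addressed to the receiver
        System.out.println("recipient opens key wrapped for sender: " + canUnwrap(forSender, recipient.getPrivate(), session));
        System.out.println("sender opens key wrapped for sender: " + canUnwrap(forSender, sender.getPrivate(), session));
        System.out.println("recipient opens key wrapped for recipient: " + canUnwrap(forRecipient, recipient.getPrivate(), session));
    }
}
```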