I trust the water piped directly to my house, but I'm more careful when it comes to packages which flop through my letterbox. A signed-sealed envelope delivered by a courier boosts my confidence, but it helps a lot more if I know who sent it. So whilst WS-Security offers a little more than just TLS, it's the thought and effort being expended to establish and exchange identity that currently gives WS-* the security edge over REST. It's great to see that RESTians are starting to at least see the issue, triggered by Pete Lacey and Gunnar Peterson's great posts. But don't panic: I suspect the establishment of Trust and exchange of Identities may indeed be answered by SOAP/WSS, only it'll be baked-hard and packaged into something like CardSpace. That way the slippy stuff won't prevent us from continuing to use the Web and getting shit done.