W3C home > Mailing lists > Public > public-p3p-spec@w3.org > April 2003

Ref: the Beyond HTTP (BH) Task Force

From: <Patrick.Hung@csiro.au>
Date: Sat, 19 Apr 2003 20:08:00 +1000
Message-ID: <754324CDE8E4EE4498D8E0357D91368501600EA5@saab-bt.act.cmis.CSIRO.AU>
To: public-p3p-spec@w3.org

Hi Joseph,

Referring to the document at http://www.w3.org/P3P/2003/04-beyond-http.html
and your message posted on Mar 29, here are some comments.

> The most interesting/difficult requirement is with respect to delegation
and 
> propagation. The Web Services Architecture Usage Scenarios has a Third 
> Party Intermediary scenario [4] that is perhaps closes to what we would 
> want to do?
>
> [4] http://www.w3.org/TR/2002/WD-ws-arch-scenarios-20020730/#S030
>
> While I've looked at the WS-Policy specifications [5] I think it's perhaps

> best to play with this scenario in the context of a SOAP message header
[6] 
> or a WSDL definition [7] for the time being.
> [5] 
>
http://msdn.microsoft.com/webservices/understanding/default.aspx?pull=/libra
ry/en-us/dnglobspec/html/wspolicyspecindex.asp
> [6] http://www.w3.org/TR/soap12-part1/#muprocessing
> [7] http://www.w3.org/TR/2001/NOTE-wsdl-20010315#A3

I have done a bit about WS-Policy and also the delegation issues of Web
services
for a health informatics project by using Web services technologies. If you
are 
interested in it, you can check some relevant information at:
http://www.eti.hku.hk/eti/web/download/WSS2003.pdf
http://www.cmis.csiro.au/Patrick.Hung/documents/Hung-Qiu-2003-IEEE-CEC03.pdf

In fact, I have been thinking whether it is feasible and appropriate to
implement/apply P3P 
into WS-Policy for the project. Anyway, the first job for me is to
"modify/change/re-create" 
the PURPOSE elements (Section 3.3.4 from The P3P1.0 Specification) for this
project. Thus, 
I have to define the <purposes/> of collecting/processing the health data as
some specific 
purposes in the context of health data and epidemiological statistics, such
as "<vital-statistics/>," 
"<morbidity-statistics/>," and etc. Anyway, I am still studying on it.

> I haven't made an attempt at it yet -- has anyone else? -- but I hope to 
> soon. However, even without doing so, I ask myself if:
> 1. Does the privacy statement belong at the SOAP level, or HTTP? In the 
> majority of cases SOAP will be transported over HTTP, what happens if both

> of a HTTP statement?

As HTTP is a carrier for SOAP messages, I don't really get what you mean
here. Do you mean
that what happens if both "Web service requestor" and "Web service provider"
using HTTP and 
no SOAP message?

> An application specification MUST specify where relevant P3P statements
can be found. We recommend 
> that a higher/abstract layer MAY include the privacy policy of layers it
is dependent upon, but that lower 
> layers SHOULD NOT represent the policies of higher layers. For example, an
application that transfers data 
> with SOAP over HTTP that uses cookies, MUST specify:
>
> 1. the P3P policy associated with SOAP is normative and includes the HTTP
policy, or 
> 2. there are distinct P3P policies associated with the SOAP and HTTP
layers.

By "my understanding," it should not be possible for a Web service requestor
(i.e., Web service) to set 
cookies at the side of Web service requestor (e.g., an application program
or even another Web service), 
except the Web services requestor's interface resides in a browser. The Web
service provider always resides 
in a Web server.

> 2. Does the privacy statement belong at the WSDL level? Not every service 
> must have a service description. And if they did for the purposes of 
> privacy then *have* to fetch the WSDL before proceeding with the 
> interaction? My sense here is that SOAP would trump the OPTIONAL WSDL 
> definition.

Referring to the first question, do we need separate P3P (privacy) policies
for each operation 
(web method) in a Web service? Then, for the second question, it may be
closely related to
the matchmaking process between Web service requestors and providers. In the
workflow
environment, the service locators (i.e., matchmakers) may have to deal with
the P3P policies from
both tasks and Web services by using APPEL.

Please correct me if I misunderstood anything.

Thanks,

--------------------------------------
Patrick C. K. Hung
Research Scientist, Security and Privacy Group
Commonwealth Scientific & Industrial Research Organisation (CSIRO)
CSIRO Mathematical and Information Sciences (CMIS)
GPO Box 664, Canberra, ACT 2601, Australia
Ph: +612 6216 7031, Fax: +612 6216 7111
Email: Patrick.Hung@csiro.au
URL: www.cmis.csiro.au/Patrick.Hung
Received on Saturday, 19 April 2003 06:08:04 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 17 March 2004 17:46:23 EST