Re: Comments on "[P3P]: Beyond HTTP"

So one alternative is to reference the policy file directly for web 
services rather than the policy reference file. Another alternative is 
to use the extension mechanism to create a more appropriate type of 
reference for web services inside the policy reference file. This 
reference would designate an appropriate scope for a policy that is 
applicable to web services. I don't know enough about what I am talking 
about here to know which would be preferable... but I would like you to 
consider both possibilities.

Lorrie


On Wednesday, June 18, 2003, at 05:59  PM, Joseph Reagle wrote:

>
> Hugo, thank you for this extensive (tutorial!) email!
>
> On Monday 16 June 2003 05:14, Hugo Haas wrote:
>> So, anyway, in order to make things concrete, let's try to address the
>> second case: expressing a URI to a P3P policy document. I think that
>> it is more useful than expressing the URI to a policy reference since
>> a WSDL description would already give a list of policies for each
>> service. Again, this would probably be up for discussion.
>
> I still can't say I understand all of this Feature and WSDL stuff, but I
> think you have a very important point there. A Policy Reference file
> designates a (1) life time (expiration), (2) policies, (3) and set of
> paths for a web site (via INCLUDE and EXCLUDE) where those policies
> apply. Basically a set of URIs over which one does HTTP methods (GET,
> POST, PUT). That makes lots of sense for browsing a web site, but not so
> much for Web Service.
>
> In the Web Service case one will be doing port names (operations) as
> applied to a soap:address? In which case, a Policy Reference file isn't
> really needed.
>
>> --8<----
>> P3P feature
>>
>> - Name
>>
>> 	http://example.org/2003/06/16-p3pf/
>>
>> - Description
>>
>> The P3P feature is used to indicate the P3P policy governing the use
>> of a service.
>>
>> - Properties
>>
>> The P3P feature defines a single property:
>>
>>   Property name:
>>
>> 	http://example.org/2003/06/16-p3pf/id
>>
>>   Property type:
>>
>>   	xsd:anyURI
>>
>> The value of the http://www.w3.org/2003/06/16-p3pf/id property is the
>> identifier for the P3P policy governing the use of the service.
>
> So we sort of have this, less formally, and we haven't given it a
> special "feature" URI...
>
>> Which makes me wonder: are policy reference files useful to Web
>> services? With WSDL and something like a P3P feature, wouldn't the
>> problem addressed by policy reference files be taken care of?
>
> Yes, I think so. So in our scenario, we'd still want the Policy
> Reference file for the XForms/XHTML aspect, but not for the registrar to
> registry aspect.
>
> Patrick, is your understanding sufficient that you have a sense of what
> changes we could make to our document? I still need to keep thinking it
> through for myself....
>

Received on Wednesday, 18 June 2003 20:16:06 UTC