W3C home > Mailing lists > Public > public-p3p-spec@w3.org > March 2003

BH: Introducing the Beyond HTTP (BH) Task Force

From: Joseph Reagle <reagle@w3.org>
Date: Thu, 20 Mar 2003 18:49:59 -0500
To: public-p3p-spec@w3.org
Message-Id: <200303201849.59235.reagle@w3.org>

INTRODUCTION

My name is Joseph Reagle and I've agreed to Chair the proposed "Beyond HTTP 
(BH) Task Force". I was involved in the earlier days of P3P and have since 
been working on XML Signature, Encryption, and Key Management. This task 
force is defined at [1] and would be governed by the charter presently 
under review at [2]; I agree to work according to those terms. 

[1] http://www.w3.org/P3P/2003/03-tf.html#beyond
[2] http://www.w3.org/P3P/Group/Specification/1.1/01-spec-charter.html

The stated goal of the task force is to identify requirements for 
associating P3P policies with protocols other than HTTP, propose a method 
that satisfies those requirements, and document any changes to the P3P 
vocabulary arising from the proposal. Web Services are rather complex and 
I'm skeptical of some of the scenarios I've seen regarding their usage but 
my sense is that the desire is that if they are used to solicit or 
transport personal information they too should be governed by a privacy 
policy. As identified in [1], probably the best way to get traction on the 
problem is to "survey the field" and start with a scenario. 

SURVEY and SCENARIOS

I'll note that AC020 of the Web Services Architecture Requirements [3] has 
very specific requirements on this topic. I've previously commented on this 
draft and the requirements seem reasonable.

[3] http://www.w3.org/TR/2002/WD-wsa-reqs-20021114#AC020
   AC020
          enables privacy protection for the consumer of a Web service
          across multiple domains and services.

          + AR020.1 the WSA must enable privacy policy statements to be
            expressed about Web services.
          + AR020.2 advertised Web service privacy policies must be
            expressed in P3P [85][P3P].
          + AR020.3 the WSA must enable a consumer to access a Web
            service's advertised privacy policy statement.
          + AR020.5 the WSA must enable delegation and propagation of
            privacy policy.
          + AR020.6: Web Services must not be precluded from supporting
            interactions where one or more parties of the interaction are
            anonymous.

The most interesting/difficult requirement is with respect to delegation and 
propagation. The Web Services Architecture Usage Scenarios has a Third 
Party Intermediary scenario [4] that is perhaps closes to what we would 
want to do?

[4] http://www.w3.org/TR/2002/WD-ws-arch-scenarios-20020730/#S030

While I've looked at the WS-Policy specifications [5] I think it's perhaps 
best to play with this scenario in the context of a SOAP message header [6] 
or a WSDL definition [7] for the time being.
[5] 
http://msdn.microsoft.com/webservices/understanding/default.aspx?pull=/library/en-us/dnglobspec/html/wspolicyspecindex.asp
[6] http://www.w3.org/TR/soap12-part1/#muprocessing
[7] http://www.w3.org/TR/2001/NOTE-wsdl-20010315#A3

I haven't made an attempt at it yet -- has anyone else? -- but I hope to 
soon. However, even without doing so, I ask myself if:
1. Does the privacy statement belong at the SOAP level, or HTTP? In the 
majority of cases SOAP will be transported over HTTP, what happens if both 
of a HTTP statement?
2. Does the privacy statement belong at the WSDL level? Not every service 
must have a service description. And if they did for the purposes of 
privacy then *have* to fetch the WSDL before proceeding with the 
interaction? My sense here is that SOAP would trump the OPTIONAL WSDL 
definition.

So! Sorry for the long introduction, but I hope the other task force members 
will introduce themselves too and provide any requirements, scenarios, or 
questions they have as well!

-- 

* Note, I will be on Holiday from March 24-26.

Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature/
W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/
Received on Thursday, 20 March 2003 18:50:00 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 17 March 2004 17:46:23 EST