- From: Joseph Reagle <reagle@w3.org>
- Date: Thu, 20 Mar 2003 18:49:59 -0500
- To: public-p3p-spec@w3.org
INTRODUCTION
My name is Joseph Reagle and I've agreed to Chair the proposed "Beyond HTTP
(BH) Task Force". I was involved in the earlier days of P3P and have since
been working on XML Signature, Encryption, and Key Management. This task
force is defined at [1] and would be governed by the charter presently
under review at [2]; I agree to work according to those terms.
[1] http://www.w3.org/P3P/2003/03-tf.html#beyond
[2] http://www.w3.org/P3P/Group/Specification/1.1/01-spec-charter.html
The stated goal of the task force is to identify requirements for
associating P3P policies with protocols other than HTTP, propose a method
that satisfies those requirements, and document any changes to the P3P
vocabulary arising from the proposal. Web Services are rather complex and
I'm skeptical of some of the scenarios I've seen regarding their usage but
my sense is that the desire is that if they are used to solicit or
transport personal information they too should be governed by a privacy
policy. As identified in [1], probably the best way to get traction on the
problem is to "survey the field" and start with a scenario.
SURVEY and SCENARIOS
I'll note that AC020 of the Web Services Architecture Requirements [3] has
very specific requirements on this topic. I've previously commented on this
draft and the requirements seem reasonable.
[3] http://www.w3.org/TR/2002/WD-wsa-reqs-20021114#AC020
AC020
enables privacy protection for the consumer of a Web service
across multiple domains and services.
+ AR020.1 the WSA must enable privacy policy statements to be
expressed about Web services.
+ AR020.2 advertised Web service privacy policies must be
expressed in P3P [85][P3P].
+ AR020.3 the WSA must enable a consumer to access a Web
service's advertised privacy policy statement.
+ AR020.5 the WSA must enable delegation and propagation of
privacy policy.
+ AR020.6: Web Services must not be precluded from supporting
interactions where one or more parties of the interaction are
anonymous.
The most interesting/difficult requirement is with respect to delegation and
propagation. The Web Services Architecture Usage Scenarios has a Third
Party Intermediary scenario [4] that is perhaps closes to what we would
want to do?
[4] http://www.w3.org/TR/2002/WD-ws-arch-scenarios-20020730/#S030
While I've looked at the WS-Policy specifications [5] I think it's perhaps
best to play with this scenario in the context of a SOAP message header [6]
or a WSDL definition [7] for the time being.
[5]
http://msdn.microsoft.com/webservices/understanding/default.aspx?pull=/library/en-us/dnglobspec/html/wspolicyspecindex.asp
[6] http://www.w3.org/TR/soap12-part1/#muprocessing
[7] http://www.w3.org/TR/2001/NOTE-wsdl-20010315#A3
I haven't made an attempt at it yet -- has anyone else? -- but I hope to
soon. However, even without doing so, I ask myself if:
1. Does the privacy statement belong at the SOAP level, or HTTP? In the
majority of cases SOAP will be transported over HTTP, what happens if both
of a HTTP statement?
2. Does the privacy statement belong at the WSDL level? Not every service
must have a service description. And if they did for the purposes of
privacy then *have* to fetch the WSDL before proceeding with the
interaction? My sense here is that SOAP would trump the OPTIONAL WSDL
definition.
So! Sorry for the long introduction, but I hope the other task force members
will introduce themselves too and provide any requirements, scenarios, or
questions they have as well!
--
* Note, I will be on Holiday from March 24-26.
Joseph Reagle Jr. http://www.w3.org/People/Reagle/
W3C Policy Analyst mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair http://www.w3.org/Signature/
W3C XML Encryption Chair http://www.w3.org/Encryption/2001/
Received on Thursday, 20 March 2003 18:50:00 UTC