W3C home > Mailing lists > Public > public-p3p-spec@w3.org > May 2003

RE: [BH] First (Very Rought) Outline of Beyond HTTP

From: <Patrick.Hung@csiro.au>
Date: Thu, 8 May 2003 00:53:33 +1000
Message-ID: <754324CDE8E4EE4498D8E0357D91368501600FF6@saab-bt.act.cmis.CSIRO.AU>
To: reagle@w3.org, public-p3p-spec@w3.org

Hi Joseph,

Just get back to my seat for this working draft of WSDL + SOAP from other

Referring to the "adopting application," both registrar (soliciting service)
registry (recipent service) may have their own privacy policy. Let's call
P3P policy for Web services as WS-P3P policy. Then, the user (registrant)
has its
privacy preferences defined by the APPEL1.0 for Web services, again let's
it as WS-APPEL1.0. When the user is trying to find the registrar (as a Web
and let's forget the UDDI, the user should has its "user agent" (whatever it
is) to
validate its privacy preferences with the registrar's WS-P3P policy. At this
I can easily imagine that the WS-P3P policy file can be specified in the
WSDL document. For illustration, let's take the WSDL definition of a simple
service providing 
stock quotes (Example 1) from the http://www.w3.org/TR/wsdl. Then, I can
define the "PolicyReferences.xml" file as an attribute in the WSDL
<definitions/> as

<?xml version="1.0"?>
<definitions name="StockQuote"


You can also imagine that the registrar can define those <INCLUDE> and
<EXCLUDE> in the
context of the element(s) in the input messsage(s) of the service(s).

Once the user's privacy preferences are all satisfied with the registrar's
WS-P3P policy,
the user should try to bind with the registrar's service(s) by SOAP
messaging [Stage 1], no matter
the carrier is HTTP or SMTP. So, this is the very simple story. Up to this
moment, there
is no need to specify any "privacy" stuff in the SOAP header??!!

Furthermore, the registrar is going to pass the user's data (vis those input
to the registry. As we describe before, the registry also has its own WS-P3P
privacy policy.
Now we are entering the game of propagation and delegation. I think whether
the registrar's
privacy policy is the same as the registry's privacy policy, or the
registrar's privacy
policy is cover every rule in the registry's privacy policy. If not, I
*think* the registrar
must validate the user's privacy preferences with the registry's privacy
policy before the
registrar pass all the user's data to the registry, right? If so, now I can
try to imagine
that you can *put* the user's privacy preferences (as a URI) in the SOAP
header in [Stage 1].
At this [Stage 2], the registrar is working like a intermediary (or the user
agent) to
handle the privacy issues for the user. Further, if there is any security
token (SAML or WS-Security)
in the SOAP header, the user's preferences have also to address them. And

I will try to write all these ideas as "chunks" for the draft by this

In addition, there are a few typos in the draft:
(1) In an intermediary scenario, data (personal information, privacy
privacies and preferences)
^^^^^^^^^ ?????
(2) The p3p:RECIPIENT Value and Data/Preference Prorogation
                                                ^^^^^^^^^^^ Propagation

Lastly, an interesting question...

enables privacy protection for the consumer of a Web service across multiple
domains and services. 
AR020.1 the WSA must enable privacy policy statements to be expressed about
Web services. 
AR020.2 advertised Web service privacy policies must be expressed in [P3P]
AR020.3 the WSA must enable a consumer to access a Web service's advertised
privacy policy statement. 
AR020.5 the WSA must enable delegation and propagation of privacy policy. 
AR020.6: Web Services must not be precluded from supporting interactions
where one or more parties of the interaction are anonymous. 

Why there is no AR020.4? 



-----Original Message-----
From: Joseph Reagle [mailto:reagle@w3.org]
Sent: Tuesday, 6 May 2003 2:43 AM
To: Patrick.Hung@csiro.au; public-p3p-spec@w3.org
Subject: Re: [BH] First (Very Rought) Outline of Beyond HTTP

On Friday 02 May 2003 05:39, Patrick.Hung@csiro.au wrote:
> Do you have any timeline for this document? Maybe, we should have a
> conference call
> for this task force after we have more content in those chunks.

I hope to have something cogent by the end of next week. Something that the 
task force is happy with by the end of May. June to get external web 
service and "adopting application" feedback, and the the documents itself 
is due in July.
Received on Wednesday, 7 May 2003 10:53:48 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:02:17 UTC