W3C home > Mailing lists > Public > public-p3p-spec@w3.org > October 2003

RE: P3P and WSDL

From: Philippe Le Hegaret <plh@w3.org>
Date: Tue, 07 Oct 2003 14:49:09 -0400
To: Patrick.Hung@csiro.au
Cc: Rigo Wenning <rigo@w3.org>, Hugo Haas <hugo@w3.org>, w3t-archive@w3.org, public-p3p-spec@w3.org
Message-Id: <1065552549.7930.40.camel@jfouffa.w3.org>

On Tue, 2003-10-07 at 06:24, Patrick.Hung@csiro.au wrote:
> One more thought.
> 
> Should it be possible to apply different sets of statements on the data.
> Imagine
> <information>
>   <name>Philippe</name>
>  <email>plh@w3.org</email>
> </information>
> 
> 
> and
> <operation name='send'>
>  <input element='information'/>
> </operation>
> 
> Should you be allowed to express a privacy for the name and a different
> one for email? If yes, then the policy will need to be referenced from
> the schema definition itself.
> <patrick>Yes, it should be allowed. I would like to ask for your opinions.
> In addition, would you please explain it more? Many thanks!</patrick>

Consider the following WSDL:

<definitions [...]>
 <types>
  <schema>
   <xs:element name="information">
     <xs:complexType>
       <xs:sequence>
         <xs:element name="name" type="xs:string"/>
         <xs:element name="email" type="xs:anyURI"/>
         <xs:element name="creditCardNumber" type="xs:string"/>
       </xs:sequence>
     </xs:complexType>
   </xs:element>    
   <xs:element name="result">
     [...]
   </xs:element>    
  </schema>
 </types>
 <my:Privacy rel='P3Pv1' href='http://www.example.org/p3p.xml'/>
 <interface name='QueryService'>
  <operation name='send'>
    <input element='information'/>
  </operation>
 </interface>
 [...]
</definitions>

One can imagine to apply a different privacy restriction on the
name and the email. For examples, the name and email will be used for
customer tracking purposes, and will be stored by the service, while the
credit card number won't be used except for this purchase, and the card
number won't be stored in any case.
The Privacy element applies to the transaction from the WS client to the
Web service and cannot be restrictied to a particular set of data. (on a
side note, I wonder why you need this rel='p3pv1' attribute at all.
don't you deal with versioning by just using namespaces?)
One approach to resolve this would be to use XML Schema annotations (but
they are other approaches and I'm not suggesting that XML Schema
annotations is the best approach):

   <xs:element name="information">
     <xs:complexType>
       <xs:sequence>
         <xs:element name="name" type="xs:string">
          <xs:annotation>
           <xs:appinfo>
             <my:Privacy rel='P3Pv1' href='http://www.example.org/p3p.xml'/>
           </xs:appinfo>
          </xs:annotation>
         </xs:element>
         <xs:element name="email" type="xs:anyURI">
          <xs:annotation>
           <xs:appinfo>
             <my:Privacy rel='P3Pv1' href='http://www.example.org/p3p.xml'/>
           </xs:appinfo>
          </xs:annotation>
         </xs:element>
         <xs:element name="creditCardNumber" type="xs:string">
          <xs:annotation>
           <xs:appinfo>
             <my:Privacy rel='P3Pv1'
                  href='http://www.example.org/otherp3p.xml'/>
           </xs:appinfo>
          </xs:annotation>
         </xs:element>
       </xs:sequence>
     </xs:complexType>
   </xs:element>    

An other solution, used by the WSDL WG to deal with media types, would
be to use XML extensions:

    <xs:element name="information">
     <xs:complexType>
       <xs:sequence>
         <xs:element name="name" type="xs:string"
           my:p3p='http://www.example.org/p3p.xml'/>
         <xs:element name="email" type="xs:anyURI"
           my:p3p='http://www.example.org/p3p.xml'/>
         <xs:element name="creditCardNumber" type="xs:string"
           my:p3p='http://www.example.org/otherp3p.xml'/>
       </xs:sequence>
     </xs:complexType>
   </xs:element>    


In both cases, this would still require defining an element included in
the WSDL to indicate the WSDL processor must follow the rules of P3P:
<my:Privacy wsdl:required=true'/>
(or using a feature, but the WG is still discussing this issue)

In any case, I don't think that this necessarily needs to be addressed
in the first version of the document but a future version will need to.

Philippe
Received on Tuesday, 7 October 2003 14:49:14 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 17 March 2004 17:46:28 EST