W3C home > Mailing lists > Public > public-p3p-spec@w3.org > March 2004

Re: The p3p generic attribute

From: Lorrie Cranor <lorrie@cs.cmu.edu>
Date: Wed, 3 Mar 2004 09:33:35 -0500
Message-Id: <C1037F13-6D1F-11D8-98F5-000A95DA3F5A@cs.cmu.edu>
Cc: public-p3p-spec <public-p3p-spec@w3.org>
To: Rigo Wenning <rigo@w3.org>

OK, I like the distinction between interface description and data. I 
know very little about WSDL and other languages for writing interface 
descriptions... would an interface description include some reference 
to a particular entity or URI where the interface will be processed 
(not sure if that's the right word)? I guess what I'm wondering is 
whether there could still be a problem that a chunk of XML describing 
an interface might be processed by multiple entities, including 
entities that the one who wrote it is unaware of (and thus can't 
anticipate when writing the P3P policy).

Lorrie


On Mar 3, 2004, at 8:44 AM, Rigo Wenning wrote:

>
> Dear all,
>
> I had some talks with Massimo and Mark Nottingham here at the TP in
> Cannes. I have interesting conclusions but I don't have a clue yet how
> to formulate that in the specification.
>
> 1/ Discussion with Mark Nottingham
>
> I discussed the attribute with Mark and the most important remark he
> made was, that there is a very fundamental distinction between applying
> the p3p-attribute on data contained in the element being send over the
> wire and an interface description (like WSDL[1]). Mark suggests that we
> only treat interfaces for the moment and defer the data-sending to 
> later
> (epal?) work.
>
> 2/ Discussion with Massimo
>
> Before and after having talked to Mark, I've talked a lot with Massimo.
> I found out that Massimo's but also Lorrie's approach correspond to 
> what
> Mark calls the data approach. In fact, they assume that data is
> contained in the element <foo 
> xsd:p3patt="p3p.xml"><bar>Rigo</bar></foo>
> Now they claim that not anybody will treat that chunk of XML the way
> as defined in p3p.xml when <foo... is send over the wire.
>
> But this makes the protocol assumption underlying to cc/pp and is the
> flip-side of P3P. In fact it makes the protocol assumption that the
> policy is sent with the data and constrains the recipient of that data.
> This, in terms of P3P, is not possible, as it would mean one is sending
> privacy preferences over the wire. We don't do that and it has complete
> different semantics. So the only thing we know to do today is, that
> if I receive -say- a WSDL interface description with a p3p-attribute
> on it, I know that when submitting data to that interface, my data will
> be treated in the way described in the P3P policy.
>
> If sending data over the wire, it is like sending preferences (like
> cc/pp does). Once we agreed on this, Massimo had no concerns anymore.
>
> The issue is now to find a language to constrain our attribute so that
> it could only apply to interfaces and not to data send over the wire. 
> We
> will probably also need some words to avoid the misunderstanding
> described above (sending data over the wire) as it is most common or
> even the preferred interpretation of most people.
>
> I hope this might help Lorrie in drafting her proposal.
>
>
>   1. http://www.w3.org/TeamSubmission/2004/SUBM-p3p-wsdl-20040213/
> -- 
> Rigo Wenning            W3C/ERCIM
> Policy Analyst          Privacy Activity Lead
> mail:rigo@w3.org        2004, Routes des Lucioles
> http://www.w3.org/      F-06902 Sophia Antipolis
>
Received on Wednesday, 3 March 2004 09:33:52 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 17 March 2004 17:46:30 EST