Re: P3P Generic Attribute for XML Applications from Mark Nottingham on 2004-05-25 (public-p3p-spec@w3.org from May 2004)

From: Mark Nottingham <mark.nottingham@bea.com>
Date: Tue, 25 May 2004 16:01:24 -0700
To: Rigo Wenning <rigo@w3.org>
Cc: public-p3p-spec@w3.org, Lorrie Cranor <lorrie@cs.cmu.edu>
Message-Id: <724814F0-AE9F-11D8-B15D-000A95BD86C0@bea.com>

Hi Rigo, sorry for the delay responding.

On May 4, 2004, at 9:54 AM, Rigo Wenning wrote:

>> Ah, yes; that should do it. Does ENTITY have some mechanism for
>> identifying an anonymous party (e.g., "Anyone I send THIS message to 
>> me
>> MUST conform to this privacy policy)? I'd imagine there are cases 
>> where
>> people using this attribute won't want to explicitly enumerate the
>> entity responsible for conforming to the policy.
>
> Mark, here you fall exactly into the trap of the wrong protocol.
> You send PREFERENCES instead of POLICY in your example ;)
> You don't go to the supermarket to impose your conditions. You
> accept their conditions.

I agree that there are different models; if one were to generalise 
them, they might be
   Entity X will honour policy P when handling data D.
for "policy" (e.g., P3P), and
   Entity Y requires entity X to honour policy P when handling data D.
for "preferences (e.g., EPAL).

My original point was slightly different; in both cases, the data is 
identified as D; P3P specifies this by associating policy with "data 
that is submitted to resource R" but this is really just a referential 
way to identify D.

> In data protection, you need the ENTITY element to be able
> to get to your rights as you can't force your rights against
> anonymous. In a web-service scenario, this is tricky as the
> WS interacting can be a privacy client in one second and a
> data controller in the next second.
> Imagine WS1 discovering WS2. WS1 is requesting something to
> WS2 and finds the P3P Policy in the WSDL. The PP is good and
> WS1 makes its request. If there is need for feedback and WS2
> makes a request to WS1, WS2 would have to check the P3P Policy
> of WS1 first.
>
> (Note that this only applies if _personal_ data is involved, means
> some end-user or request on behalf of an end-user)
> Sending Policies forward and saying SOAP "must understand"
> can't be solved with P3P, it needs EPAL.

Would you agree that the vocabulary for describing the policy and means 
of specifying it could be the same for either application, with the 
only difference being the assertions about who is requiring or 
committing to do what with them?

Regards,

--
Mark Nottingham   Principal Technologist
Office of the CTO   BEA Systems

Received on Tuesday, 25 May 2004 19:01:34 UTC