Re: lightly edited TAG input to DAP WG per 8 Oct and tell Noah

Just a minor comment on how to spin this. It seems to me that the
difference between security architecture and policy architecture is
that policy is about communication within and among system components
that are already trusted (assumed to be well-intentioned), and its
purpose is not to constrain them but to inform them. A security
infrastructure is simply a way to implement a given policy. So
what's needed is to make sure that policy, as information, flows to
all system components that need to be informed by it, and is "in your
face" so that it's easier for a well-meaning programmer to cause it to
be applied than to ignore it through ignorance or oversight.

So instead of "the ability to use policy information to control access
to user data, retention of user data and related concerns", how about
"the ability to communicate policy information so that it can be used
to determine correct access to and retention of user data and
resources"? Of course you can't use it if you don't have it, so
logically this goes without saying, but rhetorically speaking I think
a shift of this kind might help.

Putting it this way sidesteps the argument that David Baron cites.
Even if policy is determined once by a standards body instead of
differentially per site or per user, the communication channel (in
that case, from the spec writer to the programmer) still has to be
there; moving the locus of policy origin simply changes the endpoints
and medium.

Jonathan

On Sun, Nov 29, 2009 at 8:19 PM, Larry Masinter <masinter@adobe.com> wrote:
> ACTION-321
>
> I dropped the ball on this, I’m afraid. Here’s my attempt at
> editing the note from Ashok[1] based on our discussion in
> October [2]. I hope I captured the sense we wanted.
>
> [1] http://lists.w3.org/Archives/Public/www-tag/2009Sep/0073.html
> [2] http://www.w3.org/2001/tag/2009/10/08-minutes#item05
>
> Larry
>
> ===============================================================
>
> The W3C Policy Languages Interest Group maintains a Wiki which contains
> real world cases where personal information has been compromised due to
> inadequate policy or poor/nonexistent enforcement:
> http://www.w3.org/Policy/pling/wiki/InterestingCases. One of these cases
> describes how Virgin Mobile used photos that it found on Flickr in a
> national advertising program.  The photos appeared on large billboards,
> much to the surprise of the owner and the subject.
>
> In the public mind, issues related to the management and protection of
> user information in Web Applications, Device access over the Web and
> Services provided over the Web loom large and must be addressed.  The
> TAG, therefore, urges WGs working in these areas to include in their
> architecture the ability to use policy information to control access
> to user data, retention of user data and related concerns. Addressing
> these concerns should be a requirement, although the details of how
> they are addressed may vary by application. For example, a working
> group might provide mechanisms for including policy information in API
> calls in a flexible manner.
>
> There has been some dialog in this area.  The IETF GeoPriv WG has
> requested the W3C Geolocation WG to add additional support for user
> privacy.  See:
> http://lists.w3.org/Archives/Public/public-geolocation/2009Aug/0006.html
>
> There is a discussion thread on this subject on the Geolocation Mailing
> list:
> http://lists.w3.org/Archives/Public/public-geolocation/2009Jun/thread.html#msg98

Received on Monday, 30 November 2009 13:49:21 UTC