- From: Christopher B Ferris <chrisfer@us.ibm.com>
- Date: Fri, 20 Dec 2002 08:22:07 -0500
- To: "Cutler, Roger (RogerCutler)" <RogerCutler@ChevronTexaco.com>
- Cc: www-ws-arch@w3.org
- Message-ID: <OFB9477C5C.063818D8-ON85256C95.00463743-85256C95.004948B4@rchland.ibm.com>
Hmmm... I'm no P3P expert either. However, my understanding is that a P3P expression asserts policy of a site, or subsection of a site, not a client/user.

If B's policy says something like: "won't give your phone number to 3rd parties" then clearly B would be violating its stated policy if it were passing this information on to another service such as C, regardless of what that third party service's P3P policy might claim and regardless of who C is.

Now, if B's policy stated: "we do not use your email address to send you obnoxious spam on a daily or more frequent basis" and did NOT make the claim that: "we won't send your email to third parties" and B then sent A's email address on to C to fulfil the request (or for any other reason AFAIK) and C's policy did not make such a claim, then it isn't clear to me that B is violating its stated policy by giving the information to a third party whose policy was inconsistent with its own.

Of course, the P3P REC does not provide a technical solution to automate enforcement of a policy, as Roger has correctly cited, nor does P3P cover transferring data in its scope, so this aspect of the discussion (transitive nature of P3P) may all be moot.

Cheers,

Christopher Ferris
Architect, Emerging e-business Industry Architecture
email: chrisfer@us.ibm.com
phone: +1 508 234 3624

"Cutler, Roger (RogerCutler)" <RogerCutler@ChevronTexaco.com>
Sent by: www-ws-arch-request@w3.org
12/19/2002 06:47 PM

To: www-ws-arch@w3.org
cc:
Subject: P3P Hairball??

I can't figure out if I know a little more about P3P than some of the people on the call today -- or a lot less. I certainly am not a P3P expert, but I have looked at how it works. And it impressed me how little of it is truly automated. It seems to me that there is considerable possibility for P3P to mix ungracefully with a machine-to-machine automated web services environment.

For example, if A invokes a web service at B, sending some information to B and expecting some information back -- B may, under the covers, call a web service at C. Although I have not seen it explicitly called out (and maybe it should be), I think that this may be truly under the covers. That is, I don't think it is reasonable to force B to tell A that it has called, or is going to call, C. I think that such a requirement could cause a lot of trouble for commercial applications, including security concerns. In that case, how in the heck does the P3P policy of C get into the act? My understanding is that this is not at all trivial -- and maybe even beyond the scope of P3P as it stands.

As usual, my apologies if I have flawed understanding of what's going on here and am just spreading confusion.
Received on Friday, 20 December 2002 10:34:06 UTC
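The thread's point, that whether B may hand A's data to C depends only on what B's own P3P policy claims and not on C's policy, can be checked mechanically against B's policy file. The following is an added example, not code from either correspondent; it uses the STATEMENT, RECIPIENT and DATA elements of the P3P 1.0 vocabulary, and the policy for the hypothetical site B (and its discuri) is constructed for illustration.

```python
"""Check a P3P 1.0 policy for whether a data element may go to a third party.

Added example with a constructed policy for the hypothetical site B: the phone
number is declared for B only (RECIPIENT ours), the email address is not
(RECIPIENT also lists other-recipient), mirroring the two cases in the thread.
"""
import xml.etree.ElementTree as ET

P3P_NS = "{http://www.w3.org/2002/01/P3Pv1}"

POLICY_B = """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY name="b" discuri="http://b.example/privacy">
  <STATEMENT>
   <PURPOSE><current/></PURPOSE>
   <RECIPIENT><ours/></RECIPIENT>
   <RETENTION><stated-purpose/></RETENTION>
   <DATA-GROUP><DATA ref="#user.home-info.telecom.telephone.number"/></DATA-GROUP>
  </STATEMENT>
  <STATEMENT>
   <PURPOSE><current/></PURPOSE>
   <RECIPIENT><ours/><other-recipient/></RECIPIENT>
   <RETENTION><stated-purpose/></RETENTION>
   <DATA-GROUP><DATA ref="#user.home-info.online.email"/></DATA-GROUP>
  </STATEMENT>
 </POLICY>
</POLICIES>"""


def recipients_for(policy_xml, data_ref):
    """Union of RECIPIENT values over every STATEMENT whose DATA-GROUP names data_ref."""
    root = ET.fromstring(policy_xml)
    found = set()
    for stmt in root.iter(P3P_NS + "STATEMENT"):
        refs = {d.get("ref") for d in stmt.iter(P3P_NS + "DATA")}
        recipient = stmt.find(P3P_NS + "RECIPIENT")
        if data_ref in refs and recipient is not None:
            found.update(child.tag.replace(P3P_NS, "") for child in recipient)
    return found


def may_forward_to_third_party(policy_xml, data_ref):
    """True only if B's own policy declares a recipient beyond B itself for this
    element. C's policy plays no part, as the thread argues. An element the
    policy never mentions yields False: no claim was made, so nothing licenses
    the transfer."""
    return bool(recipients_for(policy_xml, data_ref) - {"ours"})
```

The check is deliberately conservative: a data element covered by no STATEMENT, or only by `ours`, is reported as not forwardable.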