Re: D-AC020.1 discussion points

* Christopher Ferris <chris.ferris@sun.com> [2002-05-04 10:00-0400]
> MSFT: While this has a place among the requirements for a WS architecture,
> its subordination to the reference architecture obliges us to request
> more discussion.
> 
> WVST: +1 
> http://lists.w3.org/Archives/Member/member-wsa-ballots/2002May/0220.html

See discussion below.

> HP: The wording is problematic. Suggest:
> 
> It must be possible for a service consumer to ascertain the privacy policies
> of a web service.

See rewording discussion below.

> And now this seems to be more of a requirement than a CSF.
> 
> ORCL: Shouldn't this be stated as a requirement? A service consumer
> MUST be able to determine the privacy policies .....

It actually was supposed to be phrased as a requirement as mentioned
in [1]. Retrospectively, D-AC020.1 should indeed be D-AR020.1.

> PF: I don't understand this.  How can a CSF be phrased as a question?

See rewording below, result of the discussion starting at [2].

> CMPQ: Seems to require more discussion.  E.g. What is the meaning of
> "knowing" the provider's privacy policies?  Having access to them?

The Web service providers should advertise their privacy policies
(e.g. with P3P[3]) and the Web service consumers should indeed have
access to them in order to decide whether to interact with the service
or not.

* Joseph Hui <jhui@digisle.net> [2002-05-03 16:11-0700]
> >   D-AC020.1
> > 
> >     A service consumer must be able to know the privacy policies of
> >     the service provider(s) that it is going to interact with.
> 
> This sounds good, except the "service consumer must be able to" part
> seems to place the burden (of privacy policies) more on the consumer
> than on the provider.  If it's agreeable that the burden should be
> mostly (or even solely?) on the provider, then it may help to invert
> the statement to something like:
> 
>       A service provider MUST disclose its privacy policies in manners
>       that can be easily understood by the consumers.  In the absence
>       of such disclosure, a consumer (of the service) SHOULD assume
>       that neither the service nor its provider furnishes any privacy
>       policy.

A few comments about this:

- "in manners that can be easily understood": this may be vague.

- I think that I agree with Roger when he says that the first MUST is
  too strong. While we should definitely encourage the advertising of
  privacy policies, it should be OK to have a Web service without any,
  e.g. if it is internal to an organization. SHOULD sounds better to
  me.

- While I agree with the second sentence, I think that it is too
  detailed for the requirements document and should go into the
  architecture document.

Regards,

Hugo

  1. http://lists.w3.org/Archives/Public/www-ws-arch/2002Apr/0099.html
  2. http://lists.w3.org/Archives/Public/www-ws-arch/2002May/0034.html
  3. http://www.w3.org/TR/P3P/
-- 
Hugo Haas - W3C
mailto:hugo@w3.org - http://www.w3.org/People/Hugo/ - tel:+1-617-452-2092

Received on Tuesday, 7 May 2002 21:28:46 UTC