Fwd: RE: EDI and Security Text

[Forwarding to this list with Roger's permission.  This started out as an 
administrative issue, but since it evolved into discussing the text of the 
document, we thought we should move it to the public list.]


> >-----Original Message-----
> >From: w3c-ws-arch-request@w3.org [mailto:w3c-ws-arch-request@w3.org] On
> >Behalf Of Cutler, Roger (RogerCutler)
> >Sent: Wednesday, January 07, 2004 10:15 AM
> >To: David Booth; w3c-ws-arch@w3.org
> >Subject: RE: EDI and Security Text
> >
> >
> >
> >Yes.
> >
> >You didn't really have to do that, but it does make me more
> >comfortable. Thanks.
> >
> >Actually, at this point I think that reads rather well.
> >
> >-----Original Message-----
> >From: David Booth [mailto:dbooth@w3.org]
> >Sent: Wednesday, January 07, 2004 9:23 AM
> >To: Cutler, Roger (RogerCutler); w3c-ws-arch@w3.org
> >Subject: RE: EDI and Security Text
> >
> >
> >Roger,
> >
> >I've added another paragraph:
> >
> >"This is not to say that Web services tracking <emph>must</emph> be
> >done using URIs in this way.  Indeed, there are other ways tracking can be
> >performed, and any engineering design must take many factors into
> >consideration.  Rather, the point is to illuminate the fact that,
> >because Web services architecture is based on Web architecture, Web
> >services have the <emph>possibility</emph> of taking advantage of this
> >use of URIs."
> >
> >Does that address your concerns?
> >
> >At 05:15 PM 1/6/2004 -0600, Cutler, Roger (RogerCutler) wrote:
> > >I'm still a little queasy about this stuff, but certainly not enough
> > >so to object strenuously to it.  I've already explained why, and I don't
> > >have much else to say about it ... So probably we should let it go as
> > >is.  I don't think it's a big deal, and reasonable folks can
> > >certainly differ on these things, particularly in something like this
> > >where the issue is less one of specifying a precise mechanism than
> > >generally indicating an approach.  Personally this is not an approach
> > >that I would be likely to spend a lot of effort pointing to, but ...
> > >
> > >In other words, "Fine with me ... Sort of ..."
> > >
> > >-----Original Message-----
> > >From: w3c-ws-arch-request@w3.org [mailto:w3c-ws-arch-request@w3.org]
> > >On Behalf Of David Booth
> > >Sent: Saturday, January 03, 2004 9:49 PM
> > >To: Cutler, Roger (RogerCutler); w3c-ws-arch@w3.org
> > >Subject: RE: EDI and Security Text
> > >
> > >
> > >
> > >Roger,
> > >
> > >I added some text in section 3.8.5 acknowledging that security is
> > >still needed even if URIs are used to simplify tracking:
> > >
> > >[[
> > >Furthermore, a URI can be clickable: If the URI also represents the
> > >location of a document (or a dynamic query into a database), it could
> > >act as a convenient link for determining the status or history of
> > >that transaction, provided the user is authorized to access such
> > >information.
> > >
> > >(Security mechanisms will need to ensure that a tracking URI cannot
> > >be dereferenced without proper authority and privacy controls, but
> > >the use of URIs is largely orthogonal to this requirement.)
> > >]]
> > >
> > >
> > >At 11:18 AM 12/18/2003 -0600, Cutler, Roger (RogerCutler) wrote:
> > > >I think your comments about URI's in the context of tracking are
> > > >interesting and that they suggest one approach to the issue.  I
> > > >think that this is not, however, the only way of dealing with it and it
> > > >might not even be the most likely one.  The reason I say this is that I
> > > >have noticed that in business applications having something be
> > > >"clickable" is often actually perceived as a liability and is
> > > >carefully avoided. (Sorry, REST folks).  There are various reasons
> > > >for this involving security and the validity of the operation.
> > > >That is, one does NOT want to make it easy to bookmark something
> > > >that makes sense only in the context of a transaction unless the
> > > >full context is somehow brought along, and if that full context is
> > > >somehow brought along that may raise security issues.
> > > >
> > > >Labeling things with URI's for the purpose of tracking is an idea
> > > >that I think has potential, but I think you'd have to think very
> > > >carefully about how to do it in a way that really works and does
> > > >not lead to undesirable side effects.
> > > >
> > > >Of course, what I'm talking about here is a scheme where URI's
> > > >somehow represent the entire tracking mechanism, or are
> > > >functionally complete in some sense by themselves.  A sort of REST
> > > >approach to tracking, perhaps. Obviously a mechanism for tracking
> > > >that involves a uniform query interface, analogous to or part of the
> > > >management interface, would make use of URI's in one way or another.
> > > >
> > > >Having said that, I'm not really objecting to the text you put in.
> > > >I'm not sure whether the discussion above suggests some addition to it
> > > >or whether it's best just left alone.
> > > >
> > > >-----Original Message-----
> > > >From: David Booth [mailto:dbooth@w3.org]
> > > >Sent: Wednesday, December 17, 2003 3:54 PM
> > > >To: Cutler, Roger (RogerCutler); w3c-ws-arch@w3.org
> > > >Subject: Re: EDI and Security Text
> > > >
> > > >
> > > >
> > > > >You agreed to review for possible inclusion in the document:
> > > > >
> > > > >EDI Text -
> > > > >http://lists.w3.org/Archives/Public/www-ws-arch/2003Nov/0005.html
> > > >
> > > > >Done.  I thought it was excellent text, and included it all (with
> > > > >minor editorial changes):
> > > > >http://dev.w3.org/cvsweb/%7Echeckout%7E/2002/ws/arch/wsa/wd-wsa-arch-review2.html#edi
> > > > >I also added some text to that section (subject to the group's
> > > > >review of course) regarding the relationship of the WS Architecture
> > > > >to the Web Architecture, and the potential value of URIs in the
> > > > >context of tracking.  Let me know what you think.
> > > >
> > > > >Oh, there was one sentence that I thought needed a little more
> > > > >clarification.  I've added an editor's note about it.  Could you
> > > > >take a look at it?  It's at
> > > > >http://dev.w3.org/cvsweb/%7Echeckout%7E/2002/ws/arch/wsa/wd-wsa-arch-review2.html#edi-tracking-need
> > > >
> > > >
> > > >--
> > > >David Booth
> > > >W3C Fellow / Hewlett-Packard
> > > >Telephone: +1.617.253.1273

-- 
David Booth
W3C Fellow / Hewlett-Packard
Telephone: +1.617.253.1273

Received on Wednesday, 7 January 2004 15:15:29 UTC
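
The requirement discussed in the thread, a tracking URI that names a transaction but cannot be dereferenced without proper authority, sketched as an added example; it is not part of the original messages or of the WS Architecture draft. The host name, class and method names, and the choice to answer unknown and unauthorized requests identically are all assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass, field

BASE = "https://tracking.example/tx/"  # hypothetical host, not from the thread


@dataclass
class Transaction:
    status: str
    parties: frozenset                      # principals allowed to read status/history
    history: list = field(default_factory=list)


class TrackingService:
    """The URI is only an identifier; authority is checked on every dereference."""

    def __init__(self):
        self._tx = {}

    def open(self, parties, status="received"):
        # The URI carries an opaque id only: no credentials and no transaction
        # context, so bookmarking or forwarding it leaks nothing by itself.
        tx_id = secrets.token_urlsafe(16)
        self._tx[tx_id] = Transaction(status, frozenset(parties), [status])
        return BASE + tx_id

    def update(self, uri, status):
        tx = self._tx[uri[len(BASE):]]
        tx.status = status
        tx.history.append(status)

    def dereference(self, uri, principal):
        """Return (http_status, body); principal is the authenticated caller or None."""
        if principal is None:
            return 401, None                # bookmark opened without a session
        tx = self._tx.get(uri[len(BASE):]) if uri.startswith(BASE) else None
        if tx is None or principal not in tx.parties:
            # Same answer for "no such transaction" and "not yours", so the
            # response does not confirm that a given tracking URI exists.
            return 404, None
        return 200, {"status": tx.status, "history": list(tx.history)}


def demo():
    # Constructed sample principals; returns the status code seen by each caller.
    svc = TrackingService()
    uri = svc.open({"buyer@example", "seller@example"})
    svc.update(uri, "shipped")
    callers = ("buyer@example", "other@example", None)
    return [svc.dereference(uri, who)[0] for who in callers]
```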