Re: XMLP WG Issue 240 Resolution

Lorrie, as you requested, I will put your issue on the WS CG's next telcon
agenda. I think the crux of this issue is that someone needs to take on the
work of actually demonstrating and specifying how a policy is associated
with a SOAP message.
Regards,
David

............................................
David C. Fallside, IBM
Ext Ph: 530.477.7169
Int  Ph: 544.9665
fallside@us.ibm.com



Wednesday, October 16, 2002 10:28 AM
To: "Hugo Haas" <hugo@w3.org>
cc: <xmlp-comments@w3.org>, <www-ws-cg@w3.org>, "P3P Specification Group"
<w3c-p3p-specification@w3.org>
From: "Lorrie Cranor" <lorrie@research.att.com>
Subject: Re: XMLP WG Issue 240 Resolution




While I am quite glad to see the presence of AC020 in the
web services architecture requirements document, I have
two concerns:

1) We understood the XMLP requirement to mean that specific
mechanisms would be specified, while the working group
has instead interpreted it to mean simply to create a spec
which would make it possible for someone else to specify
specific mechanisms. Since AC020 uses the term "enable"
I fear that this requirement may be interpreted in a similar
way, and it might be argued that the requirement has already
been met since nothing in the proposed architecture
prevents mechanisms from being built to do these things -- therefore
it enables privacy protection. Therefore, I would like to see
a requirement that actually mandates that a working group
create something rather than just develop an architecture
absent of obstacles to the future creation of something.

2) I am concerned about your statement "the Web
Services Architecture Working Group will tackle the problem, or at
least place some requirements on a Working Group which will craft a
concrete solution to it." I think that it is important that privacy
get built into web services sooner than later. Privacy protection
can be relatively easy to build into systems when it is built
in from the beginning, while retrofitting systems later tends
to make it more expensive. Since web services technology
is already being deployed, we need to get privacy built into
it as soon as possible. We need someone to take on this
task in the short term, and not leave open the possibility
that a working group will think about this for a while and then
delegate it to another working group.

Lorrie


----- Original Message -----
From: "Hugo Haas" <hugo@w3.org>
To: "Lorrie Cranor" <lorrie@research.att.com>
Cc: <xmlp-comments@w3.org>; <www-ws-cg@w3.org>; "P3P Specification Group"
<w3c-p3p-specification@w3.org>
Sent: Wednesday, October 16, 2002 11:33 AM
Subject: Re: XMLP WG Issue 240 Resolution


> Hi Lorrie.
>
> * Lorrie Cranor <lorrie@research.att.com> [2002-10-16 09:40-0400]
> > The P3P Specification working group is not satisfied with
> > the resolution to issue 240 [2]. We do not believe the XMLP
> > group has met the requirement that it be possible "to associate
> > a P3P Privacy Policy with an XMLP message." Nonetheless,
> > given that the XMLP working group does not believe that
> > further work on this issue is within their charter, we would
> > be satisfied if the issue would be assigned to another web
> > services working group which does have a charter that
> > permits it to work on this.
> >
> > The P3P Specification working group hereby requests that
> > the issue we raised with the XMLP group in [2]
> > be considered by the WS CG so that a process can be
> > put in place by which this issue can be resolved. It is critical
> > that this issue not fall between the cracks simply because
> > no group believes it fits within their charter. The P3P
> > Specification working group would be happy to assist one
> > of the web services groups in resolving this issue. Perhaps
> > this issue could be resolved most expediently by appointing
> > a cross-group task force that includes a couple of members
> > from the P3P group and a couple of members from one of the
> > web services groups.
>
> To understand the issue a little better, how does your request relate
> to the Web services architecture requirement AR020.5[3]:
>
>   The WSA must enable delegation and propagation of privacy policy.
>
> It seems that this requirement covers this, and therefore that the Web
> Services Architecture Working Group will tackle the problem, or at
> least place some requirements on a Working Group which will craft a
> concrete solution to it.
>
> AR020.5 came out of the following scenario, which needs to be
> integrated into the Web Services Architecture Usage Scenarios
> document:
>
>   http://lists.w3.org/Archives/Public/www-ws-arch/2002Jul/0368.html
>
> This scenario doesn't explicitly call out for a P3P policy concretely
> traveling along with a message, but I think that it covers the
> situations.
>
> Regards,
>
> Hugo
>
>   3. http://www.w3.org/TR/2002/WD-wsa-reqs-20021011#AC020
> --
> Hugo Haas - W3C
> mailto:hugo@w3.org - http://www.w3.org/People/Hugo/
>

Received on Wednesday, 16 October 2002 13:44:52 UTC