- From: <Patrick.Hung@csiro.au>
- Date: Sat, 19 Apr 2003 20:08:00 +1000
- To: public-p3p-spec@w3.org
Hi Joseph,

Referring to the document at http://www.w3.org/P3P/2003/04-beyond-http.html and your message posted on Mar 29, here are some comments.

> The most interesting/difficult requirement is with respect to delegation and
> propagation. The Web Services Architecture Usage Scenarios has a Third
> Party Intermediary scenario [4] that is perhaps closest to what we would
> want to do?
>
> [4] http://www.w3.org/TR/2002/WD-ws-arch-scenarios-20020730/#S030
>
> While I've looked at the WS-Policy specifications [5] I think it's perhaps
> best to play with this scenario in the context of a SOAP message header [6]
> or a WSDL definition [7] for the time being.
> [5] http://msdn.microsoft.com/webservices/understanding/default.aspx?pull=/library/en-us/dnglobspec/html/wspolicyspecindex.asp
> [6] http://www.w3.org/TR/soap12-part1/#muprocessing
> [7] http://www.w3.org/TR/2001/NOTE-wsdl-20010315#A3

I have done a bit about WS-Policy and also the delegation issues of Web services for a health informatics project by using Web services technologies. If you are interested in it, you can check some relevant information at:

http://www.eti.hku.hk/eti/web/download/WSS2003.pdf
http://www.cmis.csiro.au/Patrick.Hung/documents/Hung-Qiu-2003-IEEE-CEC03.pdf

In fact, I have been thinking whether it is feasible and appropriate to implement/apply P3P into WS-Policy for the project. Anyway, the first job for me is to "modify/change/re-create" the PURPOSE elements (Section 3.3.4 from The P3P1.0 Specification) for this project. Thus, I have to define the <purposes/> of collecting/processing the health data as some specific purposes in the context of health data and epidemiological statistics, such as "<vital-statistics/>," "<morbidity-statistics/>," etc. Anyway, I am still studying it.

> I haven't made an attempt at it yet -- has anyone else? -- but I hope to
> soon. However, even without doing so, I ask myself if:
> 1. Does the privacy statement belong at the SOAP level, or HTTP? In the
> majority of cases SOAP will be transported over HTTP, what happens if both
> of a HTTP statement?

As HTTP is a carrier for SOAP messages, I don't really get what you mean here. Do you mean what happens if both "Web service requestor" and "Web service provider" are using HTTP and no SOAP message?

> An application specification MUST specify where relevant P3P statements can be found. We recommend
> that a higher/abstract layer MAY include the privacy policy of layers it is dependent upon, but that lower
> layers SHOULD NOT represent the policies of higher layers. For example, an application that transfers data
> with SOAP over HTTP that uses cookies, MUST specify:
>
> 1. the P3P policy associated with SOAP is normative and includes the HTTP policy, or
> 2. there are distinct P3P policies associated with the SOAP and HTTP layers.

By "my understanding," it should not be possible for a Web service requestor (i.e., Web service) to set cookies at the side of the Web service requestor (e.g., an application program or even another Web service), except where the Web service requestor's interface resides in a browser. The Web service provider always resides in a Web server.

> 2. Does the privacy statement belong at the WSDL level? Not every service
> must have a service description. And if they did for the purposes of
> privacy then *have* to fetch the WSDL before proceeding with the
> interaction? My sense here is that SOAP would trump the OPTIONAL WSDL
> definition.

Referring to the first question, do we need separate P3P (privacy) policies for each operation (web method) in a Web service? Then, for the second question, it may be closely related to the matchmaking process between Web service requestors and providers. In the workflow environment, the service locators (i.e., matchmakers) may have to deal with the P3P policies from both tasks and Web services by using APPEL.

Please correct me if I misunderstood anything.

Thanks,

--------------------------------------
Patrick C. K. Hung
Research Scientist, Security and Privacy Group
Commonwealth Scientific & Industrial Research Organisation (CSIRO)
CSIRO Mathematical and Information Sciences (CMIS)
GPO Box 664, Canberra, ACT 2601, Australia
Ph: +612 6216 7031, Fax: +612 6216 7111
Email: Patrick.Hung@csiro.au
URL: www.cmis.csiro.au/Patrick.Hung
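The message above raises two concrete design points: carrying the P3P policy at the SOAP level (Joseph's option 1, with the SOAP header as the normative location) and extending the P3P PURPOSE vocabulary with health-specific purposes such as vital-statistics and morbidity-statistics. The following Python script is an added example written for this page; it is not code from the thread, from CSIRO's project, or from the P3P/SOAP specifications. It builds a SOAP 1.2 envelope whose header block is a P3P 1.0 POLICY marked mustUnderstand, places the custom purposes inside a P3P EXTENSION element under a hypothetical `urn:example:health-purposes` namespace, and then performs a simple requester-side check of the declared purposes against a set the requester accepts. Only the PURPOSE part of a P3P policy is modelled (ENTITY, ACCESS, RECIPIENT, RETENTION and DATA-GROUP are omitted, so the fragment is not a schema-valid policy), and the acceptance check is a stand-in for an APPEL ruleset, not APPEL itself. The `SubmitRecord` body element is likewise hypothetical.

```python
# Added example (not from the thread or the P3P/SOAP specifications): a P3P 1.0
# POLICY carried as a SOAP 1.2 header block, with health-specific purposes in a
# P3P EXTENSION, plus a requester-side purpose check. Only the PURPOSE part of
# a P3P policy is modelled; the "hp" namespace and its purpose names are
# hypothetical.
import xml.etree.ElementTree as ET

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
P3P_NS = "http://www.w3.org/2002/01/P3Pv1"
HEALTH_NS = "urn:example:health-purposes"  # hypothetical extension namespace

ET.register_namespace("env", SOAP_NS)
ET.register_namespace("p3p", P3P_NS)
ET.register_namespace("hp", HEALTH_NS)


def qname(ns, local):
    """Clark-notation name ({namespace}local) as ElementTree uses it."""
    return "{%s}%s" % (ns, local)


def build_envelope(standard_purposes, extension_purposes, must_understand=True):
    """Build a SOAP 1.2 envelope whose header carries a P3P POLICY block.

    standard_purposes / extension_purposes: lists of (name, required) pairs,
    where required is one of the P3P values "always", "opt-in" or "opt-out".
    """
    env = ET.Element(qname(SOAP_NS, "Envelope"))
    header = ET.SubElement(env, qname(SOAP_NS, "Header"))
    policy = ET.SubElement(header, qname(P3P_NS, "POLICY"))
    if must_understand:
        # A receiver that does not implement P3P must fault rather than
        # silently process the data under a policy it never evaluated.
        policy.set(qname(SOAP_NS, "mustUnderstand"), "true")
    statement = ET.SubElement(policy, qname(P3P_NS, "STATEMENT"))
    purpose = ET.SubElement(statement, qname(P3P_NS, "PURPOSE"))
    for name, required in standard_purposes:
        ET.SubElement(purpose, qname(P3P_NS, name), required=required)
    if extension_purposes:
        # P3P 1.0 lets PURPOSE carry an EXTENSION holding foreign-namespace
        # elements; optional="yes" tells P3P agents they may ignore it.
        ext = ET.SubElement(purpose, qname(P3P_NS, "EXTENSION"), optional="yes")
        for name, required in extension_purposes:
            ET.SubElement(ext, qname(HEALTH_NS, name), required=required)
    body = ET.SubElement(env, qname(SOAP_NS, "Body"))
    ET.SubElement(body, "{urn:example:health}SubmitRecord")  # hypothetical operation
    return ET.tostring(env, encoding="unicode")


def header_must_understand(envelope_xml):
    """True if the P3P POLICY header block is marked mustUnderstand."""
    root = ET.fromstring(envelope_xml)
    policy = root.find("%s/%s" % (qname(SOAP_NS, "Header"), qname(P3P_NS, "POLICY")))
    return policy is not None and policy.get(qname(SOAP_NS, "mustUnderstand")) in ("true", "1")


def declared_purposes(envelope_xml):
    """List every (clark_name, required) purpose the policy declares,
    including those nested inside EXTENSION elements."""
    root = ET.fromstring(envelope_xml)
    found = []
    for purpose in root.iter(qname(P3P_NS, "PURPOSE")):
        for child in purpose:
            members = list(child) if child.tag == qname(P3P_NS, "EXTENSION") else [child]
            for el in members:
                found.append((el.tag, el.get("required", "always")))
    return found


def objections(envelope_xml, accepted):
    """Requester-side check: purposes the requester has not accepted and that
    the service does not offer as opt-in (a stand-in for an APPEL ruleset)."""
    return [tag for tag, required in declared_purposes(envelope_xml)
            if tag not in accepted and required != "opt-in"]


if __name__ == "__main__":
    msg = build_envelope([("current", "always"), ("pseudo-analysis", "opt-out")],
                         [("vital-statistics", "always"), ("morbidity-statistics", "opt-in")])
    print(msg)
    accepted = {qname(P3P_NS, "current"), qname(HEALTH_NS, "vital-statistics")}
    print("objections:", objections(msg, accepted))
```

Marking the POLICY header mustUnderstand is the detail that makes the SOAP-level placement meaningful: a receiver that has no P3P support faults on the header instead of accepting health data under a policy nobody evaluated. The check in `objections` treats an opt-out purpose the requester has not accepted as a conflict, because the data would be used for it unless the requester acts, while opt-in purposes are only a conflict once the requester enables them.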
Received on Saturday, 19 April 2003 06:08:04 UTC