Re: Ref: the Beyond HTTP (BH) Task Force

Thank you for the comments Patrick.

On Saturday 19 April 2003 06:08, Patrick.Hung@csiro.au wrote:
> In fact, I have been thinking whether it is feasible and appropriate to
> implement/apply P3P into WS-Policy for the project. Anyway, the first job
> for me is to "modify/change/re-create" the PURPOSE elements (Section 3.3.4
> from The P3P1.0 Specification) for this project. Thus, I have to define the
> <purposes/> of collecting/processing the health data as some specific
> purposes in the context of health data and epidemiological statistics,
> such as "<vital-statistics/>," "<morbidity-statistics/>," etc. Anyway, I am
> still studying it.

I'll note this as more evidence that p3p:PURPOSE is likely to be a part of
the vocabulary most likely to change. However, I'm thinking it will be
useful to distinguish the meta "purpose" of "current" and "other" from the
other terms. I expect you'd want to use both of those terms independent of
the others...?

> > I haven't made an attempt at it yet -- has anyone else? -- but I hope
> > to soon. However, even without doing so, I ask myself if:
> > 1. Does the privacy statement belong at the SOAP level, or HTTP? In the
> > majority of cases SOAP will be transported over HTTP, what happens if
> > both
> >
> > of a HTTP statement?
>
> As HTTP is a carrier for SOAP messages, I don't really get what you mean
> here. Do you mean that what happens if both "Web service requestor" and
> "Web service provider" using HTTP and no SOAP message?

No, what happens if the HTTP header has a P3P statement, and the SOAP 
message has one too, and they don't agree, or they do in parts but not in 
others?

> By "my understanding," it should not be possible for a Web service
> requestor (i.e., Web service) to set

This is an interesting point, if the web service client isn't a web browser,
it might not support cookies anyway. However, I don't think we can presume
this just yet. Might be worth a few sentences on the point.

> > 2. Does the privacy statement belong at the WSDL level? Not every
> > service must have a service description. And if they did for the
> > purposes of privacy then *have* to fetch the WSDL before proceeding
> > with the interaction? My sense here is that SOAP would trump the
> > OPTIONAL WSDL definition.
>
> Referring to the first question, do we need separate P3P (privacy)
> policies for each operation (web method) in a Web service? Then, for the
> second question, it may be closely related to the matchmaking process
> between Web service requestors and providers.

Oh, good point. I'll add this as an issue to the outline I'm working on.

Received on Tuesday, 22 April 2003 17:53:33 UTC