Ref: the Beyond HTTP (BH) Task Force from Patrick.Hung@csiro.au on 2003-04-23 (public-p3p-spec@w3.org from April 2003)

From: <Patrick.Hung@csiro.au>
Date: Thu, 24 Apr 2003 02:17:58 +1000
To: reagle@w3.org, public-p3p-spec@w3.org
Message-ID: <754324CDE8E4EE4498D8E0357D91368501600EED@saab-bt.act.cmis.CSIRO.AU>

Thanks for your message, Joseph. Here are my comments.

"I'll note this as more evidence that p3p:PURPOSE is likely to be a part of 
the vocabularly most likely to change. However, I'm thinking it will be 
useful to distinguish the meta "purpose" of "current" and "other" from the 
other terms. I expect you'd want to user both of those terms independent of 
the others...?"

Yes, I do. In such a loosely coupled Web services execution environment, I 
am thinking whether we should have a general dictationary for p3p:PURPOSE 
(e.g., "current" and "other") and also some application-specific
dictationaries 
(e.g., financial applications) for p3p:PURPOSE in different scenarios?

"I haven't made an attempt at it yet -- has anyone else? -- but I hope
to soon. However, even without doing so, I ask myself if:
1. Does the privacy statement belong at the SOAP level, or HTTP? In the
majority of cases SOAP will be transported over HTTP, what happens if
both of a HTTP statement?"

I would expect that we may have to have P3P statements at both the HTTP (if
applicable) and SOAP level. At the HTTP level, the P3P statements should
work and behave the same as described in the original P3P Specification for 
the Web sites. At the SOAP level, the P3P statements should be on both
general and application-oriented semantics (it may be hard). What do you
think?

"This is an interesting point, if the web service client isn't a web
browser, 
it might not support cookies anyway. However, I don't think we can presume 
this just yet. Might be worth a few setences on the point."

For your information, you can even send a SOAP message by a plain text
e-mail message as long as the Web service can interpret e-mail message
like those mailing list server (e.g., subscribe).

"> > 2. Does the privacy statement belong at the WSDL level? Not every
> > service must have a service description. And if they did for the
> > purposes of privacy then *have* to fetch the WSDL before proceeding
> > with the interaction? My sense here is that SOAP would trump the
> > OPTIONAL WSDL definition.
>
> Referring to the first question, do we need separate P3P (privacy)
> policies for each operation
> (web method) in a Web service? Then, for the second question, it may be
> closely related to
> the matchmaking process between Web service requestors and providers. 

Oh, good point. I'll add this as an issue to the outline I'm working on."

As WS-Policy is mainly for specifying the security requirements, I guess
that there may have a flag to identify the privacy requirement in WS-Policy
such as "require" or "not require." Then if the "require" flag is set to
true, 
Web services must retrieve their WS-Privacy document (like P3P Policy) for 
validation by using APPEL? OR something like that.

Do we have a meeting call on April 30?

Received on Wednesday, 23 April 2003 12:18:06 UTC