Re: [BH] Application Patterns and SOAP (Was: First (Very Rought) Outline of Beyond HTTP) from Joseph Reagle on 2003-06-02 (public-p3p-spec@w3.org from June 2003)

From: Joseph Reagle <reagle@w3.org>
Date: Mon, 2 Jun 2003 15:11:38 -0400
To: Patrick.Hung@csiro.au, public-p3p-spec@w3.org
Message-Id: <200306021511.38206.reagle@w3.org>

On Wednesday 28 May 2003 11:56, Patrick.Hung@csiro.au wrote:
> > The scenario I have in my mind is that SOAP is being used in an
> > "end-to-end"
> > model with an explicit understanding that various intermediaries will
> > be relevant. Te request/response is e2e between the user agent and
> > service
>
> I have a bit concern about your statement "with an explicit understanding
> that various intermediaries will be relevant." Do you mean that both SOAP
> sender and receiver realize that there exist some intermediaries but both
> SOAP sender and receiver do not have explicit knowledge of who and 
> where the intermediaries are on the Web?

I'm not willing to state the opposite: that, absent a mechanism for 
end-to-end security, a SOAP sender and receiver will be the only SOAP 
parties to see a message. "SOAP does not specify how such a message path is 
determined and followed." [1] In example 16 [2], a SOAP intermediary 
changed the message in a way that the sender did not necessarily know 
about.

[1] http://www.w3.org/TR/2002/CR-soap12-part0-20021219/
[2] http://www.w3.org/TR/2002/CR-soap12-part0-20021219/#Example6

> > (1) Should we also have to mention the privacy issues of audit trail
> > (e.g., log files)
> > at each Web service? We assume that all Web services are all seating
> > with the Web server
> > and so.
> >
> > How do you mean? The intermediaries?
>
> Yes, I mean the intermediaries. It is because there is no such serious
> concern at the SOAP sender side and also the ultimate receiver 
> should respect its own privacy policy (or I can name it as the 
> SOAP receiver's promise to the sender).

I'm still not sure I understand. We've already documented the question of 
(transparent) intermediaries (one can include a mandatory header of 
policies they must respect or use e2e security). If your question is that 
people typically only associate a P3P policy with an HTTP server's log, and 
there might be other logs that are relevant, I'm not sure. I think the 
governing section of P3P is "2.3.3 Applying a Policy to a URI". It has a 
bunch of examples, and we *could* include our own, but the basis is still 
about a method (GET, POST) on a URI, which is still perfectly applies to 
our scenarioius...?

> For the UDDI, here are my suggestions (very rought and have to check the
> syntax
> carefully) to put privacy policies at two levels: ...Anyway, we can 
> forget this point in this task force working draft.

OK, that's good to have in the back pocket 

> Should we also have a function to keep track of the changes in privacy
> policies?

You mean in the UDDI context specifically, or the in general. I don't see an 
immediate need for this, I presume policies are deprecated by simply 
removing an old policy from the dereferencing URI and replacing it with the 
new one...?

Received on Monday, 2 June 2003 15:11:45 UTC