- From: <Patrick.Hung@csiro.au>
- Date: Tue, 3 Jun 2003 11:48:54 +1000
- To: reagle@w3.org, public-p3p-spec@w3.org
> > > (1) Should we also have to mention the privacy issues of audit trail
> > > (e.g., log files)
> > > at each Web service? We assume that all Web services are all seating
> > > with the Web server
> > > and so.
> > >
> > > How do you mean? The intermediaries?
> >
> > Yes, I mean the intermediaries. It is because there is no such serious
> > concern at the SOAP sender side and also the ultimate receiver
> > should respect its own privacy policy (or I can name it as the
> > SOAP receiver's promise to the sender).
>
> I'm still not sure I understand. We've already documented the question of
> (transparent) intermediaries (one can include a mandatory header of
> policies they must respect or use e2e security). If your question is that
> people typically only associate a P3P policy with an HTTP server's log, and
> there might be other logs that are relevant, I'm not sure. I think the

Yes, there are some other logs besides the HTTP server's log, such as the application can also keep its logs, e.g., ASP.NET.

> governing section of P3P is "2.3.3 Applying a Policy to a URI". It has a
> bunch of examples, and we *could* include our own, but the basis is still
> about a method (GET, POST) on a URI, which still perfectly applies to
> our scenarios...?

Yes, it is fine.

> > Should we also have a function to keep track of the changes in privacy
> > policies?
>
> You mean in the UDDI context specifically, or in general. I don't see an
> immediate need for this, I presume policies are deprecated by simply
> removing an old policy from the dereferencing URI and replacing it with the
> new one...?

I mean in general. I just wonder whether there is any practice for privacy policies management? If an organization changes its privacy policy, what happens if there are conflicts between the old and new one? Does the data's subject have the right to ask for remedies? Do we also have to capture these issues in P3P?

Maybe these issues are not relevant to this document; they are more on the management side or even strongly relate to legal aspects. Just some thoughts.

In the coming few days, I will check the document and see whether we miss any important points.

Thanks and talk to you later.

Patrick.
Received on Monday, 2 June 2003 21:49:08 UTC