- From: Joseph Reagle <reagle@w3.org>
- Date: Wed, 7 May 2003 13:02:39 -0400
- To: Patrick.Hung@csiro.au, public-p3p-spec@w3.org
On Wednesday 07 May 2003 10:53, Patrick.Hung@csiro.au wrote:

> Just get back to my seat for this working draft of WSDL + SOAP from other
> tasks.

Patrick, we're definitely on the same page here.

> Once the user's privacy preferences are all satisfied with the
> registrar's WS-P3P policy, the user should try to bind with the
> registrar's service(s) by SOAP messaging [Stage 1], no matter the
> carrier is HTTP or SMTP. So, this is the very simple story. Up to this
> moment, there is no need to specify any "privacy" stuff in the SOAP
> header??!!

I'd disagree, because your scenario ALWAYS presumes that I will check the WSDL before I interact via SOAP. What happens if I already know the service and plan on using them? I have to check the WSDL every time just to make sure the policy hasn't changed.

I'm presently thinking:

1. The policy needs to be bound to the layer (application) of the data solicitation and transport as closely as possible.
2. Other "layers" may have restatements of the policies. So if I'm searching for a service, I might look at the policies via UDDI or WSDL.
3. Any policy that is discovered must be honored. Before I was taking the "higher layers trump lower layers", but I'm reconsidering that after rereading [1,2] and finding those heuristics to be very elegant.

(And of course, what I'm presuming with respect to the WSDL/UDDI case is that these aren't different policies, just a "restatement". The WSDL description uses the same URI to the policy that is found in the subsequent SOAP header.)

[1] http://www.w3.org/TR/2002/REC-P3P-20020416/#ref_syntax

"As a practical note, however, placing many different P3P policies on different resources on a single page may make rendering the page and informing the user of the relevant policies difficult for user agents. Additionally, services are recommended to attempt to craft their policy reference files such that a single policy reference file covers any given "page"; this will speed up the user's browsing experience."

[2] http://www.w3.org/TR/2002/REC-P3P-20020416/#non-ambiguity

"User agents need to be able to determine unambiguously what policy applies to a given URI.... In those cases, the site will probably not be able to determine reliably which policy any given user has seen, and thus it MUST honor all policies (this is also the case for compact policies, cf. Section 4.1 and Section 4.6). Sites MUST be cautious in their practices when they declare multiple policies for a given URI, and ensure that they can actually honor all policies simultaneously."
Received on Wednesday, 7 May 2003 13:02:47 UTC
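The message above argues that a policy restated in WSDL and a policy carried in the SOAP header should be treated as one set of discovered policies, all of which must be honored, and that a client which skips the WSDL lookup needs the header to notice when a policy has changed. The following user-agent-side check is an added example, not code from the thread or from any W3C specification. It assumes a hypothetical `PolicyRef` element with an `href` attribute in a made-up namespace `urn:example:ws-p3p`, placed on the WSDL `<service>` and in the SOAP `<Header>`; the sample documents, the policy contents and the user preferences are all constructed stand-ins, since the page defines no WS-P3P header syntax.

```python
"""Added example: collect every P3P policy reference discovered for a
service (WSDL restatement plus SOAP header), require that ALL of them
satisfy the user's preferences, and flag a policy the WSDL did not restate.

Hypothetical element, not defined by any spec quoted on the page:
    <p:PolicyRef href="..."/>  with namespace urn:example:ws-p3p
"""
import xml.etree.ElementTree as ET

NS = "urn:example:ws-p3p"                         # hypothetical namespace
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
POLICY_V1 = "http://registrar.example/p3p/policy-v1.xml"   # constructed URI
POLICY_V2 = "http://registrar.example/p3p/policy-v2.xml"   # constructed URI

# Constructed WSDL: the restatement seen at discovery time (UDDI/WSDL layer).
WSDL_DOC = f"""<definitions xmlns="{WSDL_NS}" xmlns:p="{NS}">
  <service name="Registrar">
    <p:PolicyRef href="{POLICY_V1}"/>
  </service>
</definitions>"""

# Constructed SOAP message: the header now points at a newer policy, which is
# exactly the case a client that skipped the WSDL re-check would otherwise miss.
SOAP_DOC = f"""<env:Envelope xmlns:env="{SOAP_ENV}" xmlns:p="{NS}">
  <env:Header>
    <p:PolicyRef href="{POLICY_V2}"/>
  </env:Header>
  <env:Body><register/></env:Body>
</env:Envelope>"""

# Constructed stand-ins for the practices each policy declares; a real agent
# would fetch and parse the P3P policy at each URI.
POLICIES = {
    POLICY_V1: {"purposes": {"current"}, "retention": "stated-purpose"},
    POLICY_V2: {"purposes": {"current", "telemarketing"},
                "retention": "indefinitely"},
}
# Constructed user preferences.
USER_PREFS = {
    "allowed_purposes": {"current", "admin"},
    "allowed_retention": {"no-retention", "stated-purpose"},
}


def policy_refs(xml_text):
    """Return the set of PolicyRef hrefs found anywhere in the document.
    ET.fromstring is fine for these constructed samples; a production agent
    would parse remote XML with a hardened parser such as defusedxml."""
    root = ET.fromstring(xml_text)
    return {el.get("href") for el in root.iter(f"{{{NS}}}PolicyRef")
            if el.get("href")}


def discovered_policies(wsdl_text, soap_text):
    """Union of what was discovered at lookup (WSDL) and what is bound to the
    application layer (SOAP header). Both must be honored."""
    return policy_refs(wsdl_text) | policy_refs(soap_text)


def policy_acceptable(policy, prefs):
    """A policy passes only if every purpose and the retention are allowed."""
    return (policy["purposes"] <= prefs["allowed_purposes"]
            and policy["retention"] in prefs["allowed_retention"])


def evaluate(refs, policies, prefs):
    """Apply the 'honor all policies' rule: the interaction is acceptable only
    if every discovered policy is. A URI whose policy cannot be fetched counts
    as rejected. Returns (ok, sorted list of rejected URIs)."""
    rejected = sorted(uri for uri in refs
                      if uri not in policies
                      or not policy_acceptable(policies[uri], prefs))
    return (not rejected, rejected)


def policy_changed(wsdl_text, soap_text):
    """True when the SOAP header references a policy the WSDL did not restate,
    i.e. the policy moved on since the client last looked at the WSDL."""
    return not policy_refs(soap_text) <= policy_refs(wsdl_text)


if __name__ == "__main__":
    refs = discovered_policies(WSDL_DOC, SOAP_DOC)
    ok, rejected = evaluate(refs, POLICIES, USER_PREFS)
    print("discovered:", sorted(refs))
    print("acceptable:", ok, "rejected:", rejected)
    print("policy changed since WSDL lookup:", policy_changed(WSDL_DOC, SOAP_DOC))
```

With the constructed documents the WSDL restates policy-v1 while the SOAP header carries policy-v2, so `discovered_policies` returns both URIs, `evaluate` rejects the interaction because policy-v2 declares a purpose and retention the user does not allow, and `policy_changed` reports that the header introduced a policy the WSDL never mentioned. Had the header reused the same URI as the WSDL, the set would collapse to one policy and the check would pass.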