- From: <Patrick.Hung@csiro.au>
- Date: Tue, 27 May 2003 16:02:19 +1000
- To: reagle@w3.org, public-p3p-spec@w3.org
Hi Joseph,
Referring to my previous e-mail, I just want to mention a few points here for further discussion.
> In particular, those three types of
> information flow may be used to determine the role of SOAP intermediaries.
> I will spend more thoughts on it next week and discuss with you later.
Referring to [1], those three variables are related to the SOAP Message Exchange Patterns (MEPs) discussed in [2].
"Points of Decision
In [P3P], the user's agent (the point of decision) is typically his network client. However, one can also imagine a trusted network service acting as the user's agent (managing the user's identity, information and enforcing his preferences). In PROVREG and EPAL services themselves are exchanging policies and making decisions."
This is somehow relevant to the role of SOAP message sender and ultimate receiver in the SOAP architecture.
"Points of Aggregation
A service which solicits information from a user for redistribution to other services might choose to first collect and combine the policies of its peers and represent the p3p:recipients as having the "same" policy, or it might ask for separate parcels of information under a different policy corresponding to each of the recipients which it transfers data to."
Part of these requirements should be very close to the "Table 3: SOAP Nodes Forwarding behavior" [2]. Should we have to enhance the "next" role with more behaviors to handle the proposed privacy policy? For example, the privacy policy, say in P3P, at the SOAP intermediaries with the "next" role must contain "<current/> and <admin/> for <PURPOSE/> and also <no-retention/> for <RETENTION/>".
Or should we define another new role as "user-defined" in [2]?
In addition, referring to the sample SOAP message in [1]:
"<env:Header xmlns='http://registry.example.com/2003/soap-header-p3p-extension.xsd'
    xmlns:env='http://www.w3.org/2003/05/soap-envelope' id='header'>
  <Privacy env:role='http://www.w3.org/2003/05/soap-envelope/role/next'
      env:mustUnderstand='true'>
    <rel>P3Pv1</rel>
    <href>http://registry.example.com/P3P/PolicyReferences.xml</href>
  </Privacy>
</env:Header>"
FYI. There is no "relay" attribute specified here because "The relay attribute information item has no effect on the SOAP processing model when the header block also carries a mustUnderstand attribute information item with a value of "true"." [2]
[1] http://www.w3.org/P3P/2003/p3p-beyond-http/Overview.html
[2] http://www.w3.org/TR/2003/PR-soap12-part1-20030507/
Other minor issues we may have to consider:
(1) Should we also have to mention the privacy issues of audit trail (e.g., log files) at each Web service? We assume that all Web services are all sitting with the Web server and so.
(2) In the future, should we also think about the internationalization of P3P policies in this Web services execution environment? It is because there are different privacy laws in different countries or even between different states.
Anyway, more thoughts are needed...
Thanks and talk to you later.
Patrick.
Received on Tuesday, 27 May 2003 02:02:36 UTC
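Added example, not part of the original message or of the W3C documents it cites: a Python sketch of how one SOAP 1.2 node could decide what to do with the Privacy header block quoted above, following the processing model and forwarding table in [2]. The function names, the action labels and the `understood` set are assumptions made for illustration, and the envelope is the header from [1] wrapped in a constructed Envelope and Body.

```python
import xml.etree.ElementTree as ET

ENV = "http://www.w3.org/2003/05/soap-envelope"
P3P = "http://registry.example.com/2003/soap-header-p3p-extension.xsd"
NEXT, NONE, ULTIMATE = (ENV + "/role/" + r for r in ("next", "none", "ultimateReceiver"))
PRIVACY = "{" + P3P + "}Privacy"  # qualified name of the header block from [1]

# Constructed envelope: the header block quoted from [1] plus an empty Body.
SAMPLE = f"""<env:Envelope xmlns:env='{ENV}'>
 <env:Header xmlns='{P3P}'>
  <Privacy env:role='{NEXT}' env:mustUnderstand='true'>
   <rel>P3Pv1</rel>
   <href>http://registry.example.com/P3P/PolicyReferences.xml</href>
  </Privacy>
 </env:Header>
 <env:Body/>
</env:Envelope>"""

def is_true(block, attr):
    # xs:boolean accepts both "true" and "1"; an absent attribute means false.
    return block.get(f"{{{ENV}}}{attr}", "false").strip() in ("true", "1")

def targeted(role, node_roles, is_ultimate):
    if role == NONE:
        return False          # "none" is never acted on by any node
    if role == NEXT:
        return True           # every intermediary and the ultimate receiver
    if role == ULTIMATE:
        return is_ultimate
    return role in node_roles  # user-defined role URIs assumed by this node

def decide(envelope_xml, understood, node_roles=(), is_ultimate=False):
    """Map each header block to this node's action (hypothetical labels)."""
    header = ET.fromstring(envelope_xml).find(f"{{{ENV}}}Header")
    actions = {}
    for block in (header if header is not None else []):
        role = block.get(f"{{{ENV}}}role") or ULTIMATE  # absent role = ultimateReceiver
        if not targeted(role, node_roles, is_ultimate):
            actions[block.tag] = "forward"              # an intermediary passes it on untouched
        elif block.tag in understood:
            actions[block.tag] = "process-and-remove"   # may be reinserted by the node
        elif is_true(block, "mustUnderstand"):
            # A fault aborts the whole message, so relay is never consulted.
            actions[block.tag] = "fault:MustUnderstand"
        elif is_true(block, "relay"):
            actions[block.tag] = "forward"
        else:
            actions[block.tag] = "remove"
    return actions
```

An intermediary that does not implement the P3P extension faults on the sample header, which is why a privacy block marked mustUnderstand='true' for "next" cannot be silently dropped or relayed past it.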