RE: P3P and WSDL

Hi Philippe,

Thank you very much for your message. My response is contained in
<patrick/>.

May I ask whether you have any suggestion for this task force? How should
this task force work with the WSDL and SOAP working groups?

Many thanks again,

Patrick.

-----Original Message-----
From: Philippe Le Hegaret [mailto:plh@w3.org]
Sent: Friday, 3 October 2003 4:34 AM
To: Patrick C. K. Hung
Cc: Rigo Wenning; Hugo Haas; w3t-archive@w3.org
Subject: P3P and WSDL


Patrice,

I came across the "P3P: Beyond HTTP" note and in particular the section
related to WSDL:
[[
 <import namespace='http://www.w3.org/P3P/2003/p3p-beyond-http/'
location='wsdl-p3p-extension.xsd'/>
 <my:Privacy rel='P3Pv1'
href='http://registry.example.com/P3P/policy-register.xml'/>
]]

Here are some ideas/thoughts regarding the document from my WSDL point
of view.

I can see two ways to attach a P3P to a WSDL:
1- by reference
2- by inclusion
<patrick>Yes, Rigo, Hugo and I have been discussing this issue. I agree with
you.</patrick>

1- By reference

This is your example. The privacy element links to a P3P file. However,
the section fails

- to indicate what happens if the P3P file makes
statements on a set of URIs (using the INCLUDE element) that happen to
differ from the location of the service (in the soap:address or
http:address elements).
<patrick>Would you please further explain it? It is expected to have a
revised P3P language for describing privacy policies in the context of
Web services. Thus, I am not very sure what you mean.</patrick>

- to indicate that the statements are only applicable to the information
going from the registrant to the registry. What happens to the
information going from the registry to the registrant? Can't the
registry indicates its preferences to the registry? If yes, should the
                                 <patrick>^^^^^^^^ registrant?</patrick>
registry indicate its preferences using a SOAP header in the output
messages or in the WSDL as well?
<patrick>This is a very interesting point. At this minute, we only
consider a uni-directional scenario. We will explore this point in the working
draft for the next version.</patrick>

- to indicate how one can apply one specific per operation. Your example
only shows how to set a registry but doesn't contain an operation for a
get. One can imagine to apply different sets of policy on the set and
get operations.
<patrick>I will send you some slides that describe this scenario
separately.</patrick>

2- by inclusion

This case is not addressed in your document. The extensibility model of
WSDL allows to put P3P elements and attributes in all sections of the
description. Imho, it is reasonable to include P3P POLICY elements in
the WSDL at the interface, operation, or service level.
<patrick>Yes, I agree with you.</patrick>

In either case, can you apply/reference more than one policy in a WSDL?
If yes, does it have a meaning (i.e. can you merge two policies?)?
<patrick>
In theory, we can apply more than one policy in WSDL. In the
first cut, we would expect that there should be a logical AND in
privacy policies described in different levels.

-- Given that a WSDL description or UDDI entry is OPTIONAL to the Web
Service, associating a privacy policy with these descriptions is OPTIONAL.
However, when optional associations are provided, the adopting applications
MUST ensure that multiple associations do not conflict with each other or
the normative declaration from the application, via the Non-ambiguity
requirement of ([P3P], section 2.4.1), "Sites MUST be cautious in their
practices when they declare multiple policies for a given URI, and ensure
that they can actually honor all policies simultaneously." --
</patrick>

You should also mention the use of the wsdl:required attribute, to
indicate whether it is required to follow the privacy or privacy
preferences, otherwise a WSDL processor is entitled to ignore it.
<patrick>Yes, I agree with you. It is a good idea.</patrick>

WSDL, per decision on 20030703, dropped its extensibility using XML
Schema. This includes the wsdl:globalExt definition. So you can (and
must) remove your substitutionGroup='wsdl:globalExt' declaration from
the definition of the Privacy element.
<patrick>Thanks for your information.</patrick>

Philippe

-- 
Philippe Le Hegaret - http://www.w3.org/People/LeHegaret/
World Wide Web Consortium (W3C), Web Services Description Team Contact

Received on Tuesday, 7 October 2003 06:18:25 UTC
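
The by-reference gap raised in the message above (a policy reference file whose INCLUDE patterns do not cover the soap:address location), as an added example that is not part of the original thread or of the P3P note. It assumes P3P 1.0 policy reference file semantics (INCLUDE/EXCLUDE are local path patterns on the host serving the file, with `*` as the only wildcard) and WSDL 1.1 SOAP bindings; the WSDL, the policy reference file, the placement of my:Privacy and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

P3P = "{http://www.w3.org/2002/01/P3Pv1}"              # P3P 1.0 namespace
SOAP = "{http://schemas.xmlsoap.org/wsdl/soap/}"        # WSDL 1.1 SOAP binding
EXT = "{http://www.w3.org/P3P/2003/p3p-beyond-http/}"   # namespace imported in the note's example

# Constructed sample inputs (not taken from the note).
WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
  xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
  xmlns:my="http://www.w3.org/P3P/2003/p3p-beyond-http/">
 <my:Privacy rel="P3Pv1" href="http://registry.example.com/P3P/policy-register.xml"/>
 <service name="Registry">
  <port name="set" binding="b"><soap:address location="http://registry.example.com/registry/set"/></port>
  <port name="get" binding="b"><soap:address location="http://registry.example.com/lookup/get"/></port>
  <port name="alt" binding="b"><soap:address location="http://soap.example.net/registry/set"/></port>
 </service>
</definitions>"""

PRF = """<META xmlns="http://www.w3.org/2002/01/P3Pv1"><POLICY-REFERENCES>
 <POLICY-REF about="/P3P/policies.xml#register">
  <INCLUDE>/registry/*</INCLUDE><EXCLUDE>/registry/private/*</EXCLUDE>
 </POLICY-REF></POLICY-REFERENCES></META>"""

def _match(pattern, path):
    # '*' is the only wildcard; every other character is literal.
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), path) is not None

def uncovered_endpoints(wsdl_xml, prf_xml):
    """Return (location, reason) for each soap:address the referenced policy does not cover."""
    wsdl = ET.fromstring(wsdl_xml)
    prf_host = urlsplit(wsdl.find(f".//{EXT}Privacy").get("href")).netloc
    rules = [([e.text.strip() for e in ref.findall(P3P + "INCLUDE")],
              [e.text.strip() for e in ref.findall(P3P + "EXCLUDE")])
             for ref in ET.fromstring(prf_xml).iter(P3P + "POLICY-REF")]
    problems = []
    for addr in wsdl.iter(SOAP + "address"):
        loc = addr.get("location")
        url = urlsplit(loc)
        covered = any(any(_match(i, url.path) for i in inc)
                      and not any(_match(x, url.path) for x in exc)
                      for inc, exc in rules)
        if url.netloc != prf_host:
            problems.append((loc, "host differs from policy reference file"))
        elif not covered:
            problems.append((loc, "path not covered by INCLUDE/EXCLUDE rules"))
    return problems

if __name__ == "__main__":
    for loc, reason in uncovered_endpoints(WSDL, PRF):
        print(f"{loc}: {reason}")
```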