RE: P3P and WSDL from Patrick.Hung@csiro.au on 2003-10-10 (public-p3p-spec@w3.org from October 2003)

From: <Patrick.Hung@csiro.au>
Date: Sat, 11 Oct 2003 01:53:25 +1000
To: plh@w3.org
Cc: rigo@w3.org, hugo@w3.org, w3t-archive@w3.org, public-p3p-spec@w3.org
Message-ID: <57C87AAEA6B0BC479B69F110575ECCCF05BA7E@saab-bt.act.cmis.CSIRO.AU>
Please check <patrick2> as follows.

-----Original Message-----
From: Philippe Le Hegaret [mailto:plh@w3.org]
Sent: Wednesday, 8 October 2003 4:49 AM
To: Patrick.Hung@csiro.au
Cc: Rigo Wenning; Hugo Haas; w3t-archive@w3.org; public-p3p-spec@w3.org
Subject: RE: P3P and WSDL


On Tue, 2003-10-07 at 06:24, Patrick.Hung@csiro.au wrote:
> One more thought.
> 
> Should it be possible to apply different sets of statements on the data.
> Imagine
> <information>
>   <name>Philippe</name>
>  <email>plh@w3.org</email>
> </information>
> 
> 
> and
> <operation name='send'>
>  <input element='information'/>
> </operation>
> 
> Should you be allowed to express a privacy for the name and a different
> one for email? If yes, then the policy will need to be referenced from
> the schema definition itself.
> <patrick>Yes, it should be allowed. I would like to ask for your opinions.
> In addition, would you please explain it more? Many thanks!</patrick>

Consider the following WSDL:

<definitions [...]>
 <types>
  <schema>
   <xs:element name="information">
     <xs:complexType>
       <xs:sequence>
         <xs:element name="name" type="xs:string"/>
         <xs:element name="email" type="xs:anyURI"/>
         <xs:element name="creditCardNumber" type="xs:string"/>
       </xs:sequence>
     </xs:complexType>
   </xs:element>    
   <xs:element name="result">
     [...]
   </xs:element>    
  </schema>
 </types>
 <my:Privacy rel='P3Pv1' href='http://www.example.org/p3p.xml'/>
 <interface name='QueryService'>
  <operation name='send'>
    <input element='information'/>
  </operation>
 </interface>
 [...]
</definitions>

One can imagine to apply a different privacy restriction on the
name and the email. For examples, the name and email will be used for
customer tracking purposes, and will be stored by the service, while the
credit card number won't be used except for this purchase, and the card
number won't be stored in any case.
The Privacy element applies to the transaction from the WS client to the
Web service and cannot be restrictied to a particular set of data. (on a
side note, I wonder why you need this rel='p3pv1' attribute at all.
don't you deal with versioning by just using namespaces?)

<patrick2>
Thanks a lot! You raise a good question. I will think about it.
</patrick2>

One approach to resolve this would be to use XML Schema annotations (but
they are other approaches and I'm not suggesting that XML Schema
annotations is the best approach):

   <xs:element name="information">
     <xs:complexType>
       <xs:sequence>
         <xs:element name="name" type="xs:string">
          <xs:annotation>
           <xs:appinfo>
             <my:Privacy rel='P3Pv1' href='http://www.example.org/p3p.xml'/>
           </xs:appinfo>
          </xs:annotation>
         </xs:element>
         <xs:element name="email" type="xs:anyURI">
          <xs:annotation>
           <xs:appinfo>
             <my:Privacy rel='P3Pv1' href='http://www.example.org/p3p.xml'/>
           </xs:appinfo>
          </xs:annotation>
         </xs:element>
         <xs:element name="creditCardNumber" type="xs:string">
          <xs:annotation>
           <xs:appinfo>
             <my:Privacy rel='P3Pv1'
                  href='http://www.example.org/otherp3p.xml'/>
           </xs:appinfo>
          </xs:annotation>
         </xs:element>
       </xs:sequence>
     </xs:complexType>
   </xs:element>    

An other solution, used by the WSDL WG to deal with media types, would
be to use XML extensions:

    <xs:element name="information">
     <xs:complexType>
       <xs:sequence>
         <xs:element name="name" type="xs:string"
           my:p3p='http://www.example.org/p3p.xml'/>
         <xs:element name="email" type="xs:anyURI"
           my:p3p='http://www.example.org/p3p.xml'/>
         <xs:element name="creditCardNumber" type="xs:string"
           my:p3p='http://www.example.org/otherp3p.xml'/>
       </xs:sequence>
     </xs:complexType>
   </xs:element>    


In both cases, this would still require defining an element included in
the WSDL to indicate the WSDL processor must follow the rules of P3P:
<my:Privacy wsdl:required=true'/>
(or using a feature, but the WG is still discussing this issue)

<patrick2>
Thanks a lot for your explanation. Will include all your ideas in next
version.
</patrick2>

In any case, I don't think that this necessarily needs to be addressed
in the first version of the document but a future version will need to.

Philippe
Received on Friday, 10 October 2003 11:53:29 UTC