- From: Mark Nottingham <mark.nottingham@bea.com>
- Date: Tue, 25 May 2004 16:01:24 -0700
- To: Rigo Wenning <rigo@w3.org>
- Cc: public-p3p-spec@w3.org, Lorrie Cranor <lorrie@cs.cmu.edu>
Hi Rigo, sorry for the delay responding. On May 4, 2004, at 9:54 AM, Rigo Wenning wrote: >> Ah, yes; that should do it. Does ENTITY have some mechanism for >> identifying an anonymous party (e.g., "Anyone I send THIS message to >> me >> MUST conform to this privacy policy)? I'd imagine there are cases >> where >> people using this attribute won't want to explicitly enumerate the >> entity responsible for conforming to the policy. > > Mark, here you fall exactly into the trap of the wrong protocol. > You send PREFERENCES instead of POLICY in your example ;) > You don't go to the supermarket to impose your conditions. You > accept their conditions. I agree that there are different models; if one were to generalise them, they might be Entity X will honour policy P when handling data D. for "policy" (e.g., P3P), and Entity Y requires entity X to honour policy P when handling data D. for "preferences (e.g., EPAL). My original point was slightly different; in both cases, the data is identified as D; P3P specifies this by associating policy with "data that is submitted to resource R" but this is really just a referential way to identify D. > In data protection, you need the ENTITY element to be able > to get to your rights as you can't force your rights against > anonymous. In a web-service scenario, this is tricky as the > WS interacting can be a privacy client in one second and a > data controller in the next second. > Imagine WS1 discovering WS2. WS1 is requesting something to > WS2 and finds the P3P Policy in the WSDL. The PP is good and > WS1 makes its request. If there is need for feedback and WS2 > makes a request to WS1, WS2 would have to check the P3P Policy > of WS1 first. > > (Note that this only applies if _personal_ data is involved, means > some end-user or request on behalf of an end-user) > Sending Policies forward and saying SOAP "must understand" > can't be solved with P3P, it needs EPAL. Would you agree that the vocabulary for describing the policy and means of specifying it could be the same for either application, with the only difference being the assertions about who is requiring or committing to do what with them? Regards, -- Mark Nottingham Principal Technologist Office of the CTO BEA Systems
Received on Tuesday, 25 May 2004 19:01:34 UTC