Re: lightly edited TAG input to DAP WG per 8 Oct and tell Noah

Right!  If the infrastructure does not exist it's no use communicating 
policies.
I agree that it would be good to change the wording.
All the best, Ashok


Jonathan Rees wrote:
> Just a minor comment on how to spin this. It seems to me that the
> difference between security architecture and policy architecture is
> that policy is about communication within and among system components
> that are already trusted (assumed to be well-intentioned), and its
> purpose is not to constrain them but to inform them. A security
> infrastructure is simply a way to implement a given policy. So
> what's needed is to make sure that policy, as information, flows to
> all system components that need to be informed by it, and is "in your
> face" so that it's easier for a well-meaning programmer to cause it to
> be applied than to ignore it through ignorance or oversight.
>
> So instead of "the ability to use policy information to control access
> to user data, retention of user data and related concerns", how about
> "the ability to communicate policy information so that it can be used
> to determine correct access to and retention of user data and
> resources"? Of course you can't use it if you don't have it, so
> logically this goes without saying, but rhetorically speaking I think
> a shift of this kind might help.
>
> Putting it this way sidesteps the argument that David Baron cites.
> Even if policy is determined once by a standards body instead of
> differentially per site or per user, the communication channel (in
> that case, from the spec writer to the programmer) still has to be
> there; moving the locus of policy origin simply changes the endpoints
> and medium.
>
> Jonathan
>
> On Sun, Nov 29, 2009 at 8:19 PM, Larry Masinter <masinter@adobe.com> wrote:
>   
>> ACTION-321
>>
>> I dropped the ball on this, I’m afraid. Here’s my attempt at
>> editing the note from Ashok[1] based on our discussion in
>> October [2]. I hope I captured the sense we wanted.
>>
>> [1] http://lists.w3.org/Archives/Public/www-tag/2009Sep/0073.html
>> [2] http://www.w3.org/2001/tag/2009/10/08-minutes#item05
>>
>> Larry
>>
>> ===============================================================
>>
>> The W3C Policy Languages Interest Group maintains a Wiki which contains
>> real world cases where personal information has been compromised due to
>> inadequate policy or poor/nonexistent enforcement:
>> http://www.w3.org/Policy/pling/wiki/InterestingCases. One of these cases
>> describes how Virgin Mobile used photos that it found on Flickr in a
>> national advertising program.  The photos appeared on large billboards,
>> much to the surprise of the owner and the subject.
>>
>> In the public mind, issues related to the management and protection of
>> user information in Web Applications, Device access over the Web and
>> Services provided over the Web loom large and must be addressed.  The
>> TAG, therefore, urges WGs working in these areas to include in their
>> architecture the ability to use policy information to control access
>> to user data, retention of user data and related concerns. Addressing
>> these concerns should be a requirement, although the details of how
>> they are addressed may vary by application. For example, a working
>> group might provide mechanisms for including policy information in API
>> calls in a flexible manner.
>>
>> There has been some dialog in this area.  The IETF GeoPriv WG has
>> requested the W3C Geolocation WG to add additional support for user
>> privacy.  See:
>> http://lists.w3.org/Archives/Public/public-geolocation/2009Aug/0006.html
>>
>> There is a discussion thread on this subject on the Geolocation Mailing
>> list:
>> http://lists.w3.org/Archives/Public/public-geolocation/2009Jun/thread.html#msg98

Received on Monday, 30 November 2009 16:44:37 UTC