- From: Cutler, Roger (RogerCutler) <RogerCutler@ChevronTexaco.com>
- Date: Thu, 19 Dec 2002 17:47:23 -0600
- To: www-ws-arch@w3.org
- Message-ID: <7FCB5A9F010AAE419A79A54B44F3718E01817C64@bocnte2k3.boc.chevrontexaco.net>
I can't figure out if I know a little more about P3P than some of the people on the call today -- or a lot less. I certainly am not a P3P expert, but I have looked at how it works. And it impressed me how little of it is truly automated. It seems to me that there is considerable possibility for P3P to mix ungracefully with a machine-to-machine automated web services environment.

For example, if A invokes a web service at B, sending some information to B and expecting some information back -- B may, under the covers, call a web service at C. Although I have not seen it explicitly called out (and maybe it should be), I think that this may be truly under the covers. That is, I don't think it is reasonable to force B to tell A that it has called, or is going to call, C. I think that such a requirement could cause a lot of trouble for commercial applications, including security concerns. In that case, how in the heck does the P3P policy of C get into the act? My understanding is that this is not at all trivial -- and maybe even beyond the scope of P3P as it stands.

As usual, my apologies if I have a flawed understanding of what's going on here and am just spreading confusion.
Received on Thursday, 19 December 2002 18:47:31 UTC